Iranian Cyberspy Caught on Zoom Trying to Hack U.S. Target

iran hacker video phishing attempt iran-hacker-video.jpg - Credit: Adobe Stock

Last month, a U.S. academic logged into a Zoom meeting with “Samuel Valable.” “Valable” had contacted the academic through a LinkedIn account, suggesting the two meet. When the academic logged on, the figure on the other end came through in grainy stills, blaming a bad internet connection for his lack of live footage. Midway through the conversation, he dropped what appeared to be a Google Books link into the Zoom chat. “This is the book that I use as my main material. It’s down here. I sent it in the little chat box,” says “Valable” in the video as a web link with the name “googlebook” appears in the Zoom chat window.

The academic became suspicious, and thanks to some quick thinking — and with the help of a group of cybersecurity researchers — they’ve captured the first known public live-action recording of an Iranian cyber-spy at work.

The real Samuel Valable, a French biologist, was nowhere near the Zoom call. Instead, the academic was Zooming with a member of “Charming Kitten,” a cybersecurity industry nickname for a group of hackers affiliated with Iran’s Islamic Revolutionary Guard Corps intelligence organization. And the “Google Book” link was actually a phishing link designed to trick users into “signing in” to a real-looking Google Accounts page and steal their password.

The U.S. academic — who shared the story on the condition of anonymity — wasn’t fooled. Instead, they recorded the call and sent it to the Computer Emergency Response Team in Farsi (CERTFA), a cybersecurity research group that tracks Iranian hackers. The fake links used by the hackers pointed to infrastructure previously used by and attributed to Charming Kitten.

Live action role playing by a trained, English-speaking impersonator over Zoom represents the next phase of an evolving Iranian hacking campaign. The “Distinguished Impersonator” tactic — first identified by CERTFA — moves past traditional tricks like phishing emails and instead presents targets with a more reassuring lure — a talking, seemingly authentic representation of a trusted public…