Iranian hacking group impersonating nuclear experts to gain intel from Western think tanks


A cyber espionage group linked to the Iranian government has been impersonating think-tank employees to phish Middle Eastern nuclear weapons experts, according to researchers at Proofpoint.

The group — called “TA453,” “Charming Kitten” or “APT35,” depending on the threat intelligence service you’re relying on — has a long track record of targeting U.S. and European government officials, politicians, think tanks and entities involved in critical infrastructure.

The latest campaign detailed by Proofpoint dates from March to May of this year and begins with benign emails that seek to establish a rapport with foreign policy researchers in the West.

Those initial emails were later followed by phishing emails that link to a password-protected Dropbox URL, ostensibly to access the research. Instead, the link executes .RAR and LNK files and runs a PowerShell script that installs a backdoor on the victim’s system, before calling out to a cloud hosting provider for additional malware payloads.

Full infection chain for GorjolEcho, one of the malware payloads deployed by Charming Kitten (Source: Proofpoint)

Joshua Miller, senior threat researcher at Proofpoint, told SC Media the campaign appears to be extremely targeted: thus far they are aware of fewer than 10 individuals who received phishing emails from the group. Miller said their visibility over the campaign is restricted to data and follow-ups culled from Proofpoint customers, and that none were successfully infected.

It’s not the first time Charming Kitten, which U.S. officials have linked to Iran’s Islamic Revolutionary Guard Corps’ intelligence organization, has targeted think tanks and other research institutions, seemingly in an effort to gather intelligence about Western foreign policy decision-making. While the group has targeted government officials in the past, they may find it easier to obtain some of the same information they’re looking for by targeting and compromising parties at the edge of those discussions.

“When we see them go after think tanks [and] academics, basically they’re informing the policy positions of the West and governments for nuclear sanctions or diplomatic policies. The idea is that that…
