Have you heard of BadBlood? No, not the song. It is a spearphishing campaign whose purpose was to steal credentials from medical professionals. The campaign has now been linked to the Charming Kitten APT.
What’s going on?
This late-2020 spearphishing campaign aimed to steal the credentials of 25 senior medical researchers in oncology, neurology, and genetic research in the U.S. and Israel. Charming Kitten, also tracked as TA453, usually targets academics, dissidents, journalists, and diplomats. Hence, the targeting of senior researchers is a departure from the group’s usual activity.
Why does it matter?
The targeting of medical researchers has clearly been escalating for various reasons, one of them being COVID-19 vaccine research. BadBlood is another addition to that trend. Although researchers have not clearly established the motives for the attacks, the conjecture is that this was an ad hoc effort to gather intelligence that can be used in future phishing campaigns.
About Charming Kitten
Charming Kitten is an Iranian-sponsored APT group that has been around since at least 2014.
It is mainly known for cyberespionage and boasts an arsenal containing 240 malicious domains, at least 85 IP addresses, and hundreds of fake identities.
It was last seen in November 2020, when it launched spoofing attacks against attendees of the Munich Security Conference and Think 20 Summit in Saudi Arabia.
The group was also associated with targeting former President Trump’s reelection campaign.
The bottom line
BadBlood is not the only campaign of its kind; for TA453, however, it implies a shift in collection priorities. Further investigation will reveal more about the goals of this APT group regarding the medical sector. Nevertheless, it is necessary to strengthen security postures before further damage is done. Moreover, identifying phishing emails has become a necessary skill in today’s world, as nobody is exempt from cyberattacks.