ClearSky researchers have recently published a report detailing a campaign in which the Iranian hacker group Charming Kitten targeted human rights activists, academic experts, and journalists specializing in Iranian affairs.
In the campaign, which started in July 2020, the attackers have been impersonating journalists, particularly those from the German broadcasting company Deutsche Welle and the Israeli magazine Jewish Journal.
- The hackers have been using malicious emails alongside WhatsApp messages and fake LinkedIn profiles as channels to approach their targets and convince them to open a malicious link or to take a call with the Iranian hackers.
- They posed as Persian-speaking journalists so that their accent would not give them away during the phone call.
- The hackers left no stone unturned: whether through phishing or watering-hole methods, they tried everything to infect the victims with malware instead of stealing their credentials.
- In late 2019 and early 2020, the same group also posed as journalists working for the Wall Street Journal.
Towards the expansion
With this campaign, Charming Kitten has expanded its target list by adding many well-known names.
- At the beginning of June 2020, Charming Kitten targeted high-ranking American civil servants and officials, along with President Donald Trump and Democratic nominee Joe Biden.
- In early May, Charming Kitten launched attacks against COVID-19 related organizations (such as Gilead and WHO).
WhatsApp phone call - a near-future trend
Charming Kitten is not the first threat actor to have used WhatsApp phone calls in recent months. In August 2020, the North Korean hacker group Lazarus followed the same method (i.e., calling directly on the phone and over WhatsApp) in ‘Operation Dream Job’ to gain victims' trust.
The bottom line
Earlier, the group used SMS and emails with a malicious link or attached file to reach out to victims. Now, they have upgraded their tactics to the next level. By making personal phone calls, they can gain greater trust from the victim than they could with an email message, which makes this group an even more dangerous threat.