Iran-linked spies used Christmas as cover for spearphishing, researchers say

The group known as Charming Kitten used malicious links to capture login credentials and steal data, CERTFA said.
sms, mobile, email, phishing, spearphishing
(Getty Images)

A cyber-espionage group linked to the Iranian government timed a mobile phishing campaign with the Christmas holidays, using email and text messages to target individuals at think tanks, universities and elsewhere, according to new research.

Known as Charming Kitten, APT35 or Phosphorous, the group sent fake text messages from “Google Account Recovery” and fake emails with Christmas content, reports the cybersecurity organization CERFTA, which specializes in Iran-related research. The goal was to use malicious web pages to capture login credentials and “steal sensitive data from their victims,” CERTFA said.

“The group started the new round of attacks at a time when most companies, offices, organizations, etc. were either closed or half-closed during Christmas holidays and, as a result, their technical support and IT departments were not able to immediately review, identify, and neutralize these cyber incidents,” CERTFA says. “Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect.”

The emphasis was on targets in the Persian Gulf, Europe, and the U.S., including think tanks, political research organizations, professors, journalists, and environmental activists, the researchers said. The FBI and Department of Homeland Security had warned think tanks in December to be on alert for foreign hacking activity as nation-state groups ramp up espionage ahead of the transition to President-elect Joe Biden’s administration.


The spies sent text messages and emails containing links that appeared to be legitimate, but eventually pointed victims to malicious sites that could capture their credentials, the researchers said.

“We can conclude that Charming Kitten has used complex techniques to gain access to individuals and organizations that Iranian intelligence services are interested in targeting,” said CERTFA, which stands for Computer Emergency Response Team in Farsi. Founder Amin Sabeti is based in London.

Charming Kitten was most interested in personal email accounts through Gmail, Yahoo! and Microsoft Outlook, as well as work-related accounts, the researchers said. Espionage, and not destructive attacks, appeared to be the primary goal.

“[T]he attackers try not to leave any trace of themselves and, even after gaining access to their victims’ accounts, they do not block the victims’ access to their own accounts,” the researchers said.

CERTFA’s report comes as U.S. national security agencies are ramping up pressure on the Iranian regime in the final days of the Trump administration. The U.S. Treasury Department on Wednesday sanctioned an Iranian venture capital firm that specializes in technology companies. The U.S. also is continuing to investigate alleged Iranian attempts to disrupt the 2020 elections through disinformation and other tactics.

Latest Podcasts