“The ‘Charming Kitten’ Operation: From Spy Hunting to U.S. Elections”
“Charming Kitten,” a name recently gaining attention due to allegations of Iranian attempts to infiltrate U.S. elections, is also linked to a covert operation aimed at hunting spies.

This latest operation was uncovered by researchers at Mandiant, the American cybersecurity unit of Alphabet, who confirmed that the hackers are loosely connected to a group known as APT42, which conducts attacks under the alias “Charming Kitten.”

How Was the Operation Discovered?

According to a study reported by U.S. News, Iran has been accused of using social media accounts, fake websites, and other methods to gather information on “Iranians and local threats, particularly those who may collaborate with foreign intelligence and security agencies, especially in Israel.”

The researchers indicated that “the collected data could be used to uncover human intelligence operations conducted against Iran and to track down any Iranians suspected of involvement in these operations.”

Why Did the Company Attribute the Operation to Iran?

Mandiant attributed the campaign to the Iranian government based on the tactics, techniques, and targeting observed.

The cybersecurity company clarified that it found no connection between this campaign and the operations recently discovered that target U.S. elections.

Mandiant revealed that over 40 fake recruitment websites were discovered, written in both Persian and Arabic, most of which advertised job opportunities in Israel, asking visitors to enter their personal information and other details.

The company also discovered several fake social media accounts on platforms such as Twitter, Telegram, YouTube, and the Iranian social network Virasty. These accounts promoted recruitment companies offering jobs in IT, cybersecurity, and human resources.

The campaign seems to have started as early as 2017 and continued until March 2024, according to Mandiant, which added that similar campaigns were conducted on behalf of proxy groups in Syria and Lebanon.

Researchers found desktop and mobile versions of fake recruitment sites displaying similar content, designed to appear as though created by companies based in Israel.

Many of these websites specifically targeted military personnel in “the army, security, and intelligence services from Syria and Hezbollah in Lebanon.”

Mandiant also discovered a YouTube channel with a single video advertising a recruitment service, providing an email address for applicants to submit their information.

Mandiant stated that the campaign should be “a cause for concern for Iranian individuals suspected of cooperating with countries that Iran views as adversaries.”

They noted that “these individuals could include Iranian dissidents, activists, human rights defenders, and Persian speakers living both inside and outside Iran.”

The campaign casts a wide net: it works across multiple social media platforms to spread its network of fake human rights websites, in an attempt to expose Persian-speaking individuals who might be working with intelligence and security agencies and who would therefore be seen as a threat to the Iranian regime.

“The data collected, such as addresses, contact details, along with professional and academic expertise, could be used in future operations against targeted individuals.”

A New Study and Malicious Software

In conjunction with Mandiant’s report, Microsoft published a study on another alleged Iran-based campaign involving a custom malware known as “Tickler.”

Microsoft reported that between April and July, an Iranian Revolutionary Guard-affiliated hacking group used Tickler in attacks on “targets in satellites, communications equipment, oil and gas, as well as federal and state government sectors in the United States and other countries.”

The campaign aims to gather intelligence as part of what Microsoft termed “long-term cyber operations.”

Microsoft tracks the actors behind the campaign as “Peach Sandstorm,” stating that their primary focus is on facilitating intelligence collection to support the Iranian government.

As with Google’s findings, Microsoft noted that since 2021, they have observed “Peach Sandstorm” using fake LinkedIn profiles posing as talent acquisition managers based in the United States and Western Europe.

They noted that “the Peach Sandstorm group primarily used them for intelligence gathering and potential social engineering against higher education and related sectors.”

As was the case with Google, Microsoft deleted the profiles once discovered.

Both reports come amid a wave of focus on Iranian cyber operations following news of alleged attacks on U.S. presidential campaigns.

Tom Kellermann, a former White House cybersecurity official, highlighted that backdoors like those Microsoft exposed are proliferating across the defense sector, prompting the need to expand threat searches.

Kellermann, now Senior Vice President at Contrast Security, stated, “Iran’s cyber espionage capabilities have become more sophisticated due to Russian technology transfers. There is coordinated intelligence sharing between Iran and Russia due to their military alliance.”
