A cyber-security group specializing in Iran is reporting that the Iranian-backed Phosphorus hacking group (aka Charming Kitten, APT35) has conducted a global phishing attack directed at targets of interest to Iranian intelligence. According to the report by the London-based CERTFA (Computer Emergency Response Team in Farsi):
During the Christmas holidays and the beginning of the new year, the Charming Kitten group, the Iranian state-backed hackers, have begun a targeted phishing campaign of espionage against different individuals to collect information. Charming Kitten, also known as APT35 and Phosphorus, is one of the hacker groups backed by the Islamic Republic of Iran. The group started the new round of attacks at a time when most companies, offices, organizations, etc. were either closed or half-closed during Christmas holidays and, as a result, their technical support and IT departments were not able to immediately review, identify, and neutralize these cyber incidents. Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect.
The report goes on to say that the targets of the phishing attack included think tanks, political research centers, university professors, journalists, and environmental activists in the countries around the Persian Gulf, Europe, and the US.
The use to which any stolen material will be put is unknown, but Phosphorus has a history of infiltrating government networks of both adversaries and people of influence. Relevant Global Influence Operations Report (GIOR) reporting on Phosphorus has included:
- We reported in October 2020 that Phosphorus reportedly works for Iranian Intelligence and has a history of infiltrating the government networks of its adversaries as well as of using phishing attacks.
- We reported in October 2020 that Phosphorus was behind an October 2019 failed attempt to breach accounts connected with President Trump’s re-election campaign as well as the accounts of journalists and U.S. officials.
- We reported in November 2020 that Phosphorus was linked to an attempt to break into the personal e-mail accounts of Munich Security Conference attendees.