Iranian Hacker Group Conducts Global Phishing Attack

A cyber-secu­ri­ty group spe­cial­iz­ing in Iran is report­ing that the Iran­ian-backed Phos­pho­rus hack­ing group (aka Charm­ing Kit­ten, APT35) has con­duct­ed a glob­al phish­ing attack direct­ed at tar­gets of inter­est to Iran­ian intel­li­gence. Accord­ing to the report by the  Lon­don-based CERTFA (Com­put­er Emer­gency Response Team in Farsi):

Dur­ing the Christ­mas hol­i­days and the begin­ning of the new year, the Charm­ing Kit­ten group, the Iran­ian state-backed hack­ers, have begun a tar­get­ed phish­ing cam­paign of espi­onage against dif­fer­ent indi­vid­u­als to col­lect infor­ma­tion. Charm­ing Kit­ten, also known as APT35 and Phos­pho­rus, is one of the hack­er groups backed by the Islam­ic Repub­lic of Iran. The group start­ed the new round of attacks at a time when most com­pa­nies, offices, orga­ni­za­tions, etc. were either closed or half-closed dur­ing Christ­mas hol­i­days and, as a result, their tech­ni­cal sup­port and IT depart­ments were not able to imme­di­ate­ly review, iden­ti­fy, and neu­tral­ize these cyber inci­dents. Charm­ing Kit­ten has tak­en full advan­tage of this tim­ing to exe­cute its new cam­paign to max­i­mum effect.

Read the rest here.

The report goes on to say that the phish­ing attack includ­ed think tanks, polit­i­cal research cen­ters, uni­ver­si­ty pro­fes­sors, jour­nal­ists, and envi­ron­men­tal activists in the coun­tries around the Per­sian Gulf, Europe, and the US.

The use to which any stolen mate­r­i­al will be put is unknown, but Phos­pho­rus has a his­to­ry of infil­trat­ing gov­ern­ment net­works of both adver­saries and peo­ple of influ­ence. Rel­e­vant Glob­al Influ­ence Oper­a­tions Report (GIOR) report­ing on Phos­pho­rus has included:

• We report­ed in Octo­ber 2020 that Phos­pho­rus report­ed­ly works for Iran­ian Intel­li­gence and has a his­to­ry of infil­trat­ing gov­ern­ment net­works of their adver­saries as well as the use of phish­ing attacks.

• We report­ed in Octo­ber 2020 that Phos­pho­rus was behind an Octo­ber 2019 failed attempt to breach accounts con­nect­ed with Pres­i­dent Trump’s re-elec­tion cam­paign as well as the accounts of jour­nal­ists and U.S. officials.

• We report­ed in Novem­ber 2020 that Phos­pho­rus was linked to an attempt to break into per­son­al e‑mail accounts of the Munich Secu­ri­ty Con­fer­ence attendees.