London, 14 Dec – Last month, Iranian hackers attempted to break into personal emails of American officials tasked with enforcing the recently reimposed sanctions, according to The Associated Press.
Data gathered by London-based cybersecurity group Certfa tracked a hacking group nicknamed Charming Kitten. The AP believes that the group spent the past month trying to break into the private emails of more than a dozen U.S. Treasury officials.
Allegedly, high-profile individuals involved in the nuclear deal between Washington and Tehran, as well as atomic scientists, Iranian civil society figures, and D.C. think tank employees were targeted.
Frederick Kagan, a scholar at the American Enterprise Institute who has written about Iranian cyber-espionage, was among those targeted. He said, “Presumably, some of this is about figuring out what is going on with sanctions,” and added that he was alarmed by the targeting of foreign nuclear experts. “This is a little more worrisome than I would have expected,” he said.
Charming Kitten mistakenly left one of its servers open to the internet last month, and the list was discovered by researchers at Certfa. They extracted a list of 77 Gmail and Yahoo addresses targeted by the hackers, and gave it to the AP for further analysis. The addresses provide considerable insight into Tehran’s espionage priorities, but it’s not clear how many of the accounts were successfully compromised. However, Certfa researcher Nariman Gharib said, “The targets are very specific.”
Certfa tied the hackers to the Iranian government in a report published Thursday. The hackers seem to have accidentally revealed that they were operating from computers inside Iran. Allison Wikoff, a researcher with Atlanta-based Secureworks, who has tracked Charming Kitten, recognized some of the digital infrastructure in Certfa’s report and said the hackers’ past operations left little doubt they were government-backed.
Iran has previously denied hacking operations, but the AP analysis of the targets suggests that Charming Kitten is working in close alignment with the Islamic Republic’s interests.
Certfa said that the Charming Kitten campaign relies on a password-stealing technique called phishing that mimics the look and feel of Gmail security alerts. This technique is commonly used by hackers. Certfa’s data shows that at least 13 U.S. Treasury employees’ personal emails were targeted. One email account belongs to a director at the Financial Crimes Enforcement Network, which fights money laundering and terror financing, and another is used by the Iran licensing chief at the Office of Foreign Assets Control — in charge of enforcing U.S. sanctions.
Kagan said the signs point to a state-backed operation. “It doesn’t look like freelancers,” he said.