London, 17 Dec – The personal emails of American officials tasked with enforcing the recently reimposed sanctions were targeted by Iranian hackers last month, according to The Associated Press.
London-based cybersecurity group Certfa tracked a hacking group nicknamed Charming Kitten. The AP believes that the group spent the past month trying to break into the private emails of more than a dozen high-profile U.S. Treasury individuals involved in the nuclear deal between Washington and Tehran. Atomic scientists, Iranian civil society figures, and D.C. think tank employees were also allegedly targeted.
Among those targeted was Frederick Kagan, a scholar at the American Enterprise Institute. He has previously written about Iranian cyber-espionage. He explained, “Presumably, some of this is about figuring out what is going on with sanctions,” and added that he was alarmed by the targeting of foreign nuclear experts. “This is a little more worrisome than I would have expected,” he said.
Charming Kitten mistakenly left one of its servers open to the internet last month, allowing researchers at Certfa to discover it. They extracted a list of 77 Gmail and Yahoo addresses targeted by the hackers, and gave it to the AP for further analysis. The addresses provide considerable insight into Tehran’s espionage priorities, but it is unclear how many of the accounts were successfully compromised. However, Certfa researcher Nariman Gharib said, “The targets are very specific.”
In a report published Thursday, Certfa tied the hackers to the Iranian government. The hackers seem to have accidentally revealed that they were operating from computers inside Iran. Allison Wikoff, a researcher with Atlanta-based Secureworks, who has tracked Charming Kitten, recognized some of the digital infrastructure in Certfa’s report and said the hackers’ past operations left little doubt they were government-backed.
Iran has denied hacking operations, but the AP analysis of the targets suggests that Charming Kitten is working in close alignment with the Islamic Republic’s interests.
Certfa said that the Charming Kitten campaign relies on a technique commonly used by hackers: password-stealing “phishing” that mimics the look and feel of Gmail security alerts. Certfa’s data shows that at least 13 U.S. Treasury employees’ personal emails were targeted. One email account belongs to a director at the Financial Crimes Enforcement Network, which fights money laundering and terror financing, and another is used by the Iran licensing chief at the Office of Foreign Assets Control, who is in charge of enforcing U.S. sanctions. The signs seem to point to a state-backed operation.
“It doesn’t look like freelancers,” Kagan said.