Cybersecurity researchers from Proofpoint have uncovered a new espionage campaign conducted by Iranian state-sponsored hackers, targeting Western think tank members with backdoors. The campaign is notable for its ability to target both Apple and Windows-powered endpoints, adapting to the appropriate operating system as required. The hackers, known as TA453 or Charming Kitten, used phishing emails to impersonate professors and intellectuals engaged in nuclear energy research, luring targets into agreeing to receive a research paper. Once a target agreed, they received either a newly identified PowerShell backdoor called GorjolEcho or the Mac-specific NokNok malware.
The Significance of the Campaign: Proofpoint’s assessment suggests that TA453 operates under the command of the Islamic Revolutionary Guard Corps (IRGC) and the IRGC Intelligence Organization. As Iran is engaged in negotiations with Western powers regarding its nuclear weapons and facilities development, this campaign indicates Iran’s efforts to establish a favorable negotiating position. The agility demonstrated by Charming Kitten in switching between Windows and Mac malware highlights their determination to obtain valuable information. The use of multiple identities of known nuclear researchers adds credibility to the campaign but also emphasizes the need for caution in trusting email chains involving multiple individuals.
TA453’s Targeting and Tactics: TA453, active since at least 2017, primarily targets academics, researchers, diplomats, dissidents, journalists, and human rights workers. The group embeds web beacons in message bodies and engages in benign conversations with victims before attempting to deploy malware. In addition to computer-based attacks, TA453 has attempted to lure individuals into the open for potential kidnapping. The majority of the group’s targets are in the Western world, with some being Israelis.
Analysis from Other Sources: CybersecurityNews highlights TA453’s efforts to evade detection and limit disruption by threat researchers, using Google Scripts, Dropbox, and CleverApps as part of a multi-cloud strategy. TechCentral emphasizes the adaptability of the threat actors, as the campaign targeted Mac-powered devices and used LNK files instead of Microsoft Word documents with macros. The incident underscores the increasing popularity of Macs in the enterprise, which makes them a growing target for threat actors. While no compromises were reported, the campaign was described as extremely targeted, with only a small number of individuals identified as recipients of the phishing emails.
The Iranian state-sponsored hacking group TA453, or Charming Kitten, has conducted a sophisticated espionage campaign targeting Western nuclear experts. The ability to target both Apple and Windows endpoints demonstrates their agility and determination to access valuable information. The campaign highlights the importance of vigilance in email communications and the need for robust cybersecurity measures to defend against such threats.