Thursday, July 6, 2023

Iranian Hacking Group Impersonating Nuke Experts to Gain Intel From Think Tanks

Here is more from SC Media:

A cyber espionage group linked to the Iranian government has been impersonating think-tank employees to phish Middle Eastern nuclear weapons experts, according to researchers at Proofpoint.

The group — called “TA453,” “Charming Kitten” or “APT35,” depending on the threat intelligence service you’re relying on — has a long track record of targeting U.S. and European government officials, politicians, think tanks and entities involved in critical infrastructure.

The latest campaign detailed by Proofpoint dates from March to May of this year and begins with benign emails that seek to establish a rapport with foreign policy researchers in the West.

Those initial emails were later followed by phishing emails that link to a password-protected DropBox URL, ostensibly to access the research. Instead, it executes .RAR and LNK files and runs a PowerShell script that installs a backdoor on the victim’s system, before calling out to a cloud hosting provider for additional malware payloads.

In one instance, the actor reached out several times in mid-May to a media relations contact for an unnamed U.S.-based think tank focused on foreign affairs.

The first email, purporting to be from Karl Roberts, a senior fellow and deputy director of terrorism and conflict at the Royal United Services Institute, asked for feedback on an Iranian-themed piece of research.


SC Media notes that it is not the first time that Charming Kitten has targeted think tanks in order to gather intelligence about Western foreign policy decision-making. 

Here is a 2021 Think Tank Watch piece about Iranian hackers masquerading as UK scholars to hack think tanks.