Charming Kitten is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. Charming Kitten often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group’s TTPs overlap extensively with those of another group, Magic Hound, so public reporting may not distinguish between the two groups’ activities.
Who is Charming Kitten?
The group identified as Charming Kitten also appears to overlap with activity previously attributed to another group dubbed Flying Kitten. This link was made through analysis of code shared between two different campaigns, explained either by infrastructure reuse or by the same people moving between the groups.
Behzad Mesri (AKA Skote Vahshat)
One such member was identified as Behzad Mesri (AKA Skote Vahshat), who was indicted for his involvement in the HBO hack and extortion campaign, which saw the leaking of confidential information and upcoming episodes of Game of Thrones.
According to the indictment, “Mesri is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure. At certain times, Mesri has been a member of an Iran-based hacking group called the Turk Black Hat security team”.
Mesri’s public persona has apparently also given clues to his affiliation with the HBO hack, and provides some linkage to the Charming Kitten group. Whilst the HBO hack does not appear to have been state sanctioned, Mesri’s involvement and the reuse of his tactics in Charming Kitten operations provide some basis for attribution.
ArYaIeIrAN (AKA email@example.com AKA firstname.lastname@example.org AKA email@example.com)
A 29-year-old Iranian hacker and member of Turk Black Hat, whose handle ‘ArYaIeIrAN’ has been attributed to a number of website defacements in which the handle was displayed prominently.
The same email address, firstname.lastname@example.org, appears in the SOA (Start of Authority) record of multiple domains registered and used by Charming Kitten. All of these domains have used ‘persiandns[.]net’ as their nameserver.
email@example.com also registered persiandns[.]net, potentially indicating that he is the administrator of the service and an employee of the company.
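The SOA RNAME and nameserver pivot described above can be scripted. The following is an added example, not code from the original article: given dig-style SOA and NS answers for a set of domains (constructed here), it extracts the responsible mailbox from each SOA record, clusters domains that share a mailbox, primary nameserver or NS host, and flags mailboxes whose own domain is among the analysed domains. All domain names, mailboxes and the shape of the `dig +noall +answer` output are constructed assumptions.

```python
"""Pivot on shared SOA RNAME mailboxes and nameservers across a set of domains.

Hypothetical input: text in the shape of `dig +noall +answer` output
(owner TTL class type rdata). Every name below is constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample: three domains share one DNS provider and one RNAME mailbox,
# one unrelated domain does not. Serial/refresh/retry/expire/minimum are filler.
SAMPLE_ANSWERS = """\
login-alert.example.  3600 IN SOA ns1.hosting-a.example. dnsadmin.hosting-a.example. 2021030401 7200 3600 1209600 3600
login-alert.example.  3600 IN NS  ns1.hosting-a.example.
login-alert.example.  3600 IN NS  ns2.hosting-a.example.
drive-share.example.  3600 IN SOA ns1.hosting-a.example. dnsadmin.hosting-a.example. 2021031101 7200 3600 1209600 3600
drive-share.example.  3600 IN NS  ns1.hosting-a.example.
hosting-a.example.    3600 IN SOA ns1.hosting-a.example. dnsadmin.hosting-a.example. 2020121201 7200 3600 1209600 3600
hosting-a.example.    3600 IN NS  ns1.hosting-a.example.
unrelated.example.    3600 IN SOA ns1.other-dns.example. hostmaster.other-dns.example. 2019010101 7200 3600 1209600 3600
unrelated.example.    3600 IN NS  ns1.other-dns.example.
"""

_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(SOA|NS)\s+(.*)$")


def rname_to_email(rname: str) -> str:
    """Convert an SOA RNAME to a mailbox using the DNS mailbox convention: the first
    unescaped '.' becomes '@'; a backslash-escaped dot in the local part stays a dot."""
    rname = rname.rstrip(".")
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
        elif ch == ".":
            return "".join(local) + "@" + rname[i + 1:]
        else:
            local.append(ch)
            i += 1
    return "".join(local)  # no domain part at all


def parse_answers(text: str) -> dict:
    """Return {domain: {"mname": primary NS, "rname": mailbox, "ns": {NS hosts}}}."""
    records = defaultdict(lambda: {"mname": None, "rname": None, "ns": set()})
    for line in text.splitlines():
        m = _RR.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        owner = owner.rstrip(".").lower()
        fields = rdata.split()
        if rtype == "SOA" and len(fields) >= 2:
            records[owner]["mname"] = fields[0].rstrip(".").lower()
            records[owner]["rname"] = rname_to_email(fields[1]).lower()
        elif rtype == "NS" and fields:
            records[owner]["ns"].add(fields[0].rstrip(".").lower())
    return dict(records)


def cluster(records: dict, key: str) -> dict:
    """Group domains sharing an attribute: key is 'rname', 'mname', or 'ns'
    (one group per NS host). Only groups of two or more domains are returned,
    since a single domain is not a pivot."""
    groups = defaultdict(set)
    for domain, rec in records.items():
        values = rec["ns"] if key == "ns" else {rec[key]}
        for value in values:
            if value:
                groups[value].add(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def provider_operated(records: dict) -> dict:
    """Return {rname mailbox: its domain} where the mailbox's own domain is itself one of
    the analysed domains, the pattern the text describes for the registrant who also
    registered the DNS provider's domain."""
    hits = {}
    for rec in records.values():
        mailbox = rec["rname"]
        if mailbox and "@" in mailbox:
            mail_domain = mailbox.split("@", 1)[1]
            if mail_domain in records:
                hits[mailbox] = mail_domain
    return hits


if __name__ == "__main__":
    recs = parse_answers(SAMPLE_ANSWERS)
    for key in ("rname", "mname", "ns"):
        print(key, cluster(recs, key))
    print("provider operated:", provider_operated(recs))
```

A shared RNAME or nameserver can simply mean a shared managed-DNS provider, so treat a cluster as a lead to corroborate with registration and hosting data rather than as attribution on its own.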
firstname.lastname@example.org and Mesri
A recorded defacement of a website attributed to both ArYaIeIrAN and Vahshat indicates that the two individuals knew each other and were by then working together, alongside additional personas known as BiLiWoW, Bl4ck.Viper, E2MA3N, 0day, and mars.
At the time, the website associated with persiandns[.]net redirected to mahanserver[.]ir, indicating that the two entities are related. A Facebook search for mahanserver[.]ir indicated that Mohammad Rasoul Akbari was, or is, the CEO of mahanserver[.]ir, and a Twitter profile linked from that Facebook profile connected him to the moniker ra3ou1.
ra3ou1 and ArYaIeIrAN also followed each other on Twitter, a further connection between the two. Akbari was also a Facebook friend of Mesri, thereby tying all three identities to Charming Kitten.
Who are they targeting?
Charming Kitten has been known to target a wide range of groups, presumably because those targets have taken an interest in Iranian affairs, or because Iran is interested in developments within those target organisations.
Such targets include security researchers, universities, defense-related organisations, and government agencies.
What are their tactics?
The Charming Kitten group focuses primarily on compromising systems through social engineering based attacks. These include social media impersonation, spear-phishing built around social engineering pretexts, and spear-phishing via SMS messages.
The impersonation method comprises four techniques: spear-phishing emails with a link to Google Sites, smishing, a login attempt alert message, and social networking impersonation.
Technique – Google Sites
One such method involves sending crafted emails purporting to share files through Google Drive (or another file-sharing platform). Once the target receives the email, clicks the link, and interacts with the site, which is hosted within the Google domain, the victim’s Google account credentials are harvested.
Smishing
The second impersonation technique is smishing, in which an SMS message using the Sender ID ‘Live Recover’ is sent to the target. The message contains an alert about a compromise attempt and asks the target to verify it through an attached link. Upon clicking the link, victims are redirected to an address shortening service, where their credentials are harvested.
Login attempt alert message
The third technique employs a fake unauthorized login attempt alert, claiming that a person from North Korea has attempted to compromise the victim’s Yahoo email account. The message then urges the victim to secure their account.
Social networking impersonation
The final technique includes social networking impersonation. In this method, the group has created additional phishing sites pretending to be Instagram, Facebook, and Twitter accounts.
Researchers noted that one of the sites in the infrastructure exposed an open directory on port 80 which contained files relevant to the deployment of different phishing sites.
What infrastructure have they operated on?
Charming Kitten has been observed using a combination of public cloud and private cloud infrastructure to host its attack platforms and phishing kits. This also includes IP addresses within Iranian-assigned ASNs.
When have they been known to be active?
The group members associated with Charming Kitten have been known to be active from 2013 onwards in various guises and campaigns. Notably, there are occurrences of indictments and activities which connect various members of this group to each other, and subsequently to campaigns.
Those events are:
- Monica Witt defection (2013)
- HBO hack and extortion (2017)
- 2020 US Election interference attempts (2019)
How can they be detected?
Charming Kitten does not show a high level of sophistication in the construction of its campaigns, and relies primarily on social engineering based techniques and vectors to obtain credentials for sensitive accounts.
It relies mainly on public cloud infrastructure or typosquatted domain names in an effort to capture victims’ credentials.
Mitigation of identified techniques
Since the primary method used by Charming Kitten is social engineering, user awareness and training should be treated as the first priority for detecting campaigns.
In addition, two-factor authentication on all external access points into an organization’s infrastructure should be considered to safeguard against password spraying or lost credentials.
Furthermore, reputation-based blocks on domain names should be implemented so that newly registered domains cannot be accessed. This may also create content-inspection and TLS re-signing requirements in order to inspect network traffic for indicators of compromise.
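A defender-side illustration of the two detection points above (credential-harvesting sites on cloud or typosquatted domains) and the newly-registered-domain block in the mitigation section, as an added example that is not part of the original article. It scans constructed proxy log lines for hostnames that impersonate the brands the article names (Google, Yahoo, Instagram, Facebook, Twitter) and for domains younger than a policy threshold. The log format, hostnames, registration dates and the 30-day threshold are all assumptions made for the example, and the registration-date table stands in for a WHOIS/RDAP lookup.

```python
"""Flag brand-lookalike (typosquat) hostnames and newly registered domains in
web-proxy log lines.

Everything here is constructed for the example: the log format
(timestamp user= dst= action=), the hostnames, and REGISTRATION_DATES, which
stands in for a WHOIS/RDAP or domain-age feed lookup.
"""
from datetime import datetime, timezone

# Brands the text names as impersonated, plus the registrable domains that
# legitimately carry them. Extend both with your own organisation's names.
PROTECTED_BRANDS = ("facebook", "google", "instagram", "twitter", "yahoo")
LEGIT_DOMAINS = {"facebook.com", "google.com", "instagram.com", "twitter.com", "yahoo.com"}
NEW_DOMAIN_DAYS = 30  # assumed policy threshold for "newly registered"

# Constructed stand-in for registration dates (would come from WHOIS/RDAP).
REGISTRATION_DATES = {
    "login-yahoo-verify.example": datetime(2021, 2, 20, tzinfo=timezone.utc),
    "instagrarn.example": datetime(2021, 3, 1, tzinfo=timezone.utc),
    "facebok.example": datetime(2018, 6, 1, tzinfo=timezone.utc),
}

# Constructed proxy log lines.
SAMPLE_LOG = """\
2021-03-04T09:12:01Z user=alice dst=accounts.google.com action=allow
2021-03-04T09:15:02Z user=bob dst=login-yahoo-verify.example action=allow
2021-03-04T09:16:30Z user=carol dst=instagrarn.example action=allow
2021-03-04T09:17:00Z user=dave dst=mail.yahoo.com action=allow
2021-03-04T09:18:12Z user=erin dst=facebok.example action=allow
2021-03-04T09:19:45Z user=frank dst=intranet.corp.example action=allow
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; distance 1 to a brand catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(label: str) -> str:
    """Collapse common ASCII look-alike sequences (rn->m, vv->w, 0->o, 1->l, 3->e)."""
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        label = label.replace(src, dst)
    return label


def registrable_domain(host: str) -> str:
    """Simplification: last two labels. Production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def brand_abuse_reasons(host: str) -> list:
    """Reasons a hostname looks like brand impersonation; empty for the real brand domains."""
    reasons = []
    if registrable_domain(host) in LEGIT_DOMAINS:
        return reasons
    for label in host.lower().split(".")[:-1]:  # every label except the TLD
        for token in label.split("-"):
            for brand in PROTECTED_BRANDS:
                if token == brand:
                    reasons.append(f"brand '{brand}' in label '{label}'")
                elif normalize_homoglyphs(token) == brand or levenshtein(token, brand) == 1:
                    reasons.append(f"lookalike of '{brand}': '{token}'")
    return reasons


def new_domain_reason(host: str, seen_at: datetime):
    """Reason string if the registrable domain is younger than NEW_DOMAIN_DAYS, else None."""
    created = REGISTRATION_DATES.get(registrable_domain(host))
    if created is None:
        return None
    age_days = (seen_at - created).days
    return f"domain registered {age_days} days before access" if age_days < NEW_DOMAIN_DAYS else None


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a UTC datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def scan_log(text: str) -> list:
    """Return one alert per log line whose destination is suspicious."""
    alerts = []
    for line in text.strip().splitlines():
        event = parse_line(line)
        reasons = brand_abuse_reasons(event["dst"])
        age_reason = new_domain_reason(event["dst"], event["ts"])
        if age_reason:
            reasons.append(age_reason)
        if reasons:
            alerts.append({"user": event["user"], "host": event["dst"], "reasons": reasons})
    return alerts
```

Both signals are weak on their own (a legitimate new marketing domain is also "newly registered"), which is why the alert carries every reason that fired: a lookalike label on a domain registered days earlier is a far stronger lead than either alone, and the user field tells the responder whose credentials to reset first.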