Charming Kitten

Charming Kitten
Модный мишка
Formation: c. 2004–2007
Type: Advanced persistent threat
Purpose: Cyberespionage, cyberwarfare
Region: Middle East
Methods: Zero-days, spearphishing, malware, social engineering, watering hole
Membership: At least 5
Official language: Persian
Parent organization: IRGC
Affiliations: Rocket Kitten, APT34, APT33
Formerly called: APT35, Turk Black Hat, Ajax Security Team, Phosphorus

Charming Kitten, also called APT35 (by Mandiant), Phosphorus or Mint Sandstorm (by Microsoft), [1] Ajax Security (by FireEye), [2] and NewsBeef (by Kaspersky), [3] [4] is an Iranian government cyberwarfare group, described by several companies and government officials as an advanced persistent threat.


On December 15, 2017, the group was designated by FireEye as a nation state-based advanced persistent threat, despite its lack of sophistication. Research conducted by FireEye in 2018 suggested that APT35 may be expanding its malware capabilities and intrusion campaigns. [5]

The group has since been known to use phishing to impersonate company websites, [6] as well as fake accounts and fake DNS domains to phish users' passwords.

History

Witt Defection (Early 2013)

In 2013, former United States Air Force technical sergeant and military intelligence defense contractor Monica Witt defected to Iran, [7] knowing she might incur criminal charges in the United States for doing so. The intelligence she provided to the government of Iran later led to Operation Saffron Rose, a cyberwarfare operation that targeted US military contractors.

HBO cyberattack (2017)

In 2017, following a cyberattack on HBO, a large-scale joint investigation was launched on the grounds that confidential information was being leaked. A hacker using the alias Sokoote Vahshat (Persian سکوت وحشت, lit. 'Silence of Fear') stated that if money was not paid, scripts of television episodes, including episodes of Game of Thrones, would be leaked. The hack caused a leak of 1.5 terabytes of data, some of it shows and episodes that had not been broadcast at the time. [8] HBO has since stated that it would take steps to make sure it would not be breached again. [9]

Behzad Mesri was subsequently indicted for the hack. He has since been alleged to be part of the operation unit that had leaked confidential information. [10]

According to Certfa, Charming Kitten had targeted US officials involved with the 2015 Iran Nuclear Deal. The Iranian government denied any involvement. [11] [12]

Second Indictment (2019)

A federal grand jury in the United States District Court for the District of Columbia indicted Witt on espionage charges (specifically "conspiracy to deliver and delivering national defense information to representatives of the Iranian government"). The indictment was unsealed on February 19, 2019. In the same indictment, four Iranian nationals (Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar) were charged with conspiracy, attempting to commit computer intrusion, and aggravated identity theft, for a campaign in 2014 and 2015 that sought to compromise the data of Witt's former co-workers. [13]

In March 2019, Microsoft took ownership of 99 DNS domains owned by the Iranian government-sponsored hackers, in a move intended to decrease the risk of spear-phishing and other cyberattacks. [14]

2020 Election interference attempts (2019)

According to Microsoft, in a 30-day period between August and September 2019, Charming Kitten made 2,700 attempts to gain information regarding targeted email accounts. [15] This resulted in 241 attacks and 4 compromised accounts. Although the initiative was deemed to have been aimed at a United States presidential campaign, none of the compromised accounts were related to the election.

Microsoft did not reveal who specifically was targeted, but a subsequent report by Reuters claimed it was Donald Trump's re-election campaign. [16] This assertion is corroborated by the fact that only the Trump campaign used Microsoft Outlook as an email client.

Iran denied any involvement in election meddling, with the Iranian Foreign Minister Mohammad Javad Zarif stating "We don’t have a preference in your election [the United States] to intervene in that election," and "We don’t interfere in the internal affairs of another country," in an interview on NBC's "Meet The Press". [17]

Cybersecurity experts at Microsoft and third-party firms such as ClearSky Cyber Security maintain that Iran, specifically Charming Kitten, was behind the attempted interference, however. In October 2019, ClearSky released a report supporting Microsoft's initial conclusion. [18] In the report, details about the cyberattack were compared to those of previous attacks known to originate from Charming Kitten. The following similarities were found:

2022 HYPERSCRAPE, APT data extraction tool (2021)

On August 23, 2022, a Google Threat Analysis Group (TAG) blog post revealed a new tool developed by Charming Kitten to steal data from well-known email providers (i.e. Google, Yahoo!, and Microsoft). [19] The tool needs the target's credentials in order to open a session on the target's behalf. It uses the provider's older-style mail interface so that its activity looks to the server like an ordinary session, downloads the victim's emails, and makes changes to the mailbox to hide its traces.

Per the report, the tool is built for the Windows platform and is run by the operator rather than on the victim's machine. Credentials and other required material, such as cookies, are supplied through either a command line or a GUI.
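As an added illustration (not from the page, Google TAG, or the tool itself), the following Python sketches how a mail provider or SOC might spot the access pattern described above in mailbox audit logs: a valid-credential login through a legacy client, a burst of message reads, and follow-up actions that alter mailbox state. The log format, the client labels, the cleanup actions and the thresholds are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed mailbox-audit lines (invented format, not from the page or any provider):
# "<ISO time> user=<addr> ip=<ip> client=<modern|basic> action=<action> [count=<n>]"
SAMPLE_LOG = """\
2022-08-23T09:00:01Z user=alice@example.org ip=203.0.113.5 client=modern action=login
2022-08-23T09:05:12Z user=alice@example.org ip=203.0.113.5 client=modern action=read count=3
2022-08-23T11:30:00Z user=alice@example.org ip=198.51.100.77 client=basic action=login
2022-08-23T11:30:04Z user=alice@example.org ip=198.51.100.77 client=basic action=read count=120
2022-08-23T11:31:40Z user=alice@example.org ip=198.51.100.77 client=basic action=read count=140
2022-08-23T11:33:02Z user=alice@example.org ip=198.51.100.77 client=basic action=mark_unread count=260
2022-08-23T11:33:10Z user=alice@example.org ip=198.51.100.77 client=basic action=delete count=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) client=(?P<client>\S+) "
    r"action=(?P<action>\S+)(?: count=(?P<count>\d+))?$"
)
CLEANUP_ACTIONS = {"mark_unread", "delete"}  # assumed state-restoring actions


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["count"] = int(row["count"] or 1)
        row["ts"] = datetime.fromisoformat(row["ts"].replace("Z", "+00:00"))
        rows.append(row)
    return rows


def suspicious_sessions(text, read_threshold=100, window_minutes=15):
    """Flag (user, ip) sessions: legacy client + read burst + cleanup actions."""
    sessions = {}
    for row in parse_log(text):
        sessions.setdefault((row["user"], row["ip"]), []).append(row)
    flagged = []
    for (user, ip), events in sessions.items():
        events.sort(key=lambda e: e["ts"])
        minutes = (events[-1]["ts"] - events[0]["ts"]).total_seconds() / 60
        reads = sum(e["count"] for e in events if e["action"] == "read")
        legacy = any(e["client"] == "basic" for e in events)
        cleanup = sorted({e["action"] for e in events} & CLEANUP_ACTIONS)
        if legacy and reads >= read_threshold and minutes <= window_minutes and cleanup:
            flagged.append({"user": user, "ip": ip, "reads": reads, "cleanup": cleanup})
    return flagged
```

The ordinary session from 203.0.113.5 is not flagged, while the legacy-client burst from 198.51.100.77 is; real deployments would tune the thresholds against their own baseline.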


References

  1. "Microsoft uses court order to shut down APT35 websites". CyberScoop. March 27, 2019.
  2. "Ajax Security Team lead Iran-based hacking groups". Security Affairs. May 13, 2014.
  3. "Freezer Paper around Free Meat". securelist.com. April 27, 2016.
  4. Bass, Dina. "Microsoft Takes on Another Hacking Group, This One With Links to Iran". news.bloomberglaw.com.
  5. "OVERRULED: Containing a Potentially Destructive Adversary". FireEye.
  6. "Iranian Charming Kitten ATP group poses as Israeli cybersecurity firm in phishing campaign". Security Affairs. July 3, 2018.
  7. Blinder, Alan; Turkewitz, Julie; Goldman, Adam (February 16, 2019). "Isolated and Adrift, an American Woman Turned Toward Iran". The New York Times. ISSN 0362-4331. Retrieved April 23, 2022.
  8. "The HBO hack: what we know (and what we don't) - Vox". August 5, 2017.
  9. Petski, Denise (July 31, 2017). "HBO Confirms It Was Hit By Cyber Attack".
  10. "HBO Hacker Was Part of Iran's "Charming Kitten" Elite Cyber-Espionage Unit". BleepingComputer.
  11. "Iranian Hackers Target Nuclear Experts, US Officials". Dark Reading. December 15, 2018.
  12. Satter, Raphael (December 13, 2018). "AP Exclusive: Iran hackers hunt nuclear workers, US targets". AP NEWS.
  13. "Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues" (Press release). United States Department of Justice, Office of Public Affairs. February 13, 2019.
  14. "Microsoft seizes 99 domains owned by Iranian state hackers". News @ WebHosting.info. March 28, 2019.
  15. "Recent cyberattacks require us all to be vigilant". Microsoft On the Issues. October 4, 2019. Retrieved December 10, 2020.
  16. Bing, Christopher; Satter, Raphael (October 4, 2019). "Exclusive: Trump campaign targeted by Iran-linked hackers - sources". Reuters.
  17. AP. "Iran denies US election meddling, claims it has no preference". www.timesofisrael.com. Retrieved December 10, 2020.
  18. "The Kittens Are Back in Town 2" (PDF). ClearSky Cyber Security. October 2019.
  19. Bash, Ajax (August 23, 2022). "New Iranian APT data extraction tool". Threat Analysis Group (TAG).