CHARMING KITTEN blamed for BadBlood phishing campaign

Charming kitten bad blood microsoft

Hackers linked to Iran have targeted 25 senior professionals at various medical research organizations located in the US and Israel as part of phishing campaign

CHARMING KITTEN know as also APT35 and AJACX SECURITY TEAM and PHOSPHOROUS are a group that target personal accounts of important people using open source information to spear phish the target in question. The information to deceive targets includes names and companies that the target know and the hackers also use false social media accounts and social engineering to make victims click on attachments. We have written about CHARMING KITTEN before and you can view that article here.

CHARMING KITTEN at it again?

The group has started to make a stir again recently when a security company called proofpoint attributes the attack on US and Israeli medical research personnel to CHARMING KITTEN or a potential associated group they are calling TA453. This activity is being called operation Badblood from proofpoint because of the medical focus of the attack.

New campaign and old techniques

The activity is new but the tactics are not. from the words of proofpoint, TA453 use a complex credential phishing campaign to target malicious emails at US and Israeli medical and engineering professionals to attempt to get them to click on a malicious link that the TA453 group controlled which leads to a site that spoofs Microsoft’s onedrive service. When a user attempts to sign in, the spoofed site is actually capturing and recording the username and password of the user therefore gaining access to the Microsoft account. This is almost identical to many spear phishing campaigns Microsoft reported that was believed to be TA453 in the past.

Possible link between CHARMING KITTEN and IRGC

Iranian hacking community is well known for there resourcefulness and strong abilities in cyberspace but the complexity of this particular hack does make us wonder here at ICNA if there could be possible link to IRGC operations. We know CHARMING KITTEN has in the past targeted dissidents, academics, diplomats and journalists which are also all common target of the IRGC. While this attack may seem at first like a shift in the groups targeting, this may be part of a short-term specific intelligence collection requirement for the IRGC.

It can be seen that overall there is an increased trend of medical research being targeted in cyber space as many nations are struggling with the implications of the deadly coronavirus which could be what is pushing this change in target if this is the work of the IRGC. The group may also be after for example specific patient information or to gather more accounts for further phishing campaigns.

Big payoffs risk big consequenses

It is worth noting that proofpoint along with a company called VirusTotal telemetry succeeded to mapping and identifying the infrastructure and domains used by the group by comparing the infrastructure components, campaign timing and similarity to the composition of other lure-document from past attacks to state with confidence that they know the group who did this attack.

In 2019 US department of Justice indicted four Iranian individuals thought to be associated with CHARMING KITTEN for using social media and credential phishing emails to conduct malicious computer intrusions on behalf of IRGC. For this reason it is a good and healthy reminder to all hackers that there can be serious consequences for the work they do, and they must not become complacent in protecting their anonymity.


Leave a Reply

Your email address will not be published. Required fields are marked *