Group rumored to be behind campaign hack also going after cybersecurity researchers

An Iran-linked hacking group that targeted a U.S. presidential campaign has also been trying to breach cybersecurity analysts who have exposed the hackers’ operations, new research shows.

The hackers recently sent researchers at Israeli company ClearSky Cyber Security malware-laced emails purporting to be from an antivirus company, according to Ohad Zaidenberg, the company’s senior cyber intelligence researcher. The hacking group, which analysts say works in support of Iranian interests, also set up a phishing website mimicking that of ClearSky and a web-mail page “built to attack our clients,” Zaidenberg told CyberScoop.

While ClearSky did not elaborate on the attempted breaches of the company, the episode highlights the lengths to which the group might go to try to infiltrate the cybersecurity specialists who track them. And it is just the latest activity in what has been a busy few months for the Iranian computer operatives, known to researchers as Charming Kitten, APT35, or Phosphorus.

Last week, Microsoft said the hackers had tried to break into email accounts associated with an unnamed U.S. presidential campaign, along with current and former U.S. government officials, journalists, and certain Iranians living abroad. While Microsoft’s report covered a lot of activity (the company said the hackers had targeted 241 email accounts), it also encouraged outside analysts to come forward with their own Charming Kitten data.

ClearSky researchers say in the last week they’ve found additional phishing sites that try to trick Facebook and Twitter users into handing over their passwords. The sites are made using WordPress or CrunchPress, a related website tool, and have directories that store logos used to impersonate the target organization. In addition to the targets named by Microsoft, Charming Kitten has also been targeting academic researchers who focus on Iran along with activists opposed to the Iranian regime, according to ClearSky.

For some analysts, the latest Charming Kitten activity is a reminder of the group’s persistence and maturation.

John Hultquist, director of intelligence analysis at cybersecurity company FireEye, said the Iranian hacking group had “come a long way” in honing their tradecraft in the five years his company has been tracking the hackers. A group that once had “rudimentary” techniques has been “using a lot of off-the-shelf tools and frameworks to improve their capability,” Hultquist told CyberScoop.