The Kittens Are Back in Town Charming Kitten – Campaign Against Academic Researchers

In 2019, ClearSky Cyber Security observed a sharp increase in Charming Kitten attacks, after an absence of a few months and after Microsoft's 2019 official complaint against the group for “establishing an internet-based cybertheft operation referred to as ‘Phosphorus’”.

Read the full report: The Kittens Are Back in Town Charming Kitten – Campaign Against Academic Researchers

It appears that the group has initiated a new cyber espionage campaign comprised of two stages, pointing at two different targets:

  • Non-Iranian researchers from the US, Middle East, and France who focus on academic research on Iran.
  • Iranian dissidents in the US.

Despite the considerable unrest in the Iranian cybersphere, it appears that, similarly to the MuddyWater APT, Charming Kitten was unaffected[1].

In August, the campaign progressed, and unlike in July, the APT group now appears to be expanding its activities toward influential public figures around the world, rather than academic researchers and state organizations. Additionally, in August 2019, we found that the group had begun adding a tracker to its email correspondence, enabling it to follow an email message forwarded to additional accounts and obtain geolocation information.

Indicators of compromise are available for subscribers of the ClearSky threat intelligence service in MISP events 1682 and 1438.


[1] https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf