How Iranian hackers tried to phish me
By Holly Dagres
May 20, 2020 at 8:59 p.m. GMT+2
Holly Dagres is a fellow in the Atlantic Council’s Middle East Programs and the editor of its IranSource and MENASource blogs.
The email from a prominent Israeli think tank offered some provocative suggestions on U.S. policy towards China. “We must understand that China is at war with the United States,” it declared, citing the covid-19 pandemic as evidence. Its authors recommended that the Trump administration set up a team of “top China experts” such as Stephen K. Bannon and former House speaker Newt Gingrich to confront “Red China” in the wake of the coronavirus crisis.
But the five-page analysis that landed in my inbox wasn’t really from an Israeli think tank. It had been sent by Iranian hackers, part of a complex phishing attack targeting my work email account.
It was just the latest in a series of cyberattacks apparently staged by the same group — and it should set off alarm bells among U.S. organizations and individuals. It is critical that we understand the cyberthreat and take the necessary precautions.
Given my professional focus on Iran issues at the Atlantic Council, I am a prime target for cyberattacks. My email potentially offers hackers access not only to sensitive information and conversations, but also to contacts to high-profile individuals with whom my organization regularly works.
In this instance, the hackers were relentless and sophisticated. They first impersonated a senior Israeli researcher whom I had met and corresponded with in the past. In the fabricated correspondence, they provided a link for me to add my insights on the paper. When I didn’t respond, the hackers sent a second message impersonating the think tank’s external relations liaison (someone I also knew). That message even included a note in Hebrew from the “researcher” asking the contact to follow up with me. Still not receiving the desired response, they sent an additional message from the “researcher,” this time including a conversation from the president of a prominent Washington think tank offering his critiques of the paper — all to gain my trust.
The correspondence was credible enough that I logged in to view the research paper. Finding it to be far below the high standards of the think tank — and confused why they would turn to an Iran analyst for insights on China — I responded, emphasizing the subject matter was not my area of expertise. An off-key follow-up from the hackers tipped me off that something was wrong. Luckily, two-step authentication saved me, and no information was compromised. The hackers had used fake Gmail accounts.
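One defender-side check for the pattern described above (a known contact’s name on a message sent from a look-alike free webmail address, with replies steered elsewhere), added here as an example and not drawn from the article or from ClearSky’s analysis; the contact names, addresses and subjects are constructed placeholders:

```python
# Added example (not from the article): flag contact impersonation by comparing
# the display name against the addresses that contact normally writes from.
from email.utils import parseaddr
import re

# Constructed address book (placeholder names and domains).
KNOWN_CONTACTS = {
    "dana levi": {"dlevi@thinktank.example"},
    "external relations office": {"relations@thinktank.example"},
}

# Free webmail providers anyone can register without vetting.
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def _normalize_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Dana  LEVI' matches 'dana levi'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def assess_sender(headers: dict, known=KNOWN_CONTACTS) -> list[str]:
    """Return the reasons a message looks like contact impersonation (empty if none)."""
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    reasons = []
    expected = known.get(_normalize_name(name))
    if expected is not None and addr not in expected:
        reasons.append(f"display name '{name}' is a known contact but {addr} is not their address")
        domain = addr.rsplit("@", 1)[-1]
        if domain in FREEMAIL_DOMAINS:
            reasons.append(f"sent from free webmail domain {domain}")
    # A Reply-To that differs from From silently redirects your answer.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From address")
    return reasons


def triage(messages: list[dict]) -> dict[str, list[str]]:
    """Map each flagged message's Subject to its reasons; clean messages are omitted."""
    return {m["Subject"]: r for m in messages if (r := assess_sender(m))}


# Constructed sample headers modelled on the multi-step approach described above.
SAMPLE_MESSAGES = [
    {"From": '"Dana Levi" <dlevi@thinktank.example>', "Subject": "Conference follow-up"},
    {"From": '"Dana Levi" <dana.levi.research@gmail.com>', "Subject": "Your insights on our China paper"},
    {"From": '"External Relations Office" <relations.thinktank@gmail.com>',
     "Reply-To": "dana.levi.research@gmail.com", "Subject": "Re: China paper - reminder"},
]

if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES).items():
        print(subject, "->", "; ".join(reasons))
```

The check deliberately stays quiet for unknown senders, since a stranger writing from Gmail is ordinary; it is the reuse of a trusted name from the wrong address that marks this campaign.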
According to ClearSky, an Israeli cybersecurity firm, this phishing attack not only was Iran-linked, it bore the hallmarks of Charming Kitten, a notorious Iranian cyber-espionage group. The group has been active since 2014, a key period when political momentum was building for the 2015 landmark Iran nuclear deal.
Charming Kitten worked under the radar until they were caught using phishing scams again in 2018, the year President Trump withdrew from the Iran nuclear agreement. ClearSky believes the hacking group became increasingly active last year, targeting academic institutions, human rights organizations, and the media.
During the 2018 attack — which came just as Trump reimposed a second round of punitive sanctions against Iran — Charming Kitten targeted more than a dozen U.S. Treasury officials. Other targets included Iranian civil society activists, think tank employees in Washington, and proponents of the nuclear deal as well as Iran hawks. Between August and September of last year, Charming Kitten unsuccessfully attacked Trump’s 2020 reelection campaign.
Then, in November, the group impersonated New York Times journalist Farnaz Fassihi (but in her previous role as a Wall Street Journal reporter) to compromise academics and researchers working on Iran. ClearSky found that the hackers also assumed the guise of journalists at other outlets, including CNN and Germany’s Deutsche Welle.
In February, the group used the identities of State Department officials to phish Baha’i researchers.
Charming Kitten’s latest attacks seem to share a common theme: the coronavirus. Iran has the highest number of coronavirus cases and deaths in the Middle East, which may explain why the group attacked covid-19 drugmaker Gilead and even the World Health Organization by impersonating journalists. It seems the hackers were trying to gather information that could help combat the coronavirus.
While experts describe Charming Kitten as a low-level group in the hierarchy of Iranian cyber espionage, the recent volume of attacks — those we know of — is troubling. Though Iran has not stated its intentions, and denies engaging in what it calls “cyber warfare,” this latest activity appears to focus on individuals in the Washington think tank community who follow Iran issues closely. People like me are involved in the public debate about the present and future of U.S. policy on Iran, so groups such as Charming Kitten could be seeking insights through these phishing attacks, often using the urgency of the coronavirus issue as bait for unsuspecting victims.
My experience shows that there is a genuine cyber threat to U.S. institutions. Even amid the covid-19 pandemic, Iran is planning for the future. Allied defenses must be equal to the task.