But the five-page analysis that landed in my inbox wasn’t really from an Israeli think tank. It had been sent by Iranian hackers, part of a complex phishing attack targeting my work email account.
It was just the latest in a series of cyberattacks apparently staged by the same group — and it should set off alarm bells among U.S. organizations and individuals. It is critical that we understand the cyberthreat and take the necessary precautions.
Given my professional focus on Iran issues at the Atlantic Council, I am a prime target for cyberattacks. My email potentially offers hackers access not only to sensitive information and conversations, but also to contacts with high-profile individuals with whom my organization regularly works.
In this instance, the hackers were relentless and sophisticated. They first impersonated a senior Israeli researcher with whom I had met and corresponded in the past. In the fabricated correspondence, they provided a link for me to add my insights on the paper. When I didn’t respond, the hackers sent a second message impersonating the think tank’s external relations liaison (someone I also knew). That message even included a note in Hebrew from the “researcher” asking the contact to follow up with me. Still not receiving the desired response, they sent an additional message from the “researcher,” this time including a conversation from the president of a prominent Washington think tank offering his critiques of the paper — all to gain my trust.
The correspondence was credible enough that I logged in to view the research paper. Finding it to be far below the high standards of the think tank — and confused why they would turn to an Iran analyst for insights on China — I responded, emphasizing the subject matter was not my area of expertise. An off-key follow-up from the hackers tipped me off that something was wrong. Luckily, two-step authentication saved me, and no information was compromised. The hackers had used fake Gmail accounts.
According to ClearSky, an Israeli cybersecurity firm, this phishing attack not only was Iran-linked, it bore the hallmarks of Charming Kitten, a notorious Iranian cyber-espionage group. The group has been active since 2014, a key period when political momentum was building for the 2015 landmark Iran nuclear deal.
Charming Kitten worked under the radar until they were caught using phishing scams again in 2018, the year President Trump withdrew from the Iran nuclear agreement. ClearSky believes the hacking group became increasingly active last year, targeting academic institutions, human rights organizations, and the media.
During the 2018 attack — which came just as Trump reimposed a second round of punitive sanctions against Iran — Charming Kitten targeted more than a dozen U.S. Treasury officials. Other targets included Iranian civil society activists, think tank employees in Washington, and proponents of the nuclear deal as well as Iran hawks. Between August and September of last year, Charming Kitten unsuccessfully attacked Trump’s 2020 reelection campaign.
Then, in November, the group impersonated New York Times journalist Farnaz Fassihi (but in her previous role as a Wall Street Journal reporter) to compromise academics and researchers working on Iran. ClearSky found that the hackers also assumed the guise of journalists at other outlets, including CNN and Germany’s Deutsche Welle.
In February, the group used the identities of State Department officials to phish Baha’i researchers.
Charming Kitten’s latest attacks seem to share a common theme: the coronavirus. Iran has the highest number of coronavirus cases and deaths in the Middle East, which may explain why the group attacked covid-19 drugmaker Gilead and even the World Health Organization by impersonating journalists. It seems the hackers were trying to gather information that could help combat the coronavirus.
While experts describe Charming Kitten as a low-level group in the hierarchy of Iranian cyber espionage, the recent volume of attacks — those we know of — is troubling. Though Iran has not stated its intentions, and denies engaging in what it calls “cyber warfare,” this latest activity appears to focus on individuals in the Washington think tank community who follow Iran issues closely. People like me are involved in the public debate about the present and future of U.S. policy on Iran, so groups such as Charming Kitten could be seeking insights through these phishing attacks, often using the urgency of the coronavirus issue as bait for unsuspecting victims.
My experience shows that there is a genuine cyber threat to U.S. institutions. Even amid the covid-19 pandemic, Iran is planning for the future. Allied defenses must be equal to the task.