An Iranian cyber espionage group known as Charming Kitten (also APT35 or Phosphorus) took advantage of the recent winter break to attack targets around the world using a highly sophisticated spear-phishing campaign that involved not only email but also SMS messages.
“Charming Kitten took full advantage of this timing to execute its new campaign with maximum effect,” said CERTFA, a cybersecurity organization specializing in monitoring Iranian operations.
“The group launched the new round of attacks at a time when most businesses, offices, organizations, etc. were either closed or half-closed during the Christmas holidays and, as a result, their technical support and IT departments were unable to immediately investigate, identify and neutralize these cyber incidents,” it added.
CERTFA said it detected attacks targeting members of think tanks, policy research centers, university professors, journalists and environmental activists.
The victims were in countries in the Persian Gulf, Europe and the United States.
How an attack unfolded
CERTFA researchers said this particular campaign presented a high degree of complexity. Victims received spear-phishing messages from attackers not only by email, but also by SMS, a channel few threat actors use regularly.
While the SMS messages masqueraded as security alerts from Google, the emails exploited previously hacked accounts and attempted to play on the festive mood with holiday-related lures.
The common thread between the two campaigns was that the operators of Charming Kitten managed to hide their attacks behind a legitimate Google URL, https://www.google[.]com/url?q=https://script.google.com/xxxx, which would have fooled even the most tech-savvy recipients.
But under the hood, CERTFA said, Google’s legitimate URL would end up bouncing the user through different websites and eventually taking them to a phishing page, where they would be asked for login credentials for personal email services such as Gmail, Yahoo and Outlook, but also for professional email accounts.
The CERTFA team noted that this is not the first time that Charming Kitten has successfully hidden links to spear phishing websites behind Google URLs.
The organization references a previous report from January 2020, which exposed a Charming Kitten operation that abused sites.google.com links.
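For mail and SMS gateway triage, the google.com/url?q= wrapping and the sites.google.com hosting described above can both be surfaced by resolving the wrapper offline and checking where the link really points. The following is an added example, not CERTFA's tooling; the function names, the host lists and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Google hosts named in the article where third parties can publish content.
USER_CONTENT_HOSTS = {"script.google.com", "sites.google.com"}
REDIRECTOR_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(text):
    """Undo the [.] defanging used in reports so URLs parse normally."""
    return text.replace("[.]", ".")


def unwrap(url, max_depth=5):
    """Resolve google.com/url?q= wrappers offline; return the URL chain."""
    chain = [url]
    for _ in range(max_depth):  # bounded: wrappers can be nested
        parts = urlsplit(chain[-1])
        if (parts.hostname or "").lower() not in REDIRECTOR_HOSTS or parts.path != "/url":
            break
        target = parse_qs(parts.query).get("q", [""])[0]  # percent-decoded
        if not target.lower().startswith(("http://", "https://")):
            break
        chain.append(target)
    return chain


def triage(message):
    """Return one finding per URL whose real destination is a user-content host."""
    findings = []
    for raw in URL_RE.findall(refang(message)):
        url = raw.rstrip(".,;)")
        chain = unwrap(url)
        host = (urlsplit(chain[-1]).hostname or "").lower()
        if host in USER_CONTENT_HOSTS:
            findings.append({"url": url, "destination": chain[-1],
                             "wrapped": len(chain) > 1})
    return findings


# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    "Alert: https://www.google[.]com/url?q=https%3A%2F%2Fscript.google.com%2Fxxxx&sa=D",
    "Minutes: https://www.google.com/url?q=https://example.org/minutes.pdf.",
    "Shared page https://sites.google.com/view/constructed-example",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg, "->", triage(msg))
```

A hit is a triage signal rather than a verdict, since legitimate content also lives on these hosts; the later hops toward the phishing page are only visible when the link is opened in an isolated analysis environment.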