Proofpoint's cybersecurity experts have released an investigation into the Iran-directed hacking group TA453, also known as Charming Kitten, PHOSPHORUS and APT42.
The group has recently started targeting people specializing in Middle East-related issues, nuclear safety and genetic research. Each of their most recently observed email attacks used multiple fake identities. To do this, TA453 used the identities of real people working in Western foreign policy research institutions. The attacks also use new social engineering tactics to harvest intelligence on behalf of Iran's Islamic Revolutionary Guard Corps.
Main findings of the investigation
TA453's campaigns have seen the group use multiple identities in their spear phishing attacks to exploit the psychological principle of social proof. This should in particular increase the supposed authenticity of the correspondence.
The identities compromised by TA453 include real people working at the PEW Research Center, the Foreign Policy Research Institute (FRPI), the UK's Chatham House and the scientific journal Nature. This tactic was used to attack people with information regarding the State of Israel, the Gulf States, the Abraham Accords Declaration, and nuclear weapons control in connection with a possible conflict between the US and Russia. Proofpoint's security experts believe TA453 is operating in support of the Islamic Revolutionary Guard Corps (IRGC) cyber espionage campaigns aimed at stealing sensitive data and information.
Comment from Proofpoint
“Government-sponsored hacking groups are among the best at creating well-crafted social engineering campaigns to lure victims into traps. In this case, our specialists found that the Iran-affiliated group TA453 has expanded its activities by using multiple fake identities at once - the group uses social proof to convince the target of the authenticity of the request. This is an intriguing technique as it requires greater resources per target - potentially 'burning' multiple identities - and a coordinated approach between the different identities deployed by TA453.”
“Researchers working in the field of international relations, particularly those specializing in Middle East or nuclear safety studies, should exercise an increased level of vigilance when they receive unsolicited email. For example, professionals contacted by journalists should check the publication's website to determine if the email address belongs to an actual reporter,” said Sherrod DeGrippo, VP of Threat Research and Detection at Proofpoint.
More at ProofPoint.com
About Proofpoint Proofpoint, Inc. is a leading cybersecurity company. The focus for Proofpoint is the protection of employees. Because these mean the greatest capital for a company, but also the greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.