The attack was carried out by Iran-backed charming kitten hackers and victims include dozens of US government officials.
Private emails of US sanctions officials and nuclear scientists have been breached by Iranian state-sponsored hackers. As per the data obtained by Certfa, a cybersecurity firm based in London, the hacking group Charming Kitten is responsible for the break-in, which took place in November 2018 perhaps, in response to the re-imposing of strict economic sanctions on Iran by the US president Donald Trump.
Reportedly, Charming Kitten is involved in a targeted security breach against top US officials, and obtained emails of over a dozen US Treasury officials, those involved in the nuclear deal assigned between Tehran and Washington, DC think tank employees, Arab atomic scientists, and prominent figures from Iranian civil society.
See: Gmail “From field” bug makes phishing attacks easier for hackers
Interestingly, the hackers made the mistake of leaving one of their servers open to the internet and this is how their hit list was identified by Certfa. According to Certfa’s report, the phishing campaign is a large-scale one as it involves breaching of emails of eminent US government officials, journalists, and activists, etc.
The campaign is particularly noteworthy because of the use of a novel technique that helped the hackers bypass the 2FA authentication protections that Gmail and Yahoo Mail and similar other services offer. Hence, the incident highlights the risks associated with the reliance on one-time passwords or one-tap logins that 2FA supports specifically if the password is sent via SMS message on the mobile phone.
To launch the attack, hackers obtained detailed information about their targets and wrote spear-phishing emails designed precisely to meet the operational security level of their targets. A hidden image was part of every email, the purpose of which was to alert the hackers when the target viewed the email.
As soon as the target entered the password into the fake Yahoo or Gmail login page, the hackers immediately received the credentials in real-time and entered the same on the target’s real login page. If a target’s account was protected through 2FA, the hackers redirected the target to another page that asked for a one-time password.
Certfa researchers discovered a list of 77 Yahoo and Gmail addresses on the exposed server. However, this is merely a fraction of the total targets of Charming Kitten but it still remains unclear if the hacker group breached the email accounts of all their targets successfully.
See: Hacking tools & ready-made phishing pages being sold on dark web for $2
One of the targets of Charming Kitten includes the American Enterprise Institute scholar Frederick Kagan, who told Associated Press in response to the attack that:
“Presumably some of this is about figuring out what is going on with sanctions. This is a little more worrisome than I would have expected.”
The attack also reinforces the fact that cyberespionage is very deeply embedded into the US-Iran relationship.