Charming Kitten

Charming Kitten, also tracked as APT35 (Mandiant), Phosphorus (Microsoft),[1] Ajax Security (FireEye)[2] and NewsBeef (Kaspersky),[3][4] is a cyberwarfare group described by several companies and government officials as an advanced persistent threat.

Charming Kitten
Модный мишка (Russian; literally "fashionable teddy bear")
Formation: c. 2004–2007
Type: Advanced persistent threat
Purpose: Cyberespionage, cyberwarfare
Region: Middle East
Methods: Zero-days, spearphishing, malware, social engineering, watering hole attacks
Membership: At least 5
Official language: Persian
Parent organization: IRGC
Affiliations: Rocket Kitten
Formerly called: APT35, Turk Black Hat, Ajax Security Team, Phosphorus

On December 15, 2017, FireEye designated the group a nation-state advanced persistent threat despite its relatively low technical sophistication. FireEye research in 2018 suggested that APT35 was expanding its malware toolset and consolidating its campaigns.[5]

The group has since been known to use phishing pages that impersonate company websites,[6] together with fake accounts and look-alike domains registered to resemble legitimate ones, to harvest users' passwords.
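The look-alike domains mentioned above are the part of this infrastructure a defender can triage mechanically. The following is an added example, not code from the page or from any vendor report it cites: it scores candidate hostnames (constructed sample input) against a small allow-list of legitimate domains and reports the kind of impersonation found. The HOMOGLYPHS table and the two-label registrable-domain rule are simplifying assumptions; a production version would use the Public Suffix List and a fuller confusable-character table.

```python
"""Triage candidate hostnames for brand impersonation.

Added example, not code from the page or from any report it cites.
All domains below are constructed for illustration; HOMOGLYPHS and the
registrable-domain heuristic are simplifying assumptions.
"""

# Character sequences phishers commonly swap for one another (assumption).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def fold(label: str) -> str:
    """Normalise a DNS label so visually similar spellings compare equal."""
    out = label.lower()
    for src, dst in HOMOGLYPHS.items():
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str):
    """Return (second-level label, TLD); assumes a two-label registrable domain."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None, None
    return labels[-2], labels[-1]


def classify(candidate: str, legit: list) -> tuple:
    """Return (verdict, matched legitimate domain or None) for one hostname."""
    sld, tld = registrable(candidate)
    if sld is None:
        return "invalid", None
    if f"{sld}.{tld}" in legit:
        return "legitimate", f"{sld}.{tld}"
    folded = fold(sld)
    for domain in legit:
        brand = registrable(domain)[0]
        if sld == brand:                              # microsoft.net
            return "brand-other-tld", domain
        if folded == fold(brand):                     # rnicrosoft.com, micros0ft.com
            return "homoglyph", domain
        if brand in sld:                              # login-microsoft.com
            return "brand-embedded", domain
        if levenshtein(folded, fold(brand)) <= 2:     # microsft.com
            return "typo-distance", domain
    # Brand used as a subdomain of an unrelated registrable domain,
    # e.g. microsoft.com.evil.net
    subdomain_labels = candidate.lower().strip(".").split(".")[:-2]
    for domain in legit:
        if registrable(domain)[0] in subdomain_labels:
            return "brand-in-subdomain", domain
    return "unrelated", None


def triage(candidates, legit):
    """Classify every candidate and return only the suspicious ones."""
    results = [(host, *classify(host, legit)) for host in candidates]
    return [r for r in results if r[1] not in ("legitimate", "unrelated")]


LEGIT = ["microsoft.com", "google.com"]  # constructed allow-list
CANDIDATES = [                            # constructed sample input
    "microsoft.com", "rnicrosoft.com", "micros0ft.com", "login-microsoft.com",
    "microsft.com", "microsoft.com.evil.net", "example.org",
]

if __name__ == "__main__":
    for host, verdict, match in triage(CANDIDATES, LEGIT):
        print(f"{host:28} {verdict:20} impersonates {match}")
```

The checks are ordered from most to least specific so that a homoglyph spelling is not reported as a mere edit-distance hit, and the subdomain check runs last because the registrable domain of such a host is unrelated to the brand by construction.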

History

Witt Defection (Early 2013)

In 2013, former United States Air Force technical sergeant and military intelligence defense contractor Monica Witt defected to Iran, knowing she might incur criminal charges in the United States for doing so. The intelligence she provided to the government of Iran later led to Operation Saffron Rose, a cyberwarfare operation that targeted US military contractors.

HBO cyberattack (2017)

In 2017, following a cyberattack on HBO, a large-scale joint investigation was launched on the grounds that confidential information was being leaked. A hacker using the alias Skote Vahshat threatened that, unless payment was made, scripts of television episodes, including episodes of Game of Thrones, would be leaked. The breach exposed 1.5 terabytes of data, some of it shows and episodes that had not yet been broadcast.[7] HBO has since stated that it would take steps to ensure it is not breached again.[8]

Behzad Mesri was subsequently indicted for the hack and has since been alleged to be part of the operational unit that leaked the confidential information.[9]

According to Certfa, Charming Kitten had targeted US officials involved with the 2015 Iran nuclear deal. The Iranian government denied any involvement.[10][11]

Second Indictment (2019)

Witt was formally indicted by a grand jury in Washington, D.C., on February 19, 2019.[12] Four others, including the HBO hacker, were also charged.

A court order authorized Microsoft to take control of 99 domains that had been registered by the group. Microsoft has since said it plans to work to reduce the group's rate of attacks significantly.[13]

2020 Election interference attempts (2019)


This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.