An advisory issued by Volexity revealed that state-sponsored cyber operations are increasingly targeting policy experts, particularly those with expertise in the Middle East. The Iran-linked group known as Charming Kitten, CharmingCypress, and APT42 has been identified as the perpetrator behind a recent wave of attacks on policy experts in the Middle East, the US, and Europe. The group has been known to use deceptive tactics, such as posing as a legitimate webinar platform to compromise its targets.
According to Volexity’s co-founder and president, Steven Adair, Charming Kitten is known for its sophisticated social engineering tactics and extensive efforts to gather political intelligence from think tanks and journalists. The group’s approach involves luring its targets into installing trojanized VPN applications, which then lead to the installation of malware. Adair emphasized that the level of effort and dedication exhibited by Charming Kitten is uncommon and goes well beyond the average cyber attack.
Policy experts have long been a prime target for nation-state cyber attacks. The Russia-linked ColdRiver group has used social engineering tactics to target military officers, non-governmental organizations, and other experts. Similarly, in Jordan, targeted exploitation reportedly carried out by government agencies used the Pegasus spyware to target journalists, digital-rights lawyers, and other policy experts.
Microsoft also issued a warning in January about Charming Kitten/CharmingCypress, which it refers to as Mint Sandstorm, targeting journalists, researchers, professors, and other experts. The group’s social engineering tactics are described as patient and highly skilled, making it difficult for users to quickly identify phishing emails.
CharmingCypress, which has been active since at least 2013, is known to have strong links to the Islamic Revolutionary Guard Corps (IRGC). Separately, cybersecurity firm CrowdStrike stated that the group has not been directly involved in the cyber operational aspect of the conflict between Israel and Hamas, although it remains highly committed to conducting surveillance on its targets and deploying malware.
Volexity’s advisory detailed CharmingCypress’s use of typo-squatted domains to pose as officials from the International Institute of Iranian Studies (IIIS) in order to invite policy experts to a webinar. The group’s attacks have targeted policy experts globally, with a majority of the attacks directed at European and US professionals.
The approach of CharmingCypress relies on building rapport with its targets over time, ultimately leading to the installation of malware. Volexity identified five different malware families associated with the threat, highlighting the group’s persistence and dedication to ongoing surveillance of its targets.
As a result of the constant barrage of attacks from groups like CharmingCypress, policy experts are urged to exercise caution when interacting with unknown contacts. Volexity emphasized the need for strict scrutiny of links, files, and requests for credentials when engaging with unfamiliar sources. Even when individual attempts fail, the group remains highly committed to targeting policy experts and deploying malware.
In light of these developments, the defense against cyber threats targeting policy experts becomes increasingly challenging. Experts are advised to maintain a high level of suspicion toward unsolicited communications and to exercise caution when opening documents or entering credentials into unfamiliar sites. Additionally, a heightened awareness of the persistence and dedication of threat actors like CharmingCypress is crucial in mitigating the risks associated with state-sponsored cyber operations.