German agency warns of Charming Kitten APT group targeting organizations in recent  espionage activities

The Bundesamt für Verfassungsschutz (BfV), one of the three intelligence services of the German Federation, last week released an advisory on cyber espionage against critics of the Iranian regime in Germany. Based on its current intelligence, the BfV assesses that the APT (advanced persistent threat) group Charming Kitten is actively conducting espionage against Iranian individuals and organizations in Germany. To this end, the group uses elaborate social engineering and online personas tailored to each target.

“The cyber group Charming Kitten uses spear-phishing methods to obtain confidential data of its victims,” the BfV wrote in its cyber brief. “The objective is to gain access to online services such as email accounts, cloud storage services, or messenger services used by the potential victim. In a first step, the attacker gathers intelligence on the target’s preferences and interests, including in the political field. Openly accessible publications on the internet or on social media platforms offer an easy way to obtain personal information.”

In a second step, personal contact is established: the attacker manipulates the victim through social engineering and makes false promises to induce incautious behaviour, the brief added. “When a connection has been made and a conversation started, the attacker then sends an invitation to an online video chat. In order to access the video chat, the victim must click on the link supplied. On the log-on screen, the victims enter their log-in data, enabling the attacker to access the online services they use.”

“Through the previous social engineering, the attacker group Charming Kitten can establish a seemingly harmless contact in a targeted manner by referring to issues or individuals which are known to the victim or appear legitimate,” the brief added. “Charming Kitten’s toolkit also comprises email spoofing: Victims are made to believe that they are communicating with real individuals, some of them publicly known, such as journalists or employees of NGOs.”

In April, researchers from Bitdefender Labs documented an evolution of Charming Kitten’s tactics, techniques, and procedures (TTPs), including a new, previously unseen malware family called BellaCiao. The malware is tailored to individual targets and shows a higher level of complexity, evidenced by its unusual approach to communicating with its command-and-control (C2) infrastructure. At the time, the team identified multiple victims in the U.S. and Europe, as well as in the Middle East (Turkey) and India.

The BfV detailed how Charming Kitten initiates contact with potential victims: “At first, targeted messages of non-malicious and relevant content are sent in order to build trust and enhance the attack’s prospects of success.”

“In a second step, Charming Kitten sends an invitation to an online video chat. The link leads to a seemingly legitimate website of an online service provider such as Google or Microsoft,” the brief added. “The attacker uses the possibilities these providers offer to create user-generated content. Therefore, the link redirects to a legitimate page of the selected provider. Websites such as sites.google.com, drive.google.com, or onedrive.live.com contain no official content of the provider.”

Furthermore, the BfV added that “after clicking on the link, the victim is asked to log in. Thereby, the victim is redirected unnoticed to the attacker’s malicious website. The login data is entered on this phishing website. In some cases, the victims are asked to use two-factor authentication. The code, however, is supplied by the real provider.”

The brief notes that if an online video chat does take place, it serves only to conceal the attack. “After logging in to the victim’s user account from a C2 server, the attacker is able to download the entire user data, e.g. by means of Google Takeout.”

Regarding protection against spear phishing, the BfV brief recommends treating unfamiliar contacts and unusual requests from established contacts with a ‘healthy dose of scepticism.’ In the case of unknown contacts or approaches, it suggests verifying the contact’s identity. It also advises checking email addresses for conspicuous details: be wary if established contacts want to communicate via a new email address, or if official letters of an organization are sent from a non-official email provider address such as gmail.com or outlook.com.

The agency also recommends not opening any links “of which you are unsure. Watch out for links with user-generated content, such as sites.google.com. If you are unsure whether you have opened a malicious link, you should check your browser history using the attached indicators of compromise,” the brief added.
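The lure chain the brief describes (a link on a user-generated-content host, a redirect to a lookalike login page, credentials entered within seconds) and its advice to check browser history against indicators of compromise can be turned into a small triage script. The following is an added example for this article, not code from the BfV brief or from the researchers it cites. It reads a constructed, tab-separated browser-history export and, for every visit to one of the user-generated-content hosts the brief names, looks for a follow-up navigation within a short window to a login-like page that is not on a provider-owned domain, or to a host on a supplied IOC list. The history lines, the lookalike and IOC hosts, the provider-domain allowlist and the ten-minute window are assumptions chosen for illustration, not indicators from the brief.

```python
"""Triage a browser-history export for the lure chain the BfV brief describes:
a link on a user-generated-content host, followed within minutes by a login
page that is not on a provider-owned domain (or that matches an IOC list).
Added example for this article; hosts, window and history lines are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts the BfV brief names as carrying user-generated, non-official content.
UGC_HOSTS = {"sites.google.com", "drive.google.com", "onedrive.live.com"}

# Registrable domains the impersonated providers actually own. A login page
# anywhere else that borrows their brand is the "attacker's malicious website".
# Assumed allowlist: extend it with your tenant's own SSO domains.
PROVIDER_DOMAINS = ("google.com", "microsoft.com", "microsoftonline.com",
                    "live.com", "office.com", "outlook.com")
BRAND_TOKENS = ("google", "microsoft", "office", "onedrive", "outlook")
LOGIN_TOKENS = ("login", "signin", "sign-in", "auth", "account")
WINDOW = timedelta(minutes=10)  # assumed: lure click and credential entry are seconds apart

# Constructed history export (ISO timestamp, TAB, URL). The lookalike host and
# the IOC host are placeholders, not indicators from the brief.
SAMPLE_HISTORY = """\
2023-08-02T09:14:03Z\thttps://sites.google.com/view/editorial-board-meeting
2023-08-02T09:14:09Z\thttps://accounts-google.verify-session.example/signin?continue=meet
2023-08-02T09:16:40Z\thttps://meet.google.com/abc-defg-hij
2023-08-02T13:02:00Z\thttps://drive.google.com/file/d/1abc/view
2023-08-02T13:02:12Z\thttps://accounts.google.com/signin/v2/identifier
2023-08-02T18:45:00Z\thttps://onedrive.live.com/?id=root
2023-08-02T18:45:20Z\thttps://cdn-files.invalid/shared/agenda.pdf
"""
SAMPLE_IOC_HOSTS = frozenset({"cdn-files.invalid"})  # constructed IOC list


@dataclass
class Visit:
    ts: datetime
    url: str

    @property
    def host(self) -> str:
        return (urlparse(self.url).hostname or "").lower()


def parse_history(text: str) -> list:
    """Parse 'timestamp<TAB>url' lines into Visits sorted by time."""
    visits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, url = line.split("\t", 1)
        visits.append(Visit(datetime.fromisoformat(ts.replace("Z", "+00:00")), url))
    return sorted(visits, key=lambda v: v.ts)


def provider_owned(host: str) -> bool:
    """True if host is a provider's own domain or a subdomain of it (suffix match)."""
    return any(host == d or host.endswith("." + d) for d in PROVIDER_DOMAINS)


def looks_like_login(url: str) -> bool:
    """Login-like page: a provider brand in the host, or login words in host or path."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = (p.path + "?" + p.query).lower()
    return (any(t in host for t in BRAND_TOKENS)
            or any(t in host or t in path for t in LOGIN_TOKENS))


def find_lure_chains(visits, ioc_hosts=frozenset(), window=WINDOW) -> list:
    """Return one finding per (UGC lure visit, suspicious follow-up visit) pair."""
    findings = []
    for i, lure in enumerate(visits):
        if lure.host not in UGC_HOSTS:
            continue
        for nxt in visits[i + 1:]:
            if nxt.ts - lure.ts > window:
                break  # history is sorted, so nothing later can be in-window
            h = nxt.host
            if h in ioc_hosts:
                reason = "host is on the IOC list"
            elif h in UGC_HOSTS or provider_owned(h):
                continue  # genuine provider pages: accounts.google.com, meet.google.com, ...
            elif looks_like_login(nxt.url):
                reason = "login-like page outside provider-owned domains"
            else:
                continue
            findings.append({
                "lure": lure.url, "suspect": nxt.url, "reason": reason,
                "delta_s": int((nxt.ts - lure.ts).total_seconds()),
            })
    return findings


def triage(history_text: str, ioc_hosts=frozenset()) -> list:
    return find_lure_chains(parse_history(history_text), ioc_hosts)


if __name__ == "__main__":
    for f in triage(SAMPLE_HISTORY, SAMPLE_IOC_HOSTS):
        print(f"{f['delta_s']:>4}s after {f['lure']}\n      -> {f['suspect']} ({f['reason']})")
```

On the constructed history the script flags the lookalike `accounts-google.verify-session.example` page six seconds after the sites.google.com lure, while the genuine accounts.google.com sign-in after a Drive link and the meet.google.com page are left alone; the cdn-files.invalid visit is only reported once that host is supplied as an IOC. The suffix match on the provider's registrable domain is what separates `meet.google.com` from `accounts.google.com.evil.example`; a plain substring check on "google" would flag both.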

Addressing the protection of online services, the BfV brief recommends using only official log-in pages to access online services. “Familiarise yourself with the official log-in pages of the online services you use. Check the address bar and the website certificate; in case of inconsistencies, do not enter your access data. Set up multi-factor authentication for all online services.” 

It added that “for the online services you use on a regular basis, check whether unknown devices have been connected and/or whether unauthorised access has occurred. If your online services send you security alerts, please take them seriously and follow them up. In case of doubt, be quick to change your passwords. Use different accounts for different purposes; for instance, keep private matters separate from sensitive ones.”

In January, the U.K.’s National Cyber Security Centre (NCSC) disclosed that Russia-based SEABORGIUM and Iran-based TA453 hacker groups continue to use spear-phishing attacks against targeted organizations and individuals in the U.K., and other areas of interest, primarily for information gathering activity. The SEABORGIUM group uses various identities including Callisto Group, TA446, COLDRIVER, and TAG-53, while the TA453 group also goes by APT42, Charming Kitten, Yellow Garuda, and ITG18.
