Iranian government hackers have impersonated journalists to reach out to targets via LinkedIn, and set up WhatsApp calls to win their trust, before sharing links to phishing pages and malware-infected files.
The attacks have happened in July and August this year, according to Israeli cyber-security firm ClearSky, who published a report today detailing this particular campaign.
The hackers are believed to be members of Iranian super group CharmingKitten, also known as APT35, NewsBeef, Newscaster, or Ajax, according to Ohad Zaidenberg, ClearSky Lead Cyber Intelligence Researcher.
Zaidenberg says the recent campaign targeted academia experts, human rights activists, and journalists specialized in Iranian affairs.
The ClearSky researcher said hackers contacted victims first via LinkedIn messages, where they posed as Persian-speaking journalists working for German broadcasting company Deutsche Welle and Israeli magazine Jewish Journal.
After making contact, the attackers would attempt to set up a WhatsApp call with the target and discuss Iranian affairs in order to gain the target’s trust.
Following this initial call, victims would eventually receive a link to a compromised Deutsche Welle domain that either hosted a phishing page or a ZIP file containing malware capable of dumping and stealing their credentials.
Iranian hackers impersonated journalists before
Zaidenberg said the group’s recent operation is an escalation of other attacks carried out in late 2019 and early 2020, when the same group also posed as journalists, this time working for the Wall Street Journal, to reach out to targets.
However, in previous attacks, CharmingKitten only used emails and SMS to reach out to victims, but never called their targets.
“This TTP [technique, tactic, procedure] is uncommon and jeopardizes the fake identity of the attackers (unlike emails for example),” Zaidenberg wrote in the ClearSky report published today.
“However, if the attackers have successfully passedthe phone callobstacle, they can gain more trust from the victim, compared to an email message.”
Zaidenberg also points out that the tactics CharmingKitten used were nowhere near original. North Korean hackers have been using this particular tactic for years, such as organizing fake job interviews on Skype to breach Chile’s ATM network, or setting up fake interviews via phone or WhatsApp calls with employees working at various defense contractors.