Hacking group "Charming Kitten" targets nuclear experts and Treasury officials

As President Trump restored harsh economic sanctions on Iran last month, hackers scrambled to break into the personal emails of U.S. officials tasked with enforcing those sanctions.

Also on the hackers' hit list were high-profile defenders, detractors and enforcers of the 2015 Iran nuclear deal, as well as Arab atomic scientists, Iranian civil society figures and D.C. think tank employees, The Associated Press found. 

The AP drew on data gathered by Certfa, a cybersecurity group, to track how a hacking group often nicknamed Charming Kitten spent the past month trying to break into the private emails of more than a dozen U.S. Treasury officials.   

"Presumably, some of this is about figuring out what is going on with sanctions," said Frederick Kagan, a scholar at the American Enterprise Institute who was among those targeted.

He said he was alarmed by the targeting of foreign nuclear experts. "This is a little more worrisome than I would have expected," he said.

The hit list surfaced after Charming Kitten mistakenly left one of its servers open to the internet. Researchers at Certfa found the server and extracted a list of 77 Gmail and Yahoo addresses targeted by the hackers that they handed to the AP for further analysis. 

Although those addresses likely represent only a fraction of the hackers' overall effort, they still provide considerable insight into Tehran's espionage priorities. "The targets are very specific," Certfa researcher Nariman Gharib said.

In a report published Thursday, Certfa tied the hackers to the Iranian government. The assessment was backed by others who have tracked Charming Kitten. 

Kagan said most signs pointed to a serious, state-backed operation. "It doesn't look like freelancers," he said.

Calls to Iranian officials were not returned late Wednesday, the beginning of the weekend in the country.


Iran has previously denied responsibility for hacking operations, but an AP analysis of its targets suggests that Charming Kitten is working in close alignment with the Islamic Republic's interests. The most striking targets were the nuclear officials -- a scientist working on a civilian nuclear project for Pakistan's Ministry of Defense, a senior operator at the Research and Training Reactor in the Jordanian city of Ramtha, and a high-ranking researcher at the Atomic Energy Commission of Syria.

The trio suggested an interest in nuclear technology and administration. Others on the hit list pointed to an eagerness to keep track of officials charged with overseeing America's nuclear arsenal.

"This is something I've been worried about," said Guy Roberts, the U.S. Assistant Secretary of Defense for Nuclear, Chemical, and Biological Defense Programs, when alerted to his presence on the list.

Still more targets are connected to the 2015 Iran deal, which called for Tehran to curb its uranium enrichment in exchange for the lifting of international sanctions. 

The list indicates that Iranian spies were also interested in the world of U.S. defense companies.

There were Iranian targets, too, including media workers, an agronomist and a senior employee of the country's Department of Environment -- a possible sign that Tehran's crackdown on environmentalists, which began earlier this year, continues apace.

The Charming Kitten campaign uncovered by Certfa generally relied on a password-stealing technique called phishing. Two Nov. 17 emails provided to the AP by Jim Sisco of Enodo Global Inc., a Virginia-based risk advisory firm that was targeted by Charming Kitten, mimic the look and feel of Gmail security alerts, a technique used by hackers across the globe.

[Image] An example of a planted image of a fake suspicious activity alarm in a phishing email sent by purported "Charming Kitten" Iranian hackers, as discovered by the London-based cybersecurity firm Certfa. (Credit: Certfa)

An analysis of Certfa's data shows the group targeted at least 13 U.S. Treasury employees' personal emails, including one belonging to a director at the Financial Crimes Enforcement Network, which fights money laundering and terror financing, and one used by the Iran licensing chief at the Office of Foreign Assets Control, which is in charge of enforcing U.S. sanctions.

But a few employees' LinkedIn profiles referenced back office jobs or routine tax work. That suggested "a fairly scattershot attempt," said Clay Stevenson, a former Treasury official who now consults on sanctions and was himself targeted by Charming Kitten.

Others' experience suggested a more professional effort.

Georgetown University professor and South Asia security expert Christine Fair said she had only recently returned from a conference in Afghanistan attended by Iranian officials and a visit to the Iranian border when she learned she was in the hackers' sights.

"The timing is uncanny," she said.