Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms

Security company Proofpoint has attributed a spear-phishing campaign carried out at the end of 2020 to the Advanced Persistent Threat (APT) group known as Charming Kitten. The campaign was aimed at senior professionals at medical research institutions in the United States and Israel.

Charming Kitten, also known as Ajax, Phosphorus, and TA453, is an APT group with connections to the Islamic Revolutionary Guard Corps (IRGC) in Iran. Since 2014, Charming Kitten has conducted espionage campaigns using spear-phishing attacks and custom-made malware. The attacks previously attributed to the group targeted dissidents, journalists, and academics, so the most recent spear-phishing campaign against medical research institutions is a departure from the group's typical targets.

The phishing campaign, called BadBlood, attempted to steal Microsoft Office account credentials and coincided with rising tensions among Iran, Israel and the United States. It is not clear at this time whether the targeting of senior professionals in medical research organizations is part of a larger strategy or was an outlier incident. The researchers believe the latter is the case and that the group was trying to acquire particular forms of intelligence.

The campaign was discovered in December 2020, about one month after the U.S. Department of Justice seized 27 website domains managed by the IRGC that were being used for covert influence campaigns aimed at events in the U.S. and other nations around the world.

The spear-phishing emails were sent from a Gmail account that impersonated Daniel Zajfman, a well-known Israeli physicist. The email's subject line was "Nuclear weapons at a glance: Israel". The group used social engineering to persuade recipients to click a link to a Charming Kitten website that spoofed Microsoft OneDrive. The landing page showed an image of a PDF file with a message saying the file could not be accessed. Clicking the image sent the visitor to a web page with a fake Microsoft Office sign-in prompt designed to collect credentials. After entering their credentials, the victim was taken to a page containing a document with the same title as the email message.
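The lure chain described above has two observable features a mail gateway or SOC can check for: a known person's display name arriving from a free webmail account, and a link whose hostname imitates a Microsoft OneDrive or Office sign-in page without being a Microsoft host. The following is an added example written for this article, not code from Proofpoint or from the campaign itself; the sample messages, the `weizmann.example` domain, the `.invalid` lookalike URL and the `KNOWN_SENDERS` list are constructed placeholders, and the Microsoft host list is illustrative rather than complete.

```python
"""
Added example (not part of the Proofpoint report or this article): a small
detector for the BadBlood-style lure, run over constructed sample messages.
It flags (1) display-name impersonation sent from a free webmail domain and
(2) links whose hostname imitates Microsoft OneDrive / Office sign-in but is
not a Microsoft-owned host. All addresses, URLs and bodies are constructed
placeholders, not real indicators from the campaign.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation keeps a list of high-profile people likely to be
# impersonated, with the domains they genuinely send from (placeholder domain).
KNOWN_SENDERS = {
    "daniel zajfman": {"weizmann.example"},
}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}

# Hosts Microsoft actually uses for OneDrive / Office sign-in (not exhaustive).
MICROSOFT_HOSTS = {"onedrive.live.com", "login.microsoftonline.com", "login.live.com"}
BRAND_WORDS = ("onedrive", "office365", "microsoft", "sharepoint")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def display_name_impersonation(from_header):
    """Return a finding string if the display name matches a known person but
    the address is a free-webmail account that person does not use; else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    key = name.strip().lower()
    if key in KNOWN_SENDERS and domain not in KNOWN_SENDERS[key] and domain in FREE_WEBMAIL:
        return f"display name '{name}' sent from free webmail domain {domain}"
    return None


def suspicious_brand_links(body):
    """Return links whose hostname contains a Microsoft brand word but is not
    one of the legitimate Microsoft hosts."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in MICROSOFT_HOSTS:
            continue
        if any(word in host for word in BRAND_WORDS):
            hits.append(url)
    return hits


def score_message(msg):
    """Combine both checks; returns (number_of_findings, findings)."""
    findings = []
    impersonation = display_name_impersonation(msg["from"])
    if impersonation:
        findings.append(impersonation)
    for url in suspicious_brand_links(msg["body"]):
        findings.append(f"brand-lookalike link {url}")
    return len(findings), findings


# Constructed sample messages: one modelled on the lure described in the
# article, one genuine message from the impersonated person, one benign notice.
SAMPLES = [
    {"from": "Daniel Zajfman <dzajfman.physics@gmail.com>",
     "subject": "Nuclear weapons at a glance: Israel",
     "body": "Please review the document: https://onedrive-share.invalid/d/nuclear-glance.pdf"},
    {"from": "Daniel Zajfman <daniel@weizmann.example>",
     "subject": "Seminar schedule",
     "body": "Slides are here: https://onedrive.live.com/redir?resid=constructed"},
    {"from": "IT Helpdesk <helpdesk@hospital.example>",
     "subject": "Password reset",
     "body": "Sign in at https://login.microsoftonline.com/ to confirm."},
]


def run():
    """Score every sample; the first should produce two findings, the rest none."""
    return [score_message(m) for m in SAMPLES]


if __name__ == "__main__":
    for msg, (score, findings) in zip(SAMPLES, run()):
        print(f"{score} finding(s) for {msg['subject']!r}: {findings}")
```

Either check on its own is noisy; the combination of an impersonated display name, a free-mail sender and a brand-lookalike link is what makes the message worth quarantining and the click worth an alert. In production the host allow-list would come from the tenant's real sign-in endpoints and the display-name list from the directory, not from literals.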

Proofpoint researchers do not know what Charming Kitten did with the stolen credentials. However, they note that the group's earlier phishing campaigns resulted in the exfiltration of the contents of compromised email accounts and the use of those accounts for further phishing attacks.

The researchers state that the attackers' apparent objectives were to gain access to data on genetics, neurology and oncology, to obtain patient information, and to harvest credentials for use in other phishing campaigns. This was a highly focused campaign that targeted the credentials of fewer than 25 senior-level professionals at medical research institutions.

Proofpoint's Joshua Miller states that although the targeting of medical professionals in genetics, neurology and oncology might not be a long-term move in TA453 targeting, it does reveal at least a momentary switch in TA453 collection goals. BadBlood is in line with a rising trend worldwide of medical research being increasingly targeted by espionage-focused threat actors.