German Intelligence Warns of Surge in Iranian Espionage
Charming Kitten Targeting Iranian Expatriates, the BfV Says
German intelligence is warning Iranian expatriates over a state-sponsored espionage campaign driven by individualized social engineering techniques.
Germany's federal domestic intelligence agency, the Federal Office for the Protection of the Constitution - better known as the BfV - on Thursday said it has "current intelligence" pointing to an active Charming Kitten campaign targeting Iranian individuals and organizations in Germany.
Charming Kitten, also known as Mint Sandstorm, TA453, APT35 and Cobalt Illusion, is a hacking group with suspected ties to Iranian intelligence. The group has previously spied on journalists, defense technology companies and diplomats.
Iran's authoritarian regime has long surveilled its Western diaspora in campaigns that have included cyberespionage, online harassment including death threats, actual assassinations and acts of terrorism. A 2018 report from the Carnegie Endowment for International Peace concluded that cyber operations are "a core tool of Iranian statecraft, providing Tehran less risky opportunities to gather information and retaliate against perceived enemies at home and abroad."
Cyber experts rate Tehran's hacking capabilities below those of China and Russia but say Iranian hackers are agile in exploiting n-day vulnerabilities and make sophisticated use of social engineering techniques. The U.S. intelligence community in 2023 warned that "Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied networks and data."
The BfV said this campaign begins with online contact tailored to the target "by referring to issues or individuals which are known to the victim or appear legitimate." Initial contact may come from a spoofed email account that appears to come from a real individual, such as a journalist or an employee of a nongovernmental organization.
After establishing trust, Charming Kitten hackers ask for an online video chat through a link that, at first glance, appears to come from a legitimate provider such as Google or Microsoft. The link actually goes to a phishing web page that collects login data, including second-factor authentication codes. Hackers then download user data from the target's online accounts.
The intelligence agency advises having "a healthy dose of skepticism" when you encounter unfamiliar contacts or unusual requests from established contacts.