LinkedIn and WhatsApp have become prime delivery channels for an Iran-based cyber espionage group targeting the defense technology, government, diplomatic and military sectors. Posing as journalists, the attackers have been able to infect victims' devices with malware.
Israeli firm Clearsky identified the group's new TTPs in July 2020: impersonating both Deutsche Welle and The Jewish Journal, and using email followed by WhatsApp contact as the platform of choice to convince targets to open malicious links.
This marks the first time the threat actor has carried out an attack through WhatsApp and LinkedIn, and the first time it has placed phone calls to the intended victim. It was confirmed that the impersonated party did not send any email correspondence to the victim, or to any party in Israel, over the preceding weeks.
Deutsche Welle was alerted to the impersonation by Clearsky, which also alerted it to the watering hole on its website. The Iranian group calling itself Charming Kitten (also known under numerous aliases, including Newscaster, Parastoo, APT35 and NewsBeef) has been linked to many covert campaigns since late 2017, with a prime focus on obtaining sensitive information from targets ranging from media outlets to human rights activists.
The information-stealing malware was delivered over WhatsApp via the watering hole (a malicious link embedded in the Deutsche Welle domain). This occurred after victims were contacted using familiar social engineering methods: enticing academics to speak at an online seminar. The approach begins with an email to the victim to get the conversation flowing; the target is then asked to move the discussion to a WhatsApp chat. If the attackers fail to lure the victim into a WhatsApp discussion, the lure is instead sent as a LinkedIn message from a fake profile.
Further tactics have also been applied to gain the victim's trust, such as phoning the victim directly to establish a personal presence and walking the victim through the steps of connecting to the webinar using the same malicious link.
Although this tactic for pillaging sensitive information is a new direction for APT35, it is not the first time the Iranian group has used social media platforms to attack parties of interest. In 2014 the group was discovered creating fake Facebook profiles and news websites to target political and military leaders around the world. Known as Operation Newscaster, the three-year-long campaign was uncovered by iSIGHT Partners, and its targets included US Navy personnel, ambassadors and lawmakers.