Iranian Hacking Group Targets Israeli Cybersecurity Experts in Spear-Phishing Campaign

An Iranian state-sponsored hacking group, known as Charming Kitten, has intensified its spear-phishing efforts against cybersecurity and computer science experts in Israel. This advanced persistent threat (APT), which is linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), has been active for over a decade and is known for its sophisticated cyber espionage tactics targeting both supportive and adversarial governments, as well as individuals.

According to Check Point Research (CPR), the recent attacks began with the hackers posing as employees of cybersecurity firms, employing Jewish-sounding names and background details to enhance their credibility. These tactics were aimed at luring prominent Israeli academics and professionals into initiating conversations, often via WhatsApp, to evade traditional email filters and ensure quicker responses. In some instances, the threat actors even sought in-person meetings in Tel Aviv, raising questions about the potential for physical espionage.

Charming Kitten’s operations included sending personalized messages that referenced current cyber threats against Israel from Iran. Sergey Shykevich, a threat intelligence manager at CPR, noted that the group employs a meticulous approach, researching its targets to create compelling narratives that encourage victims to engage. The initial outreach did not contain malicious links or attachments, maintaining a façade of legitimacy until trust was established.

The focus of this campaign appears to be on high-profile individuals within academia and the cybersecurity sector, reflecting possible retaliatory motives following suspected Israeli cyber operations against Iranian infrastructure. While the total number of targets remains unclear, CPR identified over 100 domains associated with this campaign, indicating a broader scope beyond Israel. The group’s rapid cycling through infrastructure poses significant challenges for defenders trying to block and track the campaign.