In another sign of the growing extremism and aggressiveness of the Iranian regime, the Associated Press revealed an unprecedented effort by Iranian regime hackers to break into the personal emails of American officials responsible for enforcing new economic sanctions imposed on Iran.
In addition to the cyber attacks on U.S. officials, the Iranian regime hackers also targeted high-profile dissidents and detractors of the Iran nuclear deal, as well as a hodgepodge of D.C. think tank employees, Iranian civil society figures and atomic scientists.
The AP drew on data gathered by the London-based cybersecurity group Certfa to track how a hacking group often nicknamed Charming Kitten spent the past month trying to break into the private emails of more than a dozen U.S. Treasury officials.
The reported campaign underscores the degree to which government-sponsored hackers still rely on tricking email users into handing over their usernames and passwords. The alleged phishing campaign aimed to bait targets into handing over their credentials and then went further, asking victims to provide the one-time codes, such as texted and app-generated codes, used as a second form of authentication. A code relayed this way is just as good for the attacker as for the victim, provided it is forwarded to the real service within its short validity window, which is why SMS and app-generated codes do not stop this class of attack while phishing-resistant methods such as hardware security keys do.
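The following is an added illustration, not code from the AP or Certfa reporting, of the two points made above: a one-time code relayed in real time still verifies, and an origin-bound credential does not. The TOTP part follows RFC 4226/6238 using only the Python standard library. The origin-binding part is a deliberately simplified model of what WebAuthn relies on: the browser, not the user, supplies the page origin that gets signed, so a signature produced on a phishing page fails the real service's check. An HMAC under a device key stands in for the authenticator's signature, and all secrets, timestamps and domain names are constructed for the example.

```python
"""Added example: relayed one-time codes vs. origin-bound assertions.

Everything here (secrets, timestamps, domains) is constructed; the TOTP code
follows RFC 4226/6238, the 'WebAuthn' part is a simplified model of origin binding.
"""
import hashlib
import hmac
import struct

# ---- Part 1: TOTP as the victim's authenticator app computes it (RFC 4226 / 6238) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """Time-based code: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at // step)


def service_verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Typical server-side check: accept the current window plus/minus `skew` windows."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def relay_phish_totp(secret: bytes, victim_time: int, relay_delay_s: int) -> bool:
    """Real-time phishing: the victim types the code into the fake page at `victim_time`;
    the attacker forwards it to the real service `relay_delay_s` seconds later.
    Returns whether the real service accepts the relayed code."""
    code_typed_by_victim = totp(secret, victim_time)
    return service_verify_totp(secret, code_typed_by_victim, victim_time + relay_delay_s)


# ---- Part 2: an origin-bound assertion (simplified model of the WebAuthn property) ----
# The browser fills in the origin of the page that requested the assertion; the user cannot
# override it. HMAC under a device-bound key stands in for the authenticator's signature.

REAL_ORIGIN = "https://mail.example.com"          # constructed: the genuine service
PHISH_ORIGIN = "https://mail-example-login.com"   # constructed: the lookalike phishing page


def authenticator_sign(device_key: bytes, challenge: bytes, page_origin: str) -> bytes:
    """Authenticator signs the challenge together with the origin the browser observed."""
    client_data = challenge + b"|" + page_origin.encode()
    return hmac.new(device_key, client_data, hashlib.sha256).digest()


def service_verify_assertion(device_key: bytes, challenge: bytes, signature: bytes,
                             expected_origin: str) -> bool:
    """The relying party only accepts an assertion bound to its own origin."""
    expected = authenticator_sign(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, signature)


def legit_webauthn_login(device_key: bytes) -> bool:
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    sig = authenticator_sign(device_key, challenge, REAL_ORIGIN)
    return service_verify_assertion(device_key, challenge, sig, REAL_ORIGIN)


def relay_phish_webauthn(device_key: bytes) -> bool:
    """Attacker relays the real challenge to the victim, who is on the phishing page.
    The browser binds the signature to PHISH_ORIGIN, so the real service rejects it."""
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    sig = authenticator_sign(device_key, challenge, PHISH_ORIGIN)
    return service_verify_assertion(device_key, challenge, sig, REAL_ORIGIN)


if __name__ == "__main__":
    seed = b"12345678901234567890"        # RFC 4226 test-vector secret
    t0 = 1_543_000_000                    # constructed timestamp (Nov 2018)
    print("relayed TOTP after 10s accepted:", relay_phish_totp(seed, t0, 10))
    print("relayed TOTP after 120s accepted:", relay_phish_totp(seed, t0, 120))
    print("origin-bound assertion from phishing page accepted:", relay_phish_webauthn(b"device-key"))
```

Run with a ten-second relay the code is accepted; only a delay of several windows defeats it, which no attacker operating a live relay needs to incur. The origin-bound assertion fails no matter how fast the relay is, because the phishing origin is part of what was signed.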
The hit list surfaced after Charming Kitten mistakenly left one of its servers open to the internet last month. Researchers at Certfa found the server and extracted a list of 77 Gmail and Yahoo addresses targeted by the hackers that they handed to the AP for further analysis.
It’s hard to know how many of the accounts were successfully compromised or how exactly they were targeted in each case. But even though the addresses likely represent only a fraction of the hackers’ overall efforts, they still provide considerable insight into Tehran’s espionage priorities.
“Presumably, some of this is about figuring out what is going on with sanctions,” said Frederick Kagan, a scholar at the American Enterprise Institute who has written about Iranian cyberespionage and was among those targeted.
Kagan said he was alarmed by the targeting of foreign nuclear experts. “This is a little more worrisome than I would have expected,” he said.
The targeting of the email accounts of nuclear scientists raises the dark specter that the regime is going after data and critical research information that could prove useful in its ongoing nuclear weapons development.
The actions also fly in the face of one of the key arguments made by the Iran lobby during the run-up to the nuclear deal, which was that the Iranian regime was only interested in civilian and peaceful nuclear development and had no interest in developing weapons of mass destruction.
In a report published Thursday, Certfa tied the hackers to the Iranian government, a judgment drawn in part on operational blunders, including a couple of cases where the hackers appeared to have accidentally revealed that they were operating from computers inside Iran.
Certfa said its investigation found the hackers used Virtual Private Networks, or VPNs, to make it look like they were operating from France and the Netherlands. But the group said it uncovered strong evidence that the hackers were operating from inside Iran.
The assessment was backed by others who have tracked Charming Kitten. Allison Wikoff, a researcher with Atlanta-based SecureWorks, recognized some of the digital infrastructure in Certfa's report and said the hackers' past operations left little doubt they were government-backed.
“It’s fairly clear-cut,” she said.
Kagan was speaking about the economic sanctions the U.S. has placed on Iran. The latest sanctions, on Iran's oil and financial industry, were announced last month.
Iranian regime cyber attacks are nothing new; they have become a relentless fact of life for the defenders tasked with protecting government and corporate networks against intrusion. But this latest effort goes after personal email accounts, which sit outside the monitoring, filtering and hardening applied to official networks and so present a softer target, a different tack in the regime's cyber tactics.
To add a look of legitimacy to their campaign, the hackers in some cases directed victims to open websites hosted on Google Sites pages before entering their usernames and passwords, Certfa said. Hosting the lure on a trusted domain lets the link pass domain-reputation filters and defeats the usual advice to "check the address bar" before clicking. The researchers said they notified Google of the pattern, and Google deactivated the hackers' pages hosted on the company's service. Google didn't immediately respond to a request for comment.
The effort to target avowed dissidents and naysayers of the Iran nuclear deal indicates another disturbing trend by the mullahs in Tehran which is to go after those who dare denounce or criticize them.
This past year, Iranian intelligence agents have been identified in an attempt to smuggle a bomb into an annual gathering of Iranian dissidents outside of Paris and in a plot to assassinate noted critics of the regime in Denmark.
What is also noteworthy is the virtual silence emanating from the Iran lobby and its chief members, including the National Iranian American Council, who have never voiced a criticism of the Iranian regime's cyber terror activities, nor ever called upon the regime to lift the virtual blockade it has imposed on outside social media services within Iran.
The tight-fisted ban on transmitting information reveals the key weakness of the mullahs’ rule which is it cannot stand up to the scrutiny of daylight and transparency.
This is why the regime relies so heavily on cyber attacks to stifle dissent, gain intelligence and secrets and wage an online war against its harshest critics, such as the efforts by the regime to manipulate fake social media accounts to attack dissident groups such as the National Council of Resistance of Iran.
Ultimately the regime's efforts are likely to prove ineffective as its stealth efforts are uncovered and revealed to the world, reinforcing the growing perception that Tehran was never really serious about pursuing a new moderation with the rest of the world.