APT35 Ruse: Vishing From the Charming Kittens
8 Sep 2020

One of the greatest powers given to us by social media channels is arguably the ability to find people from any place in the world. More than that, we can connect with them in seconds without paying a fee or jumping through hoops.
Finding a person is easier than ever now. You just set up a profile on one of the platforms, enter some key info in the search field, and you will likely be in luck: the person you are looking for turns up.
While that sounds great, this social media superpower is also its most prominent super weakness.
People tend to pay less attention to it than to the invasive practices of service providers or the mass profiling and data harvesting business we’ve posted about earlier. But it's a big issue and a real risk for professionals who can’t isolate themselves as easily on those platforms.
Some of us don’t have the privilege to cancel out the risks that come with an online presence; some of us rely on social media to do our jobs and monitor the situation in the world.
The Work Field That Is All About Taking Chances
“Journalism is printing what someone else does not want printed. Everything else is public relations.” ‒ George Orwell.
There are life risks present in many jobs and many work fields, but rarely do they get as behavior-based and personality-oriented as in political journalism. Opinions tend to mean more than usual, and words that don’t get the state’s approval can put a target on the messenger’s back.
It takes a lot of courage to tell the part of a story that the state would like to keep hidden, and there are many brave people who put democracy and freedom of speech before their well-being.
We are talking about the watchdogs who sacrifice moral stability to express and share anti-establishment opinions or provide facts and evidence that can ruffle some pretty big feathers. When you choose to tie your life to such an unconventional profession, you’re silently agreeing to being watched constantly.
That’s where social media channels can be used against a person getting too close to the fire. These platforms essentially offer a government a shortcut that spares it the need to compromise devices through active exploits in instant messengers.
“Good Old” Social Engineering Is Good Enough
It’s not often that a state-backed hacking group initiates contact with a target through a LinkedIn connect request.
It’s even rarer for hackers to pose as journalists themselves, but that’s what APT35 (an Iranian advanced persistent threat group, also known as Charming Kitten) did. The Iranian hackers targeted human rights activists and academic experts covering the Iranian political climate by masquerading as Persian-speaking journalists from a German broadcasting company called Deutsche Welle and an Israeli magazine, Jewish Journal.
The attackers decided to add more twists and turns to their strategy by holding a phone conversation with their targets to gain more trust and legitimacy in the targets’ eyes.
During the conversations, the hackers would share links to compromised websites, where the targets would be shown a phishing page or asked to download a malicious zip file.
We can break the operation down into just three steps:
- Connect with a target on LinkedIn, using a stolen or synthetic identity
- Initiate a call to gain more trust from the victim
- Direct the target to a phishing page, or to a source of the malicious attachment
The full details can be found in the ClearSky report aptly named “The Kittens Are Back in Town 3”.
This seems like a bold strategy, since this group was allegedly involved in more journalistic spoofs before, where emails and SMS messages were used as a first step, not LinkedIn. But it worked, mostly because of how much easier it is to influence a person over a call.
While Advanced Persistent Threat groups have other, more technical means of compromise, social engineering stays the most effective and cost-efficient attack vector for political criminals.
This approach only reinforces the idea that emotional susceptibility and the journalistic desire to get information are a bad mix. Journalists find themselves between a rock and a hard place, and by highlighting this case, we hope to forewarn people who take risks daily to preserve the freedom of speech.