Google: Iran's Charming Kitten Targets US Presidential Elections, Israeli Military

A threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) has launched new cyberattacks against email accounts associated with the upcoming US presidential election as well as high-profile military and other political targets in Israel. The activity — which predominantly comes in the form of socially engineered phishing campaigns — are in retaliation for Israel's ongoing military campaign in Gaza and the US' support for it, and are expected to continue as tensions rise in the region.

Google's Threat Analysis Group (TAG) detected and blocked "numerous" attempts by Iran-backed APT42, perhaps best known as Charming Kitten, to log in to the personal email accounts of about a dozen individuals affiliated with President Biden and with former President Trump, according to a blog post published yesterday. Targets of the activity included current and former US government officials as well as individuals associated with the respective campaigns.

Moreover, the threat group remains persistent in its ongoing efforts to attempt to compromise the personal accounts of individuals affiliated with the current US Vice President and now presidential candidate Kamala Harris, and former President Trump, "including current and former government officials and individuals associated with the campaign," according to the post.

The discovery comes as a Telegram-based bot service called "IntelFetch" has also been found to be aggregating compromised credentials linked to the DNC and Democratic Party websites.

Charming Kitten Bats Around Israeli Targets

In addition to election-related attacks, TAG researchers also have been tracking various phishing campaigns against Israeli military and political targets — including people with connections to the defense sector, as well as diplomats, academics, and NGOs — that have ramped up significantly since April, according to the post.

Google recently took down multiple Google Sites pages created by the group "masquerading as a petition from the legitimate Jewish Agency for Israel calling on the Israeli government to enter into mediation to end the conflict," according to the post.

Charming Kitten also abused Google Sites in an April phishing campaign targeting Israeli military, defense, diplomats, academics, and civil society by sending emails that impersonated a journalist requesting comment on recent air strikes to target former senior Israeli military officials and an aerospace executive.

"Over the last six months, we have systematically disrupted these attackers' ability to abuse Google Sites in more than 50 similar campaigns," according to Google TAG.

One such campaign involved a phishing lure that featured an attacker-controlled Google Sites link that would direct the victim to a fake Google Meet landing page, while other lures included OneDrive, Dropbox, and Skype.

New & Ongoing APT42 Phishing Activity

In other attacks, Charming Kitten has engaged in a diverse range of social engineering tactics in phishing campaigns that reflect its geopolitical stance. The activity is not likely to let up for the forseeable future, according to Google TAG.

A recent campaign against Israeli diplomats, academics, NGOs, and political entities came from accounts hosted by a variety of email service providers, they discovered. Though the messages did not contain malicious content, Google TAG surmised that they were "likely meant to elicit engagement from the recipients before APT42 attempted to compromise the targets," and Google suspended Gmail accounts associated with the APT.

A separate June campaign targeted Israeli NGOs using a benign PDF email attachment impersonating a legitimate political entity that contained a shortened URL link that redirected to a phishing kit landing page designed to harvest Google login credentials. Indeed, APT42 often uses phishing links embedded either directly in the body of the email or as a link in an otherwise innocuous PDF attachment, the researchers noted.

"In such cases, APT42 would engage their target with a social engineering lure to set-up a video meeting and then link to a landing page where the target was prompted to login and sent to a phishing page," according to the post.

Another APT42 campaign template is sending legitimate PDF attachments as part of a social engineering lure to build trust and encourage the target to engage on other platforms like Signal, Telegram, or WhatsApp, most likely as a way to send a phishing kit to harvest credentials, according to Google TAG.

Politically Motivated Attacks to Continue

All of this is common hunting for APT42/Charming Kitten, which is well known for politically motivated cyberattacks. Of late, it has been extremely active against Israel, the US, and other global targets since Israel's military campaign in Gaza in retaliation for the Hamas Oct. 7 attack in Israel.

Iran overall has a long history of responding to tensions in the region with cyberattacks against Israel and the US. In the past six months alone, the US and Israel accounted for roughly 60% of APT42's known geographic targeting, according to Google TAG. More activity is expected after the Israel's recent assassination of top Hamas leader on Iranian soil, as experts believe that cyberspace will remain a primary battleground for Iran-backed threat actors.

"APT42 is a sophisticated, persistent threat actor and they show no signs of stopping their attempts to target users and deploy novel tactics," according to Google TAG. "As hostilities between Iran and Israel intensify, we can expect to see increased campaigns there from APT42."

The researchers also included a list of indicators of compromise (IoCs) in its post that include domains and IP addresses known to be used by APT42. Organizations who may be targeted also should remain vigilant for the various social engineering and phishing tactics used by the group in its recently discovered threat campaigns.