Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms

Security firm Proofpoint reports that the Advanced Persistent Threat (APT) group Charming Kitten was behind a spear phishing campaign in late 2020 targeting senior professionals at medical research organizations in the United States and Israel.

Charming Kitten, aka Phosphorus, Ajax, and TA453, is an APT group with links to the Islamic Revolutionary Guard Corps (IRGC) in Iran. Charming Kitten has been active since at least 2014 and is primarily involved in espionage campaigns involving spear phishing attacks and custom malware. The attacks previously linked to the APT group have been on dissidents, academics, and journalists, so the latest spear phishing campaign targeting medical research organizations is a departure from the group’s usual targets.

The phishing campaign, dubbed BadBlood, attempted to steal Microsoft Office credentials and coincided with growing tensions between Iran, the United States, and Israel. It is unclear at this stage whether the targeting of very senior professionals in medical research firms is part of a wider campaign or was simply an outlier event. The researchers suspect the latter to be the case and that the group was attempting to obtain specific types of intelligence.

The campaign was detected in December 2020, around a month after the U.S. Department of Justice seized 27 website domains operated by the IRGC that were being used for covert campaigns that attempted to influence events in the United States and other countries.

The spear phishing campaign involved emails from a Gmail account that impersonated a prominent Israeli physicist, Daniel Zajfman. The emails had the subject line “Nuclear weapons at a glance: Israel” and social engineering methods were used to convince the recipients to click a link in the emails and visit a Charming Kitten domain that spoofed Microsoft OneDrive. An image of a PDF file was hosted on the landing page stating that the file could not be opened. Clicking the image directed the individual to a web page with a fake Microsoft Office login prompt that harvested credentials. After credentials were stolen, the victim was redirected to a page containing a document with the same title as the email, with content related to that topic.
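One way a mail-security team could flag the two indicators in the chain described above: a known contact's display name arriving from a free webmail address, and a link whose hostname claims to be OneDrive but is not a Microsoft-owned domain. This is an added illustration, not Proofpoint's detection logic; the contact directory, domain lists and sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed directory of trusted contacts and the domain they normally send from.
KNOWN_CONTACTS = {"Daniel Zajfman": "example-institute.test"}  # placeholder, not the real domain
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
# Hosts that legitimately serve OneDrive links; anything else using the brand is suspect.
MICROSOFT_DOMAINS = ("onedrive.live.com", "1drv.ms", "sharepoint.com", "microsoft.com", "live.com")

# Constructed sample messages: one modelled on the BadBlood lure, one benign.
SAMPLE_MESSAGES = [
    {"from": "Daniel Zajfman <d.zajfman.research@gmail.com>",
     "subject": "Nuclear weapons at a glance: Israel",
     "urls": ["https://onedrive-share.example.test/view/israel.pdf"]},
    {"from": "Daniel Zajfman <dzajfman@example-institute.test>",
     "subject": "Seminar slides",
     "urls": ["https://onedrive.live.com/view.aspx?resid=abc"]},
]

def parse_from(header):
    """Split 'Display Name <addr>' into (name, lowercase address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if not m:
        return "", header.strip().lower()
    return m.group(1).strip(), m.group(2).strip().lower()

def is_microsoft_host(host):
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)

def score_message(msg):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    name, addr = parse_from(msg["from"])
    domain = addr.rsplit("@", 1)[-1]
    expected = KNOWN_CONTACTS.get(name)
    # Display name matches a trusted contact but the address is a free webmail account.
    if expected and domain != expected and domain in FREE_WEBMAIL:
        findings.append(f"display-name impersonation: '{name}' expected @{expected}, got @{domain}")
    for url in msg["urls"]:
        host = (urlparse(url).hostname or "").lower()
        # Hostname trades on the OneDrive brand without being a Microsoft domain.
        if ("onedrive" in host or "1drv" in host) and not is_microsoft_host(host):
            findings.append(f"OneDrive lookalike host: {host}")
    return findings

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", score_message(msg) or "clean")
```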

Proofpoint researchers were unable to determine what Charming Kitten did with the stolen credentials, but they point out that previous phishing campaigns conducted by the group have resulted in the contents of compromised email accounts being exfiltrated by the APT group and the accounts used in further phishing campaigns.

The researchers suggest the attackers appear to have had a mission to gain access to information related to genetics, oncology, and neurology, that they were also seeking access to patient data, and that they wanted to obtain credentials for use in further phishing campaigns. This was a highly targeted campaign that attempted to obtain the credentials of fewer than 25 senior-level staffers at medical research organizations.

“While targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating trend globally of medical research being increasingly targeted by espionage motivated focused threat actors,” said Proofpoint’s Joshua Miller.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.