Watch: Iranian Cyberspy Caught on Zoom Trying to Hack U.S. Target

Image credit: Adobe Stock

Last month, a U.S. academic logged into a Zoom meeting with “Samuel Valable.” The academic had heard from “Valable” via a LinkedIn account, suggesting the two meet. When the academic logged on, the figure on the other end came through in grainy stills, blaming a bad internet connection for his lack of live footage. Midway through the conversation, he dropped what appeared to be a Google Books link into the Zoom chat. “This is the book that I use as my main material. It’s down here. I sent it in the little chat box,” says “Valable” in the video as a web link with the name “googlebook” appears in the Zoom chat window.

The academic became suspicious, and thanks to some quick thinking, and with the help of a group of cybersecurity researchers, they captured the first known public live-action recording of an Iranian cyber-spy at work.


The real Samuel Valable, a French biologist, was nowhere near the Zoom call. Instead, the academic was Zooming with a member of “Charming Kitten,” a cybersecurity industry nickname for a group of hackers affiliated with Iran’s Islamic Revolutionary Guard Corps intelligence organization. And the “Google Book” link was actually a phishing link designed to trick users into “signing in” to a real-looking Google Accounts page and steal their password.

The U.S. academic — who shared the story on the condition of anonymity — wasn’t fooled. Instead, they recorded the call and sent it to the Computer Emergency Response Team in Farsi (CERTFA), a cybersecurity research group that tracks Iranian hackers. The fake links used by the hackers pointed to infrastructure previously used by and attributed to Charming Kitten.   
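The lure in this case was a link labelled as a Google Book that actually led to a lookalike Google sign-in page. The check below is an added example, not code from the article, CERTFA or the researchers: it vets a link as it appears in a chat by comparing the brand the link text implies against the host the browser would really contact, and it flags the common ways a lookalike host is dressed up to read as Google. The trusted-domain table and every sample URL are constructed for illustration and are not from the campaign.

```python
"""Vet a chat link before clicking: does the host match the brand the text implies?

Added example. The trusted-domain table and all sample URLs are assumptions
constructed for illustration; none are attributed to the campaign described.
"""
from typing import Tuple
from urllib.parse import urlsplit

# Brands a lure might name, mapped to the registrable domains they legitimately use.
# Assumption for this example: a link presented as "Google" anything is expected
# to land under google.com; any other host is treated as suspect.
TRUSTED_DOMAINS = {
    "google": {"google.com"},
}


def actual_host(url: str) -> str:
    """Return the lower-cased host the browser will actually contact, or "".

    urlsplit() already defeats the userinfo trick ("https://google.com@evil.example"):
    "google.com" lands in .username and the real host "evil.example" in .hostname.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    return parts.hostname.lower().rstrip(".")


def is_under(host: str, domain: str) -> bool:
    """True only if host is domain itself or a label-aligned subdomain of it.

    Rejects "google.com.evil.example" (google.com is a prefix, not the suffix)
    and "evil-google.com" (no dot boundary before the trusted domain).
    """
    return host == domain or host.endswith("." + domain)


def vet_link(link_text: str, url: str) -> Tuple[bool, str]:
    """Return (suspicious, reason) for a link as it was shown in a chat."""
    host = actual_host(url)
    if not host:
        return True, "not an http(s) URL or no host present"
    if not host.isascii():
        # A homoglyph host (e.g. Cyrillic letters standing in for Latin ones)
        # never equals the real domain, but say so explicitly.
        return True, f"non-ASCII host {host!r}; possible homoglyph domain"
    implied = [brand for brand in TRUSTED_DOMAINS if brand in link_text.lower()]
    if not implied:
        return False, f"link text implies no known brand; host is {host}"
    for brand in implied:
        if any(is_under(host, d) for d in TRUSTED_DOMAINS[brand]):
            return False, f"{host} is a legitimate {brand} host"
    return True, f"link text implies {implied[0]} but host is {host}"


if __name__ == "__main__":
    # Constructed samples: one genuine link and three lookalike tricks.
    samples = [
        ("googlebook", "https://books.google.com/books?id=example"),
        ("googlebook", "https://accounts.google.com.signin-verify.example/login"),
        ("googlebook", "https://google.com@login.example/"),
        ("googlebook", "https://g\u043e\u043egle.com/"),  # Cyrillic "o" homoglyphs
    ]
    for text, url in samples:
        suspicious, reason = vet_link(text, url)
        print(("SUSPECT " if suspicious else "ok      ") + url + "  -> " + reason)
```

This catches the cheap tricks (subdomain stuffing, userinfo, homoglyphs, trailing dots) but not a compromised or freshly registered host that simply makes no brand claim in its name; for those, the article's own remedy applies: confirm the contact out of band, and check the link's hosting against known attacker infrastructure as CERTFA did.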

Live-action role playing by a trained, English-speaking impersonator over Zoom represents the next phase of an evolving Iranian hacking campaign. The “Distinguished Impersonator” tactic, first identified by CERTFA, moves past traditional tricks like phishing emails and instead presents targets with a more reassuring lure: a talking, seemingly authentic representation of a trusted public figure or colleague.

The campaign has previously impersonated reporters from The Wall Street Journal, CNN, and Germany’s Deutsche Welle to try to set up email interviews and phone calls. The impersonations are aimed at making targets feel comfortable enough to click through the malicious links the fakers send over.

“Charming Kitten,” affiliated with the IRGC, is best known for spying on dissidents, attempting to meddle in the 2020 U.S. presidential election, and trying to extort HBO with unreleased content from the hit series Game of Thrones. And they’re part of a broader Iranian hacking effort that has recently prompted a diplomatic feud with Albania and promises of retaliatory actions from the Biden administration.

This week, the government of Albania cut diplomatic ties with Iran after the revelation that Iranian hackers were responsible for a July 15 cyberattack on the Albanian government which destroyed data and cut off critical public services. The Biden administration also pledged that it “will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace,” following Albania’s announcement.

In the incidents documented by CERTFA’s most recent report, Iranian hackers posed as Washington, DC think tankers, including Paul Salem, the president of the Middle East Institute, and Hagar Hajjar Chemali, a sanctions scholar at the Atlantic Council. The fakers’ targets worked in “politics, media, human rights defenders and women rights activists who are experts in the Middle East” according to the researchers and were sent fake videoconference links “affiliated with other Charming Kitten servers and domains.”

In a statement shared with Rolling Stone, Salem said that “some of those who were targeted by these impersonation attempts are friends and colleagues who noticed the suspicious address and contacted me directly to confirm it was a fraud.” He added that the Middle East Institute “was not targeted directly” but it “took immediate steps to confirm that MEI-owned accounts were secured and filed a phishing report with the FTC.”

The hackers posing as Chemali were successful in taking over the account of an unidentified minority rights activist and used the account to send more malicious meeting links to the activist’s followers. CERTFA researchers also believe that hackers affiliated with Charming Kitten are likely behind a Twitter account purporting to be a human rights activist. The account, which uses a LinkedIn avatar stolen from an engineering student, “contacted journalists, human rights defenders and women rights activists” while pretending to work with Chemali seeking “the names of Iranian women’s rights activists living in Iran, Iraq and European countries who are seeking and eligible for financial support.”

And there are signs that there may be other victims out there. The link first dropped in the Zoom chat by the fake French biologist appears to have been used to target victims based in France. The servers hosted fake websites impersonating the French embassy in Iran and France24, a state-owned French news network which broadcasts in French, English, and Arabic.
