A group of hackers tied to Iran has been identified as the culprit behind a series of phishing attacks against current and former high-ranking U.S. officials connected to the 2015 Iran nuclear deal and this year’s resumption of sanctions by President Trump. The hacker group, nicknamed “Charming Kitten,” targeted former White House and State Department staff, more than a dozen employees of the Treasury Department, dozens of D.C. think-tank employees, Iranian atomic scientists and prominent Iranian citizens.
Among those targeted were Guy Roberts, assistant secretary of Defense for Nuclear, Chemical and Biological Defense Programs; Andrew J. Grotto, the former senior director for cybersecurity policy at the White House; and Jarrett Blanc, previously the State Department coordinator for the Iran nuclear implementation under President Obama.
“This is something I’ve been worried about,” Roberts told the AP.
In May, President Trump withdrew from the 2015 nuclear deal, and reinstated sanctions against the country’s oil exports, shipping and banks. The nuclear deal was struck by President Obama, and lifted decades-old sanctions against Iran in exchange for the country’s curbing of plutonium development and nuclear ambitions.
Frederick Kagan, a scholar at the American Enterprise Institute, was also targeted.
“Presumably, some of this is about figuring out what is going on with sanctions,” Kagan told the AP. “This is a little more worrisome than I would have expected.”
London-based cybersecurity group Certfa discovered last month that Charming Kitten had left one of its servers open, and found 77 personal Gmail and Yahoo email addresses that the hackers had targeted. The data was then turned over to the Associated Press for analysis. Certfa connected Charming Kitten to Iran in a recently published report.
“According to the samples of phishing attacks, the main trick used by these hackers to deceive their targets is that of sending fake alerts through email addresses such as email@example.com, firstname.lastname@example.org, customer]email-delivery[.]info etc. stating that unauthorised individuals have tried to access their accounts,” Certfa stated.