#BHUSA: The 9 Lives of the Charming Kitten Nation-State Attacker

Not all nation-state attacker groups use innovative techniques to be successful; some will just use the same tried and true techniques again and again.

In a session at Black Hat US 2021, a pair of researchers from IBM X-Force outlined how a nation-state group that IBM tracks as ITG18 continues to use the same techniques to attack victims. ITG18, which is alleged to be backed by Iran, is also known by the names other research groups have given it, including Charming Kitten, Phosphorus, and APT35.

Richard Emerson, senior threat hunt analyst at IBM X-Force, explained that his team was able to find an open file directory used by Charming Kitten and found a treasure trove of information about the group and how it operates. The directory included hours of training videos, detailing how members of the adversary group could infect and exfiltrate data from victims.

A hallmark of Charming Kitten's operations, according to Emerson, was the group's phishing attacks against personal, social media, and webmail accounts to support their espionage and surveillance objectives. Even after their efforts were discovered, Charming Kitten has continued to pounce on new victims.

In March 2019, Microsoft claimed that it significantly disrupted Charming Kitten, taking over 99 domains associated with the group. Emerson noted that in the months and years since, Charming Kitten has just registered new domains and has continued with the same basic tactics.

"This group does not seem to particularly care about public disclosure of their activities like other groups do, possibly because they continue to enjoy success with their tactics," Emerson said.

Among the tools used by Charming Kitten is one that the IBM researchers have named LittleLooter. Emerson explained that LittleLooter is a functionally rich backdoor that is capable of recording video, audio and phone calls, gathering information on call history and SMS messages, as well as gathering location data and browser history.

"With all this personal information taken from targets of interest, we can only guess at how it's been used by the Iranian government to further their objectives," Emerson said.

Charming Kitten is a Large Operation

Allison Wikoff, senior strategic cyber-threat analyst at IBM X-Force, noted that she is confident that Charming Kitten is a very large operation, in terms of the number of people involved.

For example, she noted that IBM has collected over 2,000 unique indicators associated with the group's activities and over 2 terabytes of data stolen from victims. The fact that the group has training videos also implies they are recruiting new members and have some turnover in their operations.

"They have consistently targeted Iranian journalists and researchers in country and abroad, but they've also gone after foreign targets like COVID researchers, nuclear regulators, US politicians and financial regulators, all depending on what's happening," Wikoff said.

How to Defend Against Charming Kitten

There are a number of different things organizations can do to help limit the risk from Charming Kitten. Wikoff emphasized that a key foundational step is to have multi-factor authentication on everything.

Additionally, Wikoff said that it's important for organizations to think about how to train employees to notice and report threats. In the case of Charming Kitten, as well as with other threat actors, she noted that personal resources are targeted, and as such the personal computing habits of employees can impact the organizational security of a company.

"We've seen they have the ability to mass collect information, not just off personal webmail accounts but also off of cell phones," Wikoff said. "They have hardly changed their tactics in the last four years and yet they continue to expand their targets and operations."