<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

The Hidden Claws of APT 35: Charming Kitten

Don’t let the disarming name fool you. Charming Kitten, also known as APT 35, Newscaster Team, Ajax Security Team, Magic Hound, and Phosphorus, is as dangerous as any other APT (advanced persistent threat) group out there. This group, operating as early as 2014, has conducted numerous high-profile spear-phishing attacks against targets around the world. Today, we will take a closer look into the tactics and motives of APT 35 while providing some strategies that could help organizations declaw the kitten.

A Not-So-Charming History of APT 35

The exact origins of APT 35 remain unknown, however the earliest traces of the group date back to 2014. Believed to be sponsored by the Iranian government and operated by the Islamic Revolutionary Guard Corps (IRGC), the first suspected Charming Kitten attack was linked to the 2014 Iranian presidential election. Early campaigns linked to APT 35 primarily targeted governments and militaries in South Asian and Middle Eastern countries. Their focus on these regions and more recent campaigns targeting Israeli media groups suggest a potential strategic interest aligned with Iranian foreign policy.

Some experts believe APT 35 might have emerged from pre-existing Iranian cyber operations. Charming Kitten demonstrates a level of sophistication and technical skill that suggests a well-established team. Their ability to adapt and develop new tools over time further reinforces this notion. The lack of definitive information surrounding APT 35's origins highlights the challenges in attributing cyberattacks. However, cybersecurity experts can build a clearer picture of this persistent threat actor by analyzing their targets, tactics, and techniques.

After the 2014 election tampering, activities continued in various small-scale attacks. It wasn’t until 2017 that APT35 was credited with larger campaigns. The following is a timeline of Charming Kitten’s notable activities:

  • 2014 Iranian Presidential Election Hack: In 2014, the Iranian presidential election website was hacked in an attempt to compromise the election outcome. While no group was explicitly tied to the event, it is now commonly believed that an early iteration of APT 35 was involved.
  • 2015 Attack on Gmail Accounts of Iranian Journalists and Activists: Charming Kitten was accused in a spear-phishing campaign targeting Iranian journalists and activists, compromising their Gmail accounts.
  • 2016 Telegram Hack: The group compromised the cloud-based instant messaging platform Telegram, gaining access to an estimated 15 million phone numbers and email addresses. Telegram denied the existence of the breach.
  • 2017 HBO Ransomware Attack: In 2017, television network HBO was subject to a large-scale ransomware attack. In the attack the hackers threatened to leak over 1.5 terabytes of data, including scripts and full episodes of unreleased shows such as Game of Thrones. They requested a $6 million ransom in bitcoin. The attack was linked to Behzad Mesri, a known member of an Iranian hacking group called the Turk Black Hat Security Team. Mesri and the HBO attack were then linked to Charming Kitten through another Turk Black Hat member, “ArYaIeIrAN”, who was known to provide infrastructure for Charming Kitten activity.
  • 2019 Indictment and Microsoft Involvement: In 2019, former United States Air Force intelligence officer Monica Witt was indicted by a federal grand jury on espionage charges. Witt, who defected to Iran in 2014, became involved in numerous Iranian espionage campaigns targeting U.S. intelligence operations and personnel. This indictment also included four Iranian nationals, including Behzad Mesri, who were charged with conspiracy, attempting to commit computer intrusion, and aggravated identity theft. As a direct result of this indictment, Microsoft took ownership of 99 DNS domains owned by the Iranian government-sponsored hackers, where direct ties to Charming Kitten were discovered.
  • 2020 Election Interference Attempts: Once Microsoft began investigating Charming Kitten, they discovered 2,700 attempts to gain information regarding targeted email accounts, which in turn led to 241 attacks and 4 compromised accounts. Microsoft determined that the attacks were aimed at the 2020 United States presidential election. Iranian officials denied any involvement in election tampering; however, Microsoft and other third-party cyber security firms maintain the belief that Iran, and more specifically APT 35, were directly behind the attempted interference due to the undeniable similarities in tactics, techniques, and procedures (TTPs) between the election tampering tactics and other previous Charming Kitten attacks.
  • 2022 - current: Since 2022, Charming Kitten has been linked to dozens of campaigns across various industries, countries, and interests. In that time, they have expanded into several different sub-groups operating under different names, such as PHOSPHORUS (the largest), APT42 (aka Yellow Garuda), NemesisKitten, Tortoiseshell (aka TA453), TA455 (aka Yellow DEV13), and ImperialKitten.

Nine Lives of Deception: Charming Kitten’s Common Attack Methods

Charming Kitten isn't generally known for brute force. Instead, they employ a more strategic approach, using a variety of methods to gain access to target systems and steal sensitive information. Here are nine of Charming Kitten’s commonly used tactics:

  • Social Engineering: APT 35 commonly uses sophisticated social engineering techniques, such as fake social media profiles and well-crafted spear-phishing emails to establish connections with targets, gain trust, and compromise accounts.
  • Spear Phishing: Spear phishing emails are carefully crafted messages that appear to come from legitimate trusted sources. In some cases, the emails even originate from fully legitimate email accounts that have been compromised for this purpose. These emails often contain malicious links or attachments to lure victims into revealing sensitive information or unknowingly download malware onto their systems.
  • Exploiting Known Vulnerabilities: APT 35 is known for quickly adopting new vulnerabilities such as the Microsoft Exchange Server ProxyShell vulnerabilities and the Log4Shell/Log4j vulnerability.
  • PowerShell-Based Tools: Charming Kitten commonly uses PowerShell scripts for many of its tools, such as the PowerLess Backdoor. PowerShell is a legitimate scripting language and automation framework built into the Windows operating system, which makes it much easier for the group’s tools to blend in with normal system activity and evade traditional security solutions like antivirus.
  • Custom Tool Sets: APT 35 develops and maintains a set of custom tools for its operations, including backdoors, keyloggers, and information stealers. These tools enable the group to maintain a persistent presence on the target’s network, gather sensitive information, and carry out objectives.
  • Operational Security: Charming Kitten is known for its strong OPSEC practices, using encryption, obfuscation, and proxy servers to maintain anonymity and avoid attribution. This makes the task of tracking the group’s activities very challenging for researchers and security professionals.
  • Multi-Stage Payloads: APT 35 often uses multi-stage payloads, deploying initial malware components that download and install additional malicious tools onto compromised systems. This helps the group evade detection as initial payloads are often obfuscated or disguised to appear innocent.
  • Malware Loaders: APT 35 routinely uses malware loaders to deploy other malicious components onto compromised systems, using various techniques to evade antivirus software and other security tools. Once a malware loader has infiltrated a system, they can download and install their custom toolsets.
  • Newscaster: While no longer in use, it would not be unusual to see this type of tactic used again in the future. Newscaster was a network of fake social media profiles used by Charming Kitten (resulting in the common alias Newscaster Team) for reconnaissance and social engineering. These profiles were used to establish connections with targets, build trust, and compromise accounts to gain access to sensitive data.

Mission Objectives: APT 35’s Goals

Many cybercrimes are linked directly to financial gain, but an allegedly state-sponsored group like Charming Kitten is an exception. It is important to note that the group was tied to the 2017 HBO ransomware attack, but that instance is linked to an individual with ties to Charming Kitten and likely was not fully sanctioned by the group. Generally, APT 35 primarily targets organizations and individuals for cyber espionage. These objectives often include:

  • Stealing sensitive information: This can include intellectual property, government secrets, military plans, or other confidential data.
  • Maintaining long-term access: APT 35 usually seeks to establish persistent access within target networks, enabling them to gather intelligence over extended periods.
  • Disrupting critical infrastructure: While less common, some experts believe they may possess the capability for disruptive attacks on critical infrastructure.

Don’t Get Cat-Phished: Strategies to Protect your Organization

While APT 35 does pose a significant threat, organizations can take some simple steps to mitigate the risk.

  • Employee Education: Train employees to recognize social engineering attempts and be cautious about clicking suspicious links or opening unknown attachments.
  • Patch Management: Prioritize timely patching of vulnerabilities in software and operating systems. Implement a vulnerability management program for continuous scanning and prioritization.
  • Multi-Factor Authentication (MFA): Enforce strong authentication measures like MFA for all user accounts, making it harder for attackers to gain access even with stolen credentials.
  • Network Segmentation: Segment your network to minimize the potential damage from a breach and limit an attacker's ability to move laterally.
  • Security Monitoring: Implement security monitoring solutions to detect suspicious activity within your network.
  • Incident Response Plan: Prepare a well-defined incident response plan that outlines steps to take in case of a cyberattack. Regularly test and update your plan.

Detecting Charming Kitten with Stamus Security Platform

The Stamus Security Platform (SSP) provides Declarations of Compromise for hundreds of covered threats — including APT 35 — ranging across 22 unique threat families. In the simplest terms possible, a Declaration of Compromise (often referred to as a DoC) is a high-confidence and high-priority security event generated by the Stamus Security Platform, signaling a “serious and imminent” threat on an asset. When SSP generates a DoC, it creates a data record that contains a substantial amount of metadata and associated artifacts that help the analyst understand exactly why it triggered and provide evidence for any investigation that may follow.

DoC coverage for Charming Kitten includes a description of the threat, additional related resources, and other associated groups. When APT 35 activity is identified on the network, SSP automatically generates a DoC, providing your analysts with a detailed attack timeline and key contextual metadata.

Stamus Security Platform users also receive a weekly threat intelligence update. These emails contain all of the additional threat detections added to the platform that week, as well as information on those threats. There have been several updates related to APT 35 in just the last few months (at the time of publishing). These updates can help SSP users stay informed on Charming Kitten’s latest tactics. Below is a screenshot of an APT 35 update (under the moniker Magic Hound) from 20 February 2024.

Charming Kitten: A Reminder That Appearances Can Be Deceiving

While Charming Kitten now regularly operates under various aliases, their tactics are still widely used by different sub-groups of Iranian cyber threat actors. By maintaining awareness of their tactics and continuing to equip ourselves against all types of cyber threats we can minimize the potential damage caused by these types of threat actors.

Stamus Security Platform users are well-equipped to detect modern APT 35 variations, but our threat research teams continue to issue new threat intelligence in response to the evolution of this and other APT groups. Subscribe to our weekly threat intelligence update to receive information on changes to Stamus Security Platform’s APT detections as well as other novel threats and techniques. You can view the historical archive of these threat intelligence updates on our website here.

To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.

Dallon Robinette

Schedule a Demo of Stamus Security Platform