In a spearphishing campaign, credentials of medical professionals were stolen, and the campaign has been linked to the Charming Kitten APT.
The real aim of the hackers behind the spearphishing campaign known as ‘BadBlood’ was to steal the credentials of medical professionals, and the campaign has now been attributed to the Charming Kitten APT.
In December 2020, the Iranian hacking group known as “Phosphorus” or “Charming Kitten” began targeting about 25 senior medical researchers working in genetics, neurology and oncology in the United States and Israel, according to the cybersecurity firm Proofpoint.
BadBlood Campaign
Charming Kitten, which Proofpoint tracks as TA453, usually targets academics, dissidents, journalists and diplomats. In BadBlood, however, the group departed from that pattern and went after senior medical researchers.
The campaign follows a year of escalating cyberattacks on hospitals, academics and other organisations during the COVID-19 pandemic, in which state-backed groups from countries such as China have played a prominent role. Factors such as COVID-19 vaccine research have made medical researchers an increasingly attractive target.
BadBlood is merely the latest addition to that list. Researchers have not stated a definitive motive for the campaign; the prevailing view is that it was a one-off operation to collect information that could feed further phishing campaigns.
The Charming Kitten APT group
Charming Kitten is an Iran-backed APT group that has been active since at least 2014. It is best known for cyberespionage, with some 240 malicious domains, at least 85 IP addresses and hundreds of fake identities attributed to its infrastructure.
Last year Microsoft reported that the same group had targeted more than 100 high-profile invitees to the Munich Security Conference and the Think 20 Summit in Saudi Arabia with spoofed invitation emails. Charming Kitten has also been linked to attacks on the reelection campaign of former US President Donald Trump. That report came a year after Microsoft accused Phosphorus of attempting to compromise hundreds of Microsoft accounts, including some belonging to staff of an unnamed US presidential campaign.
Modus Operandi
Proofpoint researchers described the victims in a blog post as “extremely senior staff at a variety of medical research organisations”, and assessed that the campaign was likely part of an intelligence collection operation as well as a product of the ongoing tensions between Iran and Israel.
The attackers sent phishing emails that led targets to a website imitating a Microsoft login page in order to harvest their account credentials. An unsuspecting user who clicks the link lands on a page that imitates Microsoft’s OneDrive service and shows a PDF icon labelled “CBP-9075.pdf”. The icon does not open a document: clicking it brings up a forged Microsoft login page that captures whatever username and password the victim enters, according to Proofpoint researchers. For the target, the reliable check at each step is the hostname of the page asking for the password: a genuine Microsoft sign-in is served from Microsoft’s own login domains, which a look-alike site cannot use.
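The two-stage lure described above can be checked mechanically when a suspicious page is fetched for triage. The script below is an added example, not code from Proofpoint or from the campaign: it parses a page, and flags a Microsoft/OneDrive-branded page that either advertises a “.pdf” link whose target is neither a PDF nor hosted by Microsoft (stage one) or contains a password form that posts to a host outside a small allow-list of Microsoft login domains (stage two). The allow-list, the brand keywords and the three sample pages (including every hostname in them) are constructed assumptions for illustration; the match on hosts is exact, so a look-alike such as `login.microsoftonline.com.attacker.example` does not pass.

```python
"""Heuristics for a BadBlood-style credential lure (added example; the HTML
samples, hostnames and allow-list below are constructed, not real infrastructure)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: a minimal allow-list of hosts that legitimately receive Microsoft
# account credentials or serve OneDrive/SharePoint files. Extend it from your own
# sign-in telemetry. Membership is exact, so subdomain look-alikes never match.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
MICROSOFT_FILE_HOSTS = {"onedrive.live.com"}
MICROSOFT_FILE_SUFFIXES = (".sharepoint.com",)
BRAND_WORDS = ("microsoft", "onedrive", "office 365", "outlook")


def _host(page_url, target):
    """Host of `target` resolved against the page URL, lower-cased ('' if none)."""
    return (urlsplit(urljoin(page_url, target)).hostname or "").lower()


def _is_microsoft_file_host(host):
    return host in MICROSOFT_FILE_HOSTS or host.endswith(MICROSOFT_FILE_SUFFIXES)


class _PageCollector(HTMLParser):
    """Collect forms (action + password-field flag), links (href + label) and visible text."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self.text = [], [], ""
        self._form = self._link = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True
        elif tag == "a":
            self._link = {"href": a.get("href", ""), "label": ""}
            self.links.append(self._link)
        elif tag == "img" and self._link is not None:
            self._link["label"] += " " + a.get("alt", "")  # alt text of a PDF icon is part of the label

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "a":
            self._link = None

    def handle_data(self, data):
        self.text += data
        if self._link is not None:
            self._link["label"] += data


def assess_page(page_url, html):
    """Return a list of findings for one fetched page; an empty list means nothing matched."""
    p = _PageCollector()
    p.feed(html)
    findings = []
    if not any(w in p.text.lower() for w in BRAND_WORDS):
        return findings  # unbranded pages are out of scope for this lure
    # Stage 2: a Microsoft-branded sign-in form that sends the password somewhere else.
    for form in p.forms:
        if form["has_password"]:
            host = _host(page_url, form["action"])
            if host not in MICROSOFT_LOGIN_HOSTS:
                findings.append(f"branded password form posts to {host}")
    # Stage 1: a link dressed up as a PDF that is neither a PDF nor served by Microsoft.
    for link in p.links:
        if link["label"].strip().lower().endswith(".pdf"):
            path = urlsplit(urljoin(page_url, link["href"])).path
            host = _host(page_url, link["href"])
            if not path.lower().endswith(".pdf") and not _is_microsoft_file_host(host):
                findings.append(f"PDF-labelled link leads to {host}{path}")
    return findings


# Constructed samples: a OneDrive look-alike lure, the forged sign-in page behind it,
# and a page whose form really posts to a Microsoft login host.
LURE_PAGE = """<html><head><title>OneDrive - Shared file</title></head><body>
<a href="https://files.example-share.net/open?doc=CBP-9075"><img src="pdf.png" alt="PDF"> CBP-9075.pdf</a>
</body></html>"""
FAKE_LOGIN_PAGE = """<html><head><title>Sign in to your Microsoft account</title></head><body>
<form action="/auth/collect.php" method="post">
<input type="email" name="loginfmt"><input type="password" name="passwd"><button>Sign in</button>
</form></body></html>"""
REAL_LOGIN_PAGE = """<html><head><title>Sign in to your Microsoft account</title></head><body>
<form action="https://login.microsoftonline.com/common/login" method="post">
<input type="password" name="passwd"></form></body></html>"""

if __name__ == "__main__":
    for url, page in [("https://drive-share.example.net/s/x9", LURE_PAGE),
                      ("https://drive-share.example.net/auth/", FAKE_LOGIN_PAGE),
                      ("https://login.microsoftonline.com/common/oauth2/authorize", REAL_LOGIN_PAGE)]:
        print(url, "->", assess_page(url, page) or "clean")
```

The page URL matters because relative form actions such as `/auth/collect.php` resolve against the host the victim is actually on, which is exactly the off-brand host the lure is trying to hide; resolving with `urljoin` before comparing hosts is what makes that visible. Treat the findings as triage signals rather than verdicts: legitimate third-party file-sharing services will also trip the stage-one rule.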
Conclusion
BadBlood is not the first campaign of its kind, but it does signal a shift in TA453’s targeting priorities. Further analysis will reveal more about the group’s intentions in the medical sector. In the meantime, organisations in that sector must strengthen their security posture before Charming Kitten causes further damage.
Recognising phishing emails has become a basic skill in today’s world, as no one is immune to such attacks.