Security News > 2021 > July > ‘Charming Kitten’ APT Siphons Intel From Mid-East Scholars

The threat actor is Charming Kitten - aka a number of names, including TA453, APT35, Ajax Security Team, NewsBeef, Newscaster and Phosphorus.

Operation SpoofedScholars shows TTPs that are also similar to previous TA453 campaigns and "Consistency with TA453's historical targeting," the analysts wrote, including using free email providers to spoof individuals familiar to their targets.

According to Proofpoint, the campaign started in early 2021 with the concoction of a bogus scholar: a "Senior Teaching and Research Fellow at SOAS University in London." TA453 hijacked a real scholar's name, then set up a like-alike email address for the persona, whom we'll refer to as Dr. Utterly Bogus, in order to spark conversations with targets.

TA453 wanted to talk with the target via phone to discuss the invitation, but the target was too slippery: The intended victim "Hedged and emphatically stated that they wanted a written proposal with the details," researchers described.

It's a good bet that TA453 planned to validate those credentials "Immediately," they hypothesized: "Based on the variety of email providers along with TA453's insistence that the target log on when TA453 was online, Proofpoint assesses that TA453 was planning on immediately validating the captured credentials manually."

"While some of the identified selectors no longer appear to be active in TA453 operations, Proofpoint assesses with high confidence that TA453 will continue to spoof scholars around the world in support of TA453's intelligence collection operations in support of Iranian government interests. Academics, journalists, and think tank personnel should practice caution and verify the identity of the individuals offering them unique opportunities."

News URL

https://threatpost.com/apt-ta453-siphons-intel-mideast/167715/