Black Hat: Charming Kitten Leaves More Paw Prints

2021-08-05 14:16

LAS VEGAS - The suspected Iranian threat group that IBM Security X-Force calls ITG18 and which overlaps with the group known as Charming Kitten keeps leaving a trail of paw prints.

On Wednesday, in a session titled "The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker," X-Force researchers Allison Wikoff and Richard Emerson said you just have to laugh about all the errors the group keeps making.

X-Force expects ITG18 operations to persist despite all the publicity the threat actor has gotten due to its lousy opsec and stolen data, she continued, which speaks to the group's ability to just keep doing what it's been doing for so long.

The fact that Charming Kitten is so efficient at training newbies might mean a few things, Wikoff suggested during the session: It could be that the group has a large staff, and/or it could be that they have a good amount of worker turnover.

Between August 2020 and May 2021, X-Force has also observed ITG18 successfully compromising multiple victims aligned with the Iranian reformist movement, "Probably to monitor group activity around the Iranian presidential election in June," Wikoff hypothesized.

Google and Yahoo are unsurprising targets, but Charming Kitten isn't fussy: The group gobbles up anything.

News URL

https://threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/

#blackhat