#BHUSA: The 9 Lives of the Charming Kitten Nation-State Attacker


Not all nation-state attacker groups use innovative techniques to be successful; some will just use the same tried and true techniques again and again.





In a session at Black Hat US 2021, a pair of researchers from IBM X-Force outlined how a nation-state group that IBM refers to as ITG18 continues to use the same techniques to attack victims. ITG18, which is alleged to be backed by Iran, is also known by names given to it by other research groups, including Charming Kitten, Phosphorus, and APT35.





Richard Emerson, senior threat hunt analyst at IBM X-Force, explained that his team found an open file directory used by Charming Kitten, which held a treasure trove of information about the group and how it operates. The directory included hours of training videos detailing how members of the adversary group could infect victims and exfiltrate data from them.





A hallmark of Charming Kitten's operations, according to Emerson, is the group's phishing attacks against personal, social media, and webmail accounts to support its espionage and surveillance objectives. Even after its efforts were discovered, Charming Kitten has continued to pounce on new victims.





In March 2019, Microsoft claimed that it had significantly disrupted Charming Kitten by taking control of 99 domains associated with the group. Emerson noted that in the months and years since, Charming Kitten has simply registered new domains and continued with the same basic tactics.





"This group does not seem to particularly care about public disclosure of their activities like other groups do, possibly ..
