According to the cyber security research lab Certfa, Iran-backed hackers targeted U.S. government officials, think-tank employees and nuclear scientists around the world.
The hackers used sophisticated "phishing attacks through email or social media and messaging accounts of public figures." The attackers allegedly also managed to get past two-factor authentication.
According to an AP report, Certfa recovered a partial list of 77 Yahoo and Gmail addresses that the hackers had accidentally left exposed on one of their servers.
Certfa researchers attribute the attack to the hacking group Charming Kitten because the "domain names and servers of this campaign are very similar to the methods" of Charming Kitten. Although the group used virtual private networks to mask its location, Certfa says it managed to trace some of the IP addresses to Iran.
The list of 77 emails was discovered in November, but there are no details as to when the scheme took place. The hacking appears to go back to the Obama years, but it is not clear when it ended or whether it continued until recently.
Allison Wikoff, a researcher at Atlanta-based Secureworks who previously also investigated the Iran-backed "Mia Ash" campaign, came to the same conclusion about the origins of this campaign.
The hackers mimicked the look of the Yahoo and Gmail login pages and crafted careful spear-phishing emails that directed victims to these pages.
By hosting the fake pages on Google Sites, the hackers made it appear that users really were on a Google or Yahoo website, since the pages lived on a genuine google.com subdomain. Using images embedded in the emails, the group could also follow in real time when a user opened an email.
This is also how they got past two-factor authentication. After the victim entered a password on the fake login page and was prompted for the one-time authentication code, the victim was directed to another fake page, identical to the Yahoo or Gmail prompt, to enter that code. Because the attackers were watching in real time, they could use the password and the code before the code expired.
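The two mechanics described above, a remote tracking image that reports opens and a link whose visible text claims to be a Google or Yahoo sign-in while its target is a Google Sites page, are both visible in the raw HTML of the lure. The following scanner is an added example written for this article; it is not Certfa's tooling or anything from the AP report. The email body is a constructed sample, the allowlist of legitimate sign-in hosts is an assumption, and the tracking-pixel heuristics (1x1 dimensions or a per-recipient query token) are the common ones rather than a claim about this campaign's exact images.

```python
"""Flag open-tracking images and brand-lookalike sign-in links in an HTML email.

Added example, not part of the original article. Uses only the standard library.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts a genuine Google/Yahoo sign-in comes from.
# Exact matching matters: a suffix test such as host.endswith("google.com")
# would accept sites.google.com, which is exactly what the campaign abused.
LEGIT_LOGIN_HOSTS = {"accounts.google.com", "mail.google.com", "login.yahoo.com"}
BRANDS = ("google", "gmail", "yahoo")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none (e.g. mailto:)."""
    return (urlparse(url).hostname or "").lower()


class _MailScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # list of (kind, detail) tuples
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            src = a.get("src", "")
            remote = host_of(src) != ""
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            tokenised = "?" in src  # per-recipient id lets the sender see who opened
            if remote and (tiny or tokenised):
                self.findings.append(("tracking_pixel", src))
        elif tag == "a":
            self._href = a.get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            href_host = host_of(self._href)
            # Visible text may itself be a URL; compare the host it shows.
            shown_host = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
            brand_in_text = any(b in text.lower() for b in BRANDS)
            if href_host == "sites.google.com":
                self.findings.append(("google_sites_link", self._href))
            if (brand_in_text or shown_host) and href_host not in LEGIT_LOGIN_HOSTS:
                self.findings.append(("lookalike_link", f"{text!r} -> {self._href}"))
            self._href, self._text = None, []


def scan_email(html):
    """Return [(kind, detail), ...] for every suspicious image or link found."""
    scanner = _MailScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample lure: a fake security alert pointing at a Google Sites page
# while displaying a real-looking accounts.google.com URL, plus a 1x1 open tracker.
SAMPLE_EMAIL = """
<html><body>
<p>Your Google account was accessed from a new device. Verify now:</p>
<p><a href="https://sites.google.com/view/account-verify-x7/">https://accounts.google.com/signin</a></p>
<img src="https://track.example.net/o.gif?id=7f3a9" width="1" height="1">
<p>Regards, Google Team</p>
</body></html>
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """
<html><body>
<p><a href="https://accounts.google.com/signin">Sign in to Google</a></p>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_email(SAMPLE_EMAIL):
        print(f"{kind:18} {detail}")
    print("benign findings:", scan_email(BENIGN_EMAIL))
```

The important design choice is the exact-match allowlist. The lure's link target is a real Google-owned host, so any check based on "does the domain end in google.com" or on a valid TLS certificate passes; only a comparison against the specific hosts a sign-in is allowed to come from, plus the mismatch between what the anchor shows and where it goes, separates the lure from a genuine alert.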
A nuclear scientist at Pakistan's Ministry of Defense, a senior employee of the Research and Training Reactor in Jordan and a high-ranking scientist from Syria were also revealed to have been targeted.
According to AP, Guy Roberts, the U.S. Assistant Secretary of Defense for Nuclear, Chemical, and Biological Defense Programs, was one of the U.S. officials targeted.
The group also targeted staff of the National Security Council and former Obama administration officials who had been involved in the Iran nuclear negotiations. Thirteen U.S. Treasury officials, including the director of the Financial Crimes Enforcement Network, which tracks terror financing, were also among the targets.
In March 2018 the Department of Justice indicted nine Iranians for conducting a "massive cyber theft campaign" on behalf of the IRGC. In November, two more Iranians were indicted over a ransomware scheme that targeted computer systems at hospitals in the United States. Iran has denied being engaged in malicious hacking.