Microsoft Hurts Charming Kitten (aka the APT35 Iran Hacking Group)

Microsoft has damaged a hacking group thought to be run by the Iranian military. APT35—also known as Charming Kitten, Ajax and Phosphorus—has now lost control of 99 internet domains it was using in spear-phishing attacks on journalists and activists.

Redmond’s finest had to ask a court to grant it control of the malicious Purr-sian domains, such as outlook-verify.net. Now it is able to prevent web users from being phished and can collect valuable intelligence on APT35’s naughty tactics.
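Lookalike domains such as outlook-verify.net are the kind of thing a defender can flag in their own resolver logs long before a court order lands. The following is an added example, not code from the article or from Microsoft: it scans constructed dnsmasq-style DNS query lines for hostnames that borrow a brand name without being that brand's registrable domain, and tags each hit with a placeholder sinkhole address in the spirit of the redirect described above. The brand list, allow-list, log format and sinkhole IP are all assumptions for the example.

```python
import re

# Constructed list of brand tokens whose appearance in a non-brand domain is suspicious.
BRANDS = ("outlook", "microsoft", "yahoo", "google")
# Constructed allow-list of registrable domains those brands legitimately use.
LEGIT = {"outlook.com", "microsoft.com", "live.com", "yahoo.com", "google.com",
         "office.com", "microsoftonline.com"}
# Placeholder sinkhole address (TEST-NET-1), where a blocking resolver would answer instead.
SINKHOLE_IP = "192.0.2.1"

def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Adequate for .com/.net samples used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def brand_impersonation(host):
    """Return the brand a hostname appears to impersonate, or None if it is legitimate."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in LEGIT:
        return None  # e.g. login.yahoo.com really is Yahoo
    for label in host.split("."):
        for brand in BRANDS:
            if brand in label:  # e.g. 'outlook-verify' contains 'outlook'
                return brand
    return None

# Assumed dnsmasq-style query line: "query[A] host from client"
LOG_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<host>\S+) from (?P<client>\S+)")

def scan_dns_log(lines):
    """Return one finding per query for a brand-lookalike host, with the sinkhole answer."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        brand = brand_impersonation(m["host"])
        if brand:
            findings.append({"client": m["client"], "host": m["host"].lower(),
                             "brand": brand, "answer": SINKHOLE_IP})
    return findings

# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "query[A] outlook-verify.net from 10.0.0.5",
    "query[A] login.yahoo.com from 10.0.0.5",
    "query[A] accounts.google.com from 10.0.0.7",
    "query[A] yahoo-mail-support.com from 10.0.0.7",
    "query[AAAA] mail.example.org from 10.0.0.9",
]

if __name__ == "__main__":
    for finding in scan_dns_log(SAMPLE_LOG):
        print(finding)
```

The substring match is deliberately crude; in production you would pair it with a public-suffix list and a homoglyph check so that punycode and character-swap lookalikes are caught as well.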

Go back to sleep, tiny cat. In today’s SB Blogwatch, we destroy your furniture.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: two-minute paper.


Me? Ow.

What’s the craic? Paul Thurrott—“Microsoft Takes Control of 99 Websites Linked to Hacker Group”:

 Microsoft announced this week that it was granted a court order giving it control of 99 websites tied to an Iranian hacker group. … “Phosphorus” is also known as APT 35, Charming Kitten, and the Ajax Security Team.

Microsoft has been tracking it since 2013. The group is known to have infiltrated the computer systems of activists, journalists, businesses, and governments and stolen information.

Microsoft credits other technology firms, including Yahoo and various domain listing companies, for partnering with it on its investigation.

Want more? Here’s Zack Whittaker—Microsoft sues:

 Microsoft … applied to the court in order to take control of 99 websites used by the hacker group. … The court granted the motion earlier this month but it was unsealed this week.

[It] allowed Microsoft to … host the domains on Microsoft’s own servers … and redirect malicious traffic safely into a … sinkhole.

APT 35 … is believed to be linked to former U.S. Air Force counter-intelligence officer Monica Witt, who defected to Tehran in 2013 and is now wanted by the FBI for alleged espionage. The hackers have targeted academics and journalists with spearphishing campaigns designed to look like Yahoo and Google login pages but can defeat two-factor authentication.

But how? Microsoft’s Tom Burt unveils “New steps to protect customers from hacking”:

 Microsoft … has executed to disrupt cyberattacks from a threat group we call Phosphorus. … Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013. Its activity is usually designed to gain access to the computer systems of businesses and government agencies and steal sensitive information.

Its targets also include activists and journalists – especially those involved in advocacy and reporting on issues related to the Middle East. [It uses] social engineering to entice someone to click on a link, sometimes sent through fake social media accounts that appear to belong to friendly contacts. The link contains malicious software that enables Phosphorus to access computer systems.

The action … enabled us to take control of websites that are core to its operations. [It] is similar to cases we’ve filed against another threat group called Strontium. We have used this approach 15 times to take control of 91 fake websites.

Stronti-who? Dina Bass notes some more context—“Microsoft Takes on Another Hacking Group”:

 Strontium [is] linked to the Russian military.

Facebook Inc. said … that it has removed hundreds of pages, groups and accounts connected to Iran for impersonating political groups and media organizations in an attempt to influence political thought in countries around the world.

Sounds bad. Here’s a line from Jacqueline Thomsen on suspected Iranian hackers:

 Charming Kitten … uses spear-phishing attacks on its targets, tricking users into clicking a link that then distributes malware and gives hackers access to the user’s systems and networks. The same technique was used in the 2016 hack of John Podesta, then the chairman of Democratic nominee Hillary Clinton’s presidential campaign.

Attacking activists and journalists is bad enough, but might this border on warfare? Here’s xenobyte:

 It’s … likely that they were seeking to … gain a foothold inside vital companies, energy distribution and other essential systems. They could then sabotage their operation as an act of (covert) war.

This is pretty much SOP for military intelligence services worldwide.

So we need more sanctions? Careful with that ax Eugene, as boomboomsubban seems to say:

 It’s important to remember that US actions have consequences. … No matter how poorly you think the Iranian government is behaving, our actions toward their country have led to hundreds of thousands of dead Iranians over the years. … Further intrusion will likely cause tremendous suffering for their citizens.

The US provided arms to both sides of the Iraq-Iran war, which killed hundreds of thousands of Iranians. This is in addition to a host of other actions the US had taken that led to more death.

Decades of the US backed regime is what led to the Iranian revolution, which was just the tail end of Western powers looting Iran. A return to those conditions is what is still required of Iran to escape sanctions.

Back to the matter in hand. Kevin Poulsen has been digging through the court filing, and notices one particular screenshot:

 How did Microsoft get access to the dashboard for Iran’s spear phishing campaigns? Was this thing just sitting open with no authentication?

And Andrew—@QW5kcmV3—is entertained:

 It does entertain me that the Iranian APTs are numbered in order of skill, even if it was not on purpose. APT33, APT34, APT35, and APT39. APT39 is the most innovative out of these groups in my opinion. They always have nice little surprises waiting, and they resist hard.

Every time I see an adversary resisting, I imagine a cat trying not to get dunked in a body of water. … It’s kind of funny … but obviously only after it’s done. Like no, this is happening. Don’t fight it.

I guess the takeaway for offense is if you’re going to pretend to be a powerful corporation, eventually that powerful corporation will come after your C2 domains. Great work all around. Emphasizes a point though. Don’t piss off surveillance. #RedLessons

Meanwhile, LordHighExecutioner makes the gag we were surely all thinking about:

 99 domains from Iran on the net.
Take one down and pass it around,
98 domains from Iran on the net.

98 domains from Iran on the net …

And Finally:

This AI Learned to “Photoshop” Human Faces

Adversarial networks FTW!


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Luis Wilker Perelo via (Pixabay)

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.