Iranian-state-aligned threat actor targets new victims in cyberespionage and kinetic campaigns – Proofpoint research
December 2022 by Proofpoint
Cybersecurity researchers at Proofpoint have released new threat intelligence on the Iranian state-aligned threat actor TA453 (AKA Charming Kitten, PHOSPHORUS, APT42), showing how the group has deviated from its traditional phishing techniques and is targeting new victims.
The research has found that:
• TA453 has engaged in campaigns that deviate from the group’s expected phishing techniques and victimology, using compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds, from medical researchers to realtors to travel agencies.
• While most campaigns focused on collecting intelligence, some activity also indicates a possible directive to support covert and even kinetic operations by the IRGC, including targeting former military personnel with intimidation tactics and kidnap threats. The group was also seen supporting an IRGC murder-for-hire plot.
• TA453 has leveraged one persona in particular, ‘Samantha Wolf’, for confrontational social engineering lures that exploit a target’s sense of uncertainty and fear to get them to respond to the threat actor’s emails. This persona targeted US and European politicians and government entities, a Middle Eastern energy company, and a US-based academic.
Sherrod DeGrippo: “The Iran-aligned threat actor TA453 has been quite busy over the past few years. In 2022 alone Proofpoint researchers have observed this group using a social engineering technique we’ve dubbed Multi-Persona Impersonation, and now we’re sharing our observations on campaigns where TA453 deviated from their standard operations. They are attacking new targets with new techniques and with more hostile intent. All this serves as a window into aims of the Islamic Revolutionary Guard Corps (IRGC) and the flexible mandate under which TA453 works.”