Behzad Mesri

Behzad Mesri, the Iranian national the US has accused of hacking HBO this year, is part of an elite Iranian cyber-espionage unit known in infosec circles as Charming Kitten, according to a report released yesterday by Israeli firm ClearSky Cybersecurity.

Known as an APT (Advanced Persistent Threat), this group has been active since 2013 and is believed to be operating under the protection of the local Iranian government.

The group's activities have been first exposed in March 2014, when US cyber-security firm FireEye published a report entitled "Operation Saffron Rose."

Charming Kitten —also tracked under various codenames such as Newscaster, NewsBeef, Flying Kitten, and the Ajax Security Team— was one of the most active Iran-based cyber-espionage units at the time, but once the FireEye report went public, the group dismantled its infrastructure and went dormant.

Subsequent research published by Iran Threats and ClearSky show that parts of the old Charming Kitten infrastructure, such as malware and credential theft resources, have been reused by another Iranian cyber-espionage unit named Rocket Kittens, and possibly more.

Various experts have pointed out that most of these groups are most likely operating under the protection and guidance of Iranian military, hence the reason why some resources are used not by one or two, but multiple APTs.

According to the official indictment, US officials said Mesri worked for the Iranian military, but that he also lived a separate life as a hacker. Evidence shows that Mesri defaced hundreds of websites and most likely carried out the HBO hack outside of his role in the Charming Kittens operations, most of which have targeted Iranian dissidents.

Mesri had connections to other Charming Kitten members

The 59-page ClearSky report released yesterday shows a web of connections between Mesri and other members of the Charming Kitten espionage unit, including connections to a hacktivist group known as the Turk Black Hat Security hacking group, where Mesri operated under the pseudonym of "Skote Vahshat," together with other persons linked to Iranian APTs.

Besides Charming Kitten and the subsequent Rocket Kitten incarnation, Iran is home to other APT groups such as OilRig [1, 2], CopyKittens, and Magic Hound (Cobalt Gypsy, Timberworm), all very active.

In fact, Iranian actors are some of the most active groups around, albeit far from the most sophisticated. Their usual targets are businesses, human rights groups, individuals, and nearby governments of interest or at odds with the Iranian government — such as Saudi Arabian companies and government agencies, or Israeli military and government targets.

According to multiple reports, the Charming Kittens group of which Mesri is suspected of being a member, operated using mundane spear-phishing and watering hole attacks, and targeted individuals using made-up organizations and people, fake news sites, or by impersonating real companies.

The group was not sophisticated like US, Chinese, or Russian counterparts, but persisted with attacks until they got access to their targets' email inbox and social media accounts, most likely to gather information on a person's past or upcoming plans.

HBO hack was Mesri acting alone

The current thinking is that Mesri may have conducted the HBO hack and subsequent $6 million extortion attempt separate from Charming Kitten operations.

The HBO hack involved repeated contact with media organizations in order to promote the hack and put pressure on HBO in paying a ransom. On the other hand, Charming Kitten ops were never financially motivated, had an espionage and intelligence-gathering component, and have always tried to remain under the radar as much as possible.

Mesri remains at large in Iran. Iranian officials have not responded to the US charging one of their military personnel.

Related Articles:

Iranian Hackers Charged in March Are Still Actively Phishing Universities

APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild

Domestic Kitten APT Operates in Silence Since 2016

White-Hats Go Rogue, Attack Financial Institutions

Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack