An Iranian cyber-espionage group attempted to pose as one of the cyber-security firms that exposed its previous hacking campaigns in an effort to spear-phish people interested in reading reports about it.

The group —also known as an advanced persistent threat (APT) in infosec jargon— is known by security experts under the codenames of Charming Kitten, Newscaster, or Newsbeef.

Iranian APT registered lookalike domain

According to Israeli cyber-security firm ClearSky Security, the company says the Iranian APT copied its official website and hosted on a lookalike domain at clearskysecurity.net (the official ClearSky website is located at ClearSkySec.com).

"Charming Kitten built a phishing website impersonating our company," ClearkSky said yesterday. "They copied pages from our public website and changed one of them to include a 'sign in' option with multiple services."

ClearSky fake website

"These sign-in options are all phishing pages that would send the victim's credentials to the attackers," ClearSky said. "Our legitimate website does not have any sign in option."

Clone website was never finished nor used

At the time ClearSky researchers spotted the fake website, the Iranian group was still working on the site.

"It seems that the impersonating website is still being built because some of the pages have error messages in them," ClearSky said.

Furthermore, the group was hosting the fake clearskysecurity.net domain on an older server that ClearSky had ousted on June 12. ClearSky says it found web pages from that older campaign hosted on the clearskysecurity.net domain, a clear sign that the Charming Kitten APT was behind the fake website.

As the website was not finished, ClearSky doesn't believe the Iranian hackers managed to phish anyone yet. The website didn't live long, as it was marked as a suspicious site via the Safe Browsing API soon after its discovery, and was taken down entirely after a few hours.

Charming Kitten is one of Iran's oldest APTs

The Charming Kitten APT is one of the first Iran-based nation-state hacking groups detected in the wild. The group has been very active in recent years, being behind the Saffron Rose, Newscaster, StoneDrill, and many other hacking campaigns.

The group has historically targeted Israeli and US targets and has primarily used spear-phishing tactics to do so. It deviated from its tactics last year when it created the StoneDrill wiper.

Behzad Mesri, the Iranian national charged in the US with hacking HBO and stealing Game Of Thrones files is believed to have been part of the Charming Kitten APT.

Charming Kitten is one of Iran's many cyber-espionage groups, which also include Rocket Kitten (which many security firms consider to be Charming Kitten 2.0), CopyKitten, OilRig, and Magic Hound.

Initially, these hacking groups were made up of military personnel and private sector contractors, and each group operated separately. But in recent years, the lines between these groups have started to blur, as they began to share the same operational resources, such as phishing toolkits, servers, and most likely their personel.

Related Articles:

APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild

State-Sponsored Actors Focus Attacks on Asia