Hackers with ties to the Iranian government targeted officials from other countries involved in implementing sanctions, as well as activists and journalists, with a phishing campaign, according to a report from London-based cybersecurity group Certfa.
The targets included atomic scientists and US Treasury officials, as well as supporters and detractors of the Iran nuclear deal rolled back this year by President Donald Trump, according to the AP, which earlier reported on the research. The campaign, which Certfa said was run by a hacking group nicknamed Charming Kitten, started four weeks before the Trump administration reinstated sanctions against Iran in November, the researchers found.
"In other words, hackers who are supported by the Iranian government pick their targets according to policies and international interests for the Iranian government," Certfa researchers wrote in their report.
The Iranian government didn't immediately respond to a request for comment.
The reported campaign underscores the degree to which government-sponsored hackers still rely on tricking email users into handing over their email usernames and passwords. The alleged phishing campaign aimed to bait targets into handing over their credentials and then went further, asking victims to provide one-time codes, such as texted and app-generated codes, used as a second form of authentication.
To add a look of legitimacy to their campaign, the hackers in some cases directed victims to open websites hosted on Google Sites pages before entering their usernames and passwords, Certfa said. The researchers said they notified Google of the pattern, and Google deactivated the hackers' pages hosted on the company's service. Google didn't immediately respond to a request for comment.
The AP reached out to targets identified in Certfa's research and learned many of them had recently received phishing messages.
It isn't clear how many victims fell for the phishing scheme, and it appears the hackers were discovered because they made a basic error. According to the AP, they left a database of information unsecured on the internet, allowing researchers to find it and extract details of their phishing campaign.