Moreover, our technical reviews reveal that the individuals involved in this campaign used Virtual Private Networks (VPNs) and proxies with Dutch and French IP addresses to hide their real location. In spite of these efforts, we have uncovered enough evidence to prove that the attackers were using their real IP addresses (i.e. 89.198.179[.]103 and 31.2.213[.]18, from Iran) during the preparation phase of their campaign.

Also, some domain names and servers of this campaign are very similar to the methods, techniques and targets that have been used by Charming Kitten, a group of hackers linked to the Iranian government. Consequently, we believe Charming Kitten and the Iranian hacker(s) belonging to this group have returned and launched new cyber attacks against various people around the world, with a particular focus on Israeli and American citizens.


Conclusion

Phishing attacks are the most popular method of stealing data and hacking accounts amongst Iranian hackers, but the most significant fact about this campaign is its timing. The campaign was launched weeks before 4 November 2018, the date on which the U.S. imposed new sanctions on Iran. It tries to collect information by infiltrating the accounts of non-Iranian political figures and authorities who work on economic and military sanctions against Iran.

In other words, hackers supported by the Iranian government pick their targets according to the policies and international interests of the Iranian government, and also target the areas where Iran wants to exert influence indirectly.

As a result, we propose a series of recommendations to tech companies, policymakers, civil society actors and internet users to effectively lessen the threat of this type of attack and even thwart it.

Our recommendations to tech companies and policymakers:

  • Stop using 2 factor authentication by plain text message/SMS.
  • Start using Security Keys (e.g. YubiKey) for 2 factor authentication for high-ranking individuals who have sensitive jobs or activities.
  • Do not use one-tap login verification processes.

Our recommendations to civil society and the Iranian diaspora media:

  • Inform employees and colleagues about any phishing threats and encourage them to use Security Keys such as YubiKey for 2 factor authentication and to activate Google’s Advanced Protection Program.
  • Always use company and institution email accounts instead of personal email for sensitive communications. Change Sender Policy Framework (SPF) settings (see footnote 6) according to the communication policy of the company/organisation, such as restricting the receipt of emails from outside of the working network. G Suite, for example, allows admins to block the receipt of emails from unauthorised addresses or domains (see footnote 7).
  • Encourage the public to enable 2 factor authentication on their accounts using mobile apps such as Google Authenticator.
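The SPF recommendation above only helps if the published record actually rejects forged senders. The following is an added example (not code from the report or from any SPF library) of how a receiving server evaluates a sender IP against an SPF record, together with a quick audit of how strict a record is. It assumes an in-memory dictionary of fictional domains (documentation-range addresses) in place of DNS TXT lookups so that it runs offline; the a, mx, exists and ptr mechanisms, redirect= and the 10-lookup limit of RFC 7208 are deliberately left out.

```python
"""Minimal SPF (RFC 7208) evaluator covering the ip4, ip6, include and all
mechanisms, plus a quick audit of how strict a published record is.

Added example, not code from the report. An in-memory dictionary of fictional
domains stands in for DNS TXT lookups so the code runs offline.
"""
import ipaddress

# Constructed records (fictional domains, documentation-range addresses).
SPF_RECORDS = {
    # strict: anything not listed is rejected outright
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    # soft: forged mail is only marked, which many default setups still use
    "weak.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    # open: any host on the internet may send as this domain
    "nospf.example": "v=spf1 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, sender_domain, records=SPF_RECORDS, depth=0):
    """Evaluate sender_ip against sender_domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = records.get(sender_domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                 # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: matches only when the referenced record itself passes
            matched = check_spf(sender_ip, arg, records, depth + 1) == "pass"
        else:
            continue                    # mechanisms/modifiers not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def spf_policy_strength(record):
    """Classify a record by its catch-all term, which decides what happens to forged mail."""
    if not record:
        return "missing"
    last = record.split()[-1].lower()
    return {"-all": "strict", "~all": "soft", "?all": "neutral",
            "+all": "open", "all": "open"}.get(last, "no-catch-all")


if __name__ == "__main__":
    for domain, record in SPF_RECORDS.items():
        print(f"{domain}: {spf_policy_strength(record)}")
    print(check_spf("203.0.113.9", "example.org"))   # a forged sender -> fail
```

The point to take from the audit helper is that only a record ending in `-all` causes a forged sender to be rejected; `~all` merely marks the message, and `+all` or a missing record offers no protection at all, whatever else the record lists.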

Our recommendations to users:

  • Do not click on unknown links. To review suspicious activity on your account or to change your password, go directly to the “My Account” settings of your email service instead of clicking on any link; this is safer.
  • Use email encryption such as PGP for sensitive emails, which prevents hackers from reading your emails in the first place.
  • Do not store classified and sensitive information as plain text in your mailbox.
  • HTTPS before a domain name in a URL does not mean that the content of a website is secure or trusted; it is just a secure extension of the HTTP protocol. Do not forget that many phishing websites currently operate under the HTTPS protocol too.

IOCs

  • 178.162.132[.]65
  • 190.2.154[.]34
  • 190.2.154[.]35
  • 190.2.154[.]36
  • 190.2.154[.]38
  • 46.166.151[.]211
  • 51.38.87[.]64
  • 51.38.87[.]65
  • 51.68.185[.]96
  • 51.38.107[.]113
  • 95.211.189[.]45
  • 95.211.189[.]46
  • 95.211.189[.]47
  • 213.227.139[.]148
  • 54.37.241[.]221
  • 54.38.144[.]250
  • 54.38.144[.]251
  • 54.38.144[.]252
  • 85.17.127[.]172
  • 85.17.127[.]173
  • 85.17.127[.]174
  • 85.17.127[.]175
  • 89.198.179[.]103
  • 31.2.213[.]18
  • accounts-support[.]services
  • broadcast-news[.]info
  • broadcastnews[.]pro
  • com-identifier-servicelog[.]info
  • com-identifier-servicelog[.]name
  • com-identifier-userservicelog[.]com
  • confirm-session-identification[.]info
  • confirm-session-identifier[.]info
  • confirmation-service[.]info
  • customer-recovery[.]info
  • customize-identity[.]info
  • document-share[.]info
  • document.support-recoverycustomers[.]services
  • documentofficupdate[.]info
  • documents.accounts-support[.]services
  • documentsfilesharing[.]cloud
  • email-delivery[.]info
  • mobile-sessionid.customize-identity[.]info
  • mobiles-sessionid.customize-identity[.]info
  • my-scribdinc[.]online
  • myyahoo.ddns[.]net
  • notificationapp[.]info
  • onlinemessenger.com-identifier-servicelog[.]name
  • podcastmedia[.]online
  • recoveryusercustomer[.]info
  • session-management[.]info
  • support-recoverycustomers[.]services
  • continue-session-identifier[.]info
  • mobilecontinue[.]network
  • session-identifier-webservice.mobilecontinue[.]network
  • com-messengersaccount[.]name
  • invitation-to-messenger[.]space
  • confirm-identification[.]name
  • mobile.confirm-identification[.]name
  • services.confirm-identification[.]name
  • mobile-messengerplus[.]network
  • confirm.mobile-messengerplus[.]network
  • com-messengercenters[.]name
  • securemail.mobile-messengerplus[.]network
  • documents.mobile-messengerplus[.]network
  • confirm-identity[.]net
  • identifier-sessions-mailactivityid[.]site
  • activatecodeoption.ddns[.]net
  • broadcastpopuer.ddns[.]net
  • books.com-identifier-servicelog[.]name
  • mb.sessions-identifier-memberemailid[.]network
  • sessions-identifier-memberemailid[.]network
  • sessions.mobile-messengerplus[.]network
  • confirm-verification-process[.]systems
  • accounts.confirm-verification-process[.]systems
  • broadcastnews.ddns[.]net
  • account-profile-users[.]info
  • us2-mail-login-profile[.]site
  • us2.login-users-account[.]site
  • login-users-account[.]site
  • live.account-profile-users[.]info
  • signin.account-profile-users[.]info
  • aol.account-profile-users[.]info
  • users-account[.]site
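One practical use of the IOC list above is to sweep proxy, DNS and firewall logs for contact with the listed infrastructure. The block below is an added example, not part of the report: it takes a subset of the report's own indicators in their defanged form, refangs them only in memory, and matches them against constructed log lines (the log formats are made up for the example and are likewise kept defanged in source). Domain indicators match their subdomains as well, with the leading dot preserved so that a look-alike such as a fictional `fakeaccounts-support.services` does not produce a false hit.

```python
"""Scan log lines for the IOCs listed in the report above.

Added example, not part of the report. The IOC subset is copied from the
report's list; the log lines are constructed and, like the report, kept
defanged ("[.]") in source and refanged only in memory.
"""
import ipaddress
import re

# Subset of the report's IOCs, in the defanged form the report uses.
DEFANGED_IOCS = [
    "178.162.132[.]65",
    "190.2.154[.]34",
    "accounts-support[.]services",
    "myyahoo.ddns[.]net",
    "confirm-identity[.]net",
]

# Constructed log lines; the proxy, DNS and firewall formats are invented.
DEFANGED_SAMPLE_LOG = [
    "2018-11-20T10:15:02Z proxy user=alice GET https://documents.accounts-support[.]services/login status=200",
    "2018-11-20T10:16:44Z dns query=myyahoo.ddns[.]net type=A client=10.0.0.7",
    "2018-11-20T10:17:01Z fw action=allow src=10.0.0.7 dst=178.162.132[.]65 dport=443",
    "2018-11-20T10:18:30Z proxy user=bob GET https://mail.example.org/inbox status=200",
    "2018-11-20T10:19:12Z dns query=fakeaccounts-support[.]services type=A client=10.0.0.9",
]

# Hostnames: dotted labels ending in an alphabetic TLD, not embedded in a longer token.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
# IPv4 addresses, not embedded in a longer dotted-digit run.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def refang(text):
    """Undo the report's defanging so a value can be compared with live data."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def build_matcher(defanged_iocs):
    """Split IOCs into an IP set and a domain set."""
    ips, domains = set(), set()
    for ioc in defanged_iocs:
        value = refang(ioc).lower()
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value)
    return ips, domains


def matches_in_line(line, ips, domains):
    """Return the set of indicator values found in one log line."""
    hits = set()
    for ip in IP_RE.findall(line):
        if ip in ips:
            hits.add(ip)
    for host in HOST_RE.findall(line):
        host = host.lower()
        # exact match or a subdomain of a listed domain; the leading dot in the
        # suffix test keeps look-alikes such as fakeaccounts-support.services out
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.add(host)
    return hits


def scan(lines, defanged_iocs=DEFANGED_IOCS):
    """Return [(line_number, sorted_hits)] for every line with at least one hit."""
    ips, domains = build_matcher(defanged_iocs)
    results = []
    for number, line in enumerate(lines, 1):
        hits = matches_in_line(line, ips, domains)
        if hits:
            results.append((number, sorted(hits)))
    return results


SAMPLE_LOG = [refang(line) for line in DEFANGED_SAMPLE_LOG]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Matching on parsed hostnames and addresses rather than on raw substrings is what keeps the sweep usable: a plain substring search for `accounts-support.services` would also flag the look-alike on the last sample line, and a substring search for an IP would flag any longer address that happens to contain it.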

Footnotes:

  1. https://s.certfa.com/q1514c
    https://s.certfa.com/eNnnag
    https://s.certfa.com/ur93p2
  2. ClearSky Cyber Security (2018), “Charming Kitten, Iranian cyber espionage against human rights activists, academic researchers and media outlets – and the HBO hacker connection”. Accessed November 15, 2018. https://s.certfa.com/1ulIxk
  3. Sites. Accessed November 23, 2018. https://sites.google.com/
  4. Firefox Screenshots. Accessed November 15, 2018. https://screenshots.firefox.com/
  5. VirusTotal Graph. Accessed November 25, 2018. https://s.certfa.com/OgQUSC
  6. Sender Policy Framework (SPF) is an email authentication method for detecting forged sender addresses in emails. SPF allows the recipient to check that an email claiming to come from a specific domain comes from an IP address authorised by that domain’s administrators.
  7. G Suite Administrator Help (2018), “Restrict messages to authorized addresses or domains”. Accessed November 29, 2018. https://support.google.com/a/answer/2640542?hl=en