February 28, 2020
The Reuters news agency says the Islamic Republic is continuing to try to pry into the email accounts of Iranian dissidents living abroad.
Recently, it reported, Iranian-born German academic Erfan Kasraie received an email allegedly from The Wall Street Journal requesting an interview.
The November 12 message purportedly came from Farnaz Fassihi, a veteran Iranian-American journalist who covers the Middle East. Yet it read more like a fan letter, asking Kasraie to share his “important achievements” to “motivate the youth of our beloved country.”
“This interview is a great honor for me,” the message gushed.
Then a follow-up email instructed Kasraie to enter his Google password to see the interview questions. That was a red flag to Kasraie.
The phony request was in reality an attempt to break into Kasraie’s email account. Reuters said, “The incident is part of a wider effort to impersonate journalists in hacking attempts that three cybersecurity firms said they have tied to the Iranian government, which rejected the claim.”
The incidents come to light at a time when the US government has warned of Iranian cyber threats in the wake of the US air strike that killed Major General Qassem Soleymani.
In a report published February 5, the London-based cyber-security company Certfa tied the impersonation of Fassihi to a hacking group nicknamed Charming Kitten, which has long been associated with Iran. Israeli firm ClearSky Cyber Security provided Reuters with documentation of similar impersonations of two media figures at CNN and Deutsche Welle, a German public broadcaster. ClearSky also linked the hacking attempts to Charming Kitten, describing the individuals targeted as Israeli academics or researchers who study Iran. ClearSky declined to give the specific number of people targeted or to name them, citing client confidentiality.
Iran denies operating or supporting any hacking operation. Alireza Miryousefi, the spokesman for the Islamic Republic’s mission to the United Nations, said that firms claiming otherwise “are merely participants in the disinformation campaign against Iran.”
Reuters said it uncovered similar hacking attempts on two other targets, which the two cybersecurity firms, along with a third firm, Atlanta-based Secureworks, said also appeared to be the work of Charming Kitten. Azadeh Shafiee, an anchor for London-based satellite broadcaster Iran International, was impersonated by hackers in attempts to break into the accounts of a relative of hers in London and Prague-based Iranian filmmaker Hassan Sarbakhshian.
Sarbakhshian, who fled the Islamic Republic amid a crackdown that saw the arrest of several fellow photojournalists in 2009, was also targeted with an email that claimed to be from Fassihi. The message asked him to sign a contract to sell some of his pictures to The Wall Street Journal. Sarbakhshian said in an interview that he was suspicious of the message and didn’t respond.
Neither did the ruse fool Kasraie, an academic who frequently appears on television criticizing Iran’s government. “I understood 100 percent that it was a trap,” he said in an interview with Reuters.
That’s not surprising given the hackers’ sloppy tactics. For instance, they missed the fact that Fassihi left the Journal last year for a new job at The New York Times.
Microsoft, which tracks attempts to undermine election security, in October accused Charming Kitten of targeting a US presidential campaign; sources told Reuters at the time that the campaign was Donald Trump’s.
“This activity does align with prior Iranian cyber operations,” said Allison Wikoff, a Secureworks researcher who has tracked Charming Kitten for years.
In early 2019, the United States indicted Behzad Mesri, whom ClearSky has linked to Charming Kitten through emails and social media activity, on charges of recruiting a former female US Air Force intelligence officer to spy on behalf of Iran. Mesri remains at large.
Other impersonated journalists included CNN national security analyst Samantha Vinograd, whose identity was stolen in August and used in attempts to break into email accounts in Israel, ClearSky said. Another was Michael Hartlep, a Berlin-based video journalist who has done freelance assignments for Deutsche Welle and Reuters.
ClearSky found his name on an email inviting recipients to a bogus Deutsche Welle webinar on Iran’s role in the Middle East.
In another case, the hackers appear to have invented a journalist—“Keyarash Navid-pour”—to send out a phony invitation on January 4 to an online seminar that, the invitation claimed, Deutsche Welle would hold about the previous day’s killing of Soleymani. No such journalist works for Deutsche Welle, said the news organization’s spokesman, Christoph Jumpelt.