Iranian cyber spies are targeting dissidents in Germany, warns intelligence service
Germany’s domestic intelligence service published a cyber espionage warning on Thursday that Iranian dissident organizations and individuals in the country were being targeted by a suspected state-sponsored threat group.
Officially known as the Federal Office for the Protection of the Constitution (BfV), the agency reported it had found concrete attempts by the group known as Charming Kitten to target the Iranian opposition and exiles based in Germany.
Similar to a warning issued by Britain’s National Cyber Security Centre in January, the BfV said the hackers were using sophisticated social engineering techniques and false personals tailored to victims in order to build a rapport and compromise their targets.
Charming Kitten has been described as state-sponsored by numerous specialist companies — including Google, Recorded Future and Proofpoint — on the basis of its apparent intelligence-gathering rather than financial motivation, although the BfV did not explicitly accuse the Iranian regime of supporting it.
The German agency’s publication describes the nature of the social engineering activities, designed to build a rapport with their victims, before often sending a link to an online chat that leads to a disguised credential harvesting page.
Last December, Human Rights Watch said that Charming Kitten was behind a well-resourced and ongoing international cyber espionage campaign that targeted a member of their staff by having them enter their login credentials into a webpage that the hackers controlled.
Among the industry research linked to by both the NCSC's advisory and the new warning from the BfV is work by CERTFA (the ‘Computer Emergency Response Team in Farsi’), a mostly anonymous collective that tracks Iranian cybercriminals and state-sponsored hackers targeting Iranian citizens around the world.
Last year, the head of MI5, the U.K.’s domestically-focused security service which takes the lead on counter-terrorism and counter-espionage, warned that there had been at least 10 potential threats by Iran to "kidnap or even kill" British or U.K.-based people who were perceived as enemies of the regime.
It is not known what links, if any, these threats share with the Charming Kitten espionage campaign, but Amin Sabeti — the founder of CERTFA — told The Record he believed that Charming Kitten was linked to the IRGC and that he wouldn't be surprised to read a news story announcing that one of the campaign's targets had been killed.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.