Organization:Charming Kitten

From HandWiki
Charming Kitten
Модный мишка
Formation: c. 2004–2007[1]
Type: Advanced persistent threat
Purpose: Cyberespionage, cyberwarfare
Middle East
Methods: Zero-days, spearphishing, malware, social engineering, watering hole
At least 5
Official language
Parent organization
Affiliations: Rocket Kitten
Formerly called: Turk Black Hat, Ajax Security Team

Charming Kitten (other aliases include APT35 (by Mandiant), Phosphorus (by Microsoft),[1] Ajax Security (by FireEye),[2] and NewsBeef (by Kaspersky)[3])[4] is a cyberwarfare group, described by several companies and government officials as an advanced persistent threat.

On December 15, 2017, FireEye designated the group a nation-state-based advanced persistent threat, despite its lack of sophistication. Research conducted by FireEye in 2018 suggested that APT35 may be expanding their malware, and solidifying[clarification needed] their campaigns.[5]

The group has since been known to use phishing to impersonate company websites,[6] as well as fake accounts and fake DNS domains to phish users' passwords.


Witt Defection (Early 2013)

In 2013, former United States Air Force technical sergeant and military intelligence defense contractor Monica Witt defected to Iran, knowing she might incur criminal charges by the United States for doing so.[citation needed] Her passing of intelligence to the government of Iran later led to Operation Saffron Rose, a cyberwarfare operation that targeted US military contractors.[citation needed]

HBO cyberattack (2017)

In 2017, following a cyberattack on HBO, a large-scale joint investigation was launched[by whom?] on the grounds that confidential information was being leaked. A hacker going by the alias Skote Vahshat stated that if money was not paid, scripts of television episodes, including episodes of Game of Thrones, would be leaked. The hack caused a leak of 1.5 terabytes of data, some of which consisted of shows and episodes that had not been broadcast at the time.[7] HBO has since stated that it would take steps to make sure that it would not be breached again.[8]

Behzad Mesri was subsequently indicted for the hack. He has since been alleged to be part of the operation unit that had leaked confidential information.[9]

According to Certfa, Charming Kitten had targeted US officials involved with the 2015 Iran Nuclear Deal. The Iranian government denied any involvement.[10][11]

Second Indictment (2019)

Witt was officially charged by a Washington, D.C.-based jury on February 19, 2019.[12] Four others, including the HBO hacker, were also charged.[citation needed]

A court order was issued[by whom?] authorizing Microsoft to take ownership of 99 DNS domains that were registered by the group. Microsoft has subsequently said that it plans to work to reduce the cyberattack rate significantly.[13]

2020 Election interference attempts (2019)

References

  1. "Microsoft uses court order to shut down APT35 websites". March 27, 2019. 
  2. "Ajax Security Team lead Iran-based hacking groups". May 13, 2014. 
  3. "Freezer Paper around Free Meat". 
  4. Bass, Dina. "Microsoft Takes on Another Hacking Group, This One With Links to Iran". 
  5. "OVERRULED: Containing a Potentially Destructive Adversary". 
  6. "Iranian Charming Kitten ATP group poses as Israeli cybersecurity firm in phishing campaign". July 3, 2018. 
  7. "The HBO hack: what we know (and what we don't) - Vox". 
  8. Petski, Denise (July 31, 2017). "HBO Confirms It Was Hit By Cyber Attack". 
  9. "HBO Hacker Was Part of Iran's "Charming Kitten" Elite Cyber-Espionage Unit". 
  10. "Iranian Hackers Target Nuclear Experts, US Officials". 
  11. Satter, Raphael (December 13, 2018). "AP Exclusive: Iran hackers hunt nuclear workers, US targets". 
  12. "Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues". February 13, 2019. 
  13. "Microsoft seizes 99 domains owned by Iranian state hackers". March 28, 2019.