The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker

Presented at Black Hat USA 2021, Aug. 4, 2021, 1:30 p.m. (40 minutes).

When our intel team talks about human error, we usually focus on the victim of a security incident. But in the investigation we ran in the past year, we flipped the script to highlight how the continued operational security errors of a prolific, state-sponsored threat group reveal intimate details of their entire operation.

Through very simple but persistent mistakes made by the adversary, likely based in Iran, we continued to learn the innermost details of the operations of a group we track as ITG18, better known as "Charming Kitten". This group targeted pivotal individuals, including US politicians, nuclear scientists, journalists, and people involved in COVID vaccine development, recording the victims' most private chats, emails, and even photos.

In our talk, we will reveal how an ITG18 operator set up their machine and various personas, hence 9 lives, to run adversarial operations and manage stolen data. We will go over TTPs of an ITG18 campaign and expose suspected initial access vectors for the audience to better understand how ITG18 compromises targets. Additionally, we will highlight ITG18's new Android malware that they use to infect victims they follow on a daily basis. We named this code "LittleLooter" which we will discuss at the conference for the first time.

To get a better sense of ITG18 operational cadence, we will show two of the ITG18 training videos discovered during our research. These specifically cover how ITG18 configures the compromised personal email accounts of their victims to maintain access to their accounts without being detected, how ITG18 exfils information from their victims and how they expand on the compromises with the stolen data.

We will close this talk with some thoughts about ITG18's future operations, including how they respond to public disclosure and how organizations and individuals can better defend themselves against this group.


Presenters:

  • Allison Wikoff - Senior Strategic Cyber Threat Analyst, IBM X-Force
    Allison Wikoff is a senior strategic cyber threat analyst with IBM X-Force Threat Intelligence Services. She has nearly 20 years of experience working as a network defender, incident responder, intelligence analyst and threat researcher. The focus of the latter half of Allison's career has been hunting and researching nation-state cyber activity with a focus on Iran. Her other research interests include emerging threats and threat actor mistakes. She holds numerous industry certifications and an advanced degree from Columbia University where she frequently guest lectures for several information security-focused graduate courses.
  • Richard Emerson - Senior Threat Hunt Analyst, IBM X-Force
    Richard Emerson is a senior threat hunt analyst with IBM Security X-Force Threat Intelligence. He has 8 years of experience in the public and private sector tracking a variety of threat actors operating in the cyber domain. Since joining IBM X-Force, Richard has increasingly focused his research on cyber actors operating on behalf of the Iranian government, including helping investigate the Shamoon3 and ZeroCleare attacks. Richard holds a dual degree from American University, as well as maintains industry certifications.

Links:

Similar Presentations: