Charming Kitten

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Charming Kitten
Модный мишка
Formationc. 2004–2007[1]
TypeAdvanced persistent threat
PurposeCyberespionage, cyberwarfare
Middle East
MethodsZero-days, spearphishing, malware, Social Engineering, Watering Hole
At least 5
Official language
Parent organization
AffiliationsRocket Kitten
Formerly called
Turk Black Hat
Ajax Security Team

Charming Kitten (other aliases include APT35 (by Mandiant), Phosphorus (by Microsoft),[1] Ajax Security (by FireEye),[2] NewsBeef (by Kaspersky,[3]))[4] is a cyberwarfare group, described by several companies and government officials as an advanced persistent threat.

On December 15, 2017 the group was designated by FireEye as a nation state based advanced persistent threat, regardless of the lack of its sophistication. Research conducted by FireEye in 2018 suggested that APT35 may be expanding their malware, and solidifying[clarification needed] their campaigns.[5]

The group has since been known to use phishing to impersonate company websites,[6] as well as fake accounts and fake DNS domains to phish users' passwords.


Witt Defection (Early 2013)[edit]

In 2013, former United States Air Force technical sergeant and military intelligence defense contractor Monica Witt defected to Iran knowing she might incur criminal charges by the United Stages for doing so.[citation needed] Her giving of intelligence to the government of Iran later caused Operation Saffron Rose, a cyberwarfare operation that targeted US military contractors.[citation needed]

HBO cyberattack (2017)[edit]

In 2017, following a cyberattack on HBO, a large-scale joint investigation was launched[by whom?] on the grounds that confidential information was being leaked. A conditional statement by a hacker going by alias Skote Vahshat said that if money was not paid, scripts of television episodes, including episodes of Game of Thrones, would be leaked. The hack caused a leak of 1.5 terabytes of data, some of which was shows and episodes that had not been broadcast at the time.[7] HBO has since stated that it would take steps to make sure that they would not be breached again.[8]

Behzad Mesri was subsequently indicted for the hack. He has since been alleged to be part of the operation unit that had leaked confidential information. [9]

According to Certfa, Charming Kitten had targeted US officials involved with the 2015 Iran Nuclear Deal. The Iranian government denied any involvement.[10][11]

Second Indictment (2019)[edit]

Witt was officially charged by a Washington, D.C. based jury on February 19, 2019.[12] Four others including the HBO hacker were also charged.[citation needed]

A court order was issued[by whom?] authorizing Microsoft to take ownership of 99 DNS domains that were registered by the group. Microsoft has subsequently said that it plans to work to reduce the cyberattack rate significantly.[13]

2020 Election interference attempts (2019)[edit]

See also[edit]


  1. ^ "Microsoft uses court order to shut down APT35 websites". CyberScoop. March 27, 2019.
  2. ^ "Ajax Security Team lead Iran-based hacking groups". Security Affairs. May 13, 2014.
  3. ^ "Freezer Paper around Free Meat".
  4. ^ Bass, Dina. "Microsoft Takes on Another Hacking Group, This One With Links to Iran".
  5. ^ "OVERRULED: Containing a Potentially Destructive Adversary". FireEye.
  6. ^ "Iranian Charming Kitten ATP group poses as Israeli cybersecurity firm in phishing campaign". Security Affairs. July 3, 2018.
  7. ^ "The HBO hack: what we know (and what we don't) - Vox".
  8. ^ Petski, Denise (July 31, 2017). "HBO Confirms It Was Hit By Cyber Attack".
  9. ^ "HBO Hacker Was Part of Iran's "Charming Kitten" Elite Cyber-Espionage Unit". BleepingComputer.
  10. ^ "Iranian Hackers Target Nuclear Experts, US Officials". Dark Reading.
  11. ^ Satter, Raphael (December 13, 2018). "AP Exclusive: Iran hackers hunt nuclear workers, US targets". AP NEWS.
  12. ^ "Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues". February 13, 2019.
  13. ^ "Microsoft seizes 99 domains owned by Iranian state hackers". News @ March 28, 2019.