Security Alert APT Charming Kitten Pounces on Medical Researchers


Level 70
Content Creator
Malware Hunter
Aug 17, 2014
Security researchers have linked a late-2020 phishing campaign aimed at stealing credentials from 25 senior professionals at medical research organizations in the United States and Israel to an advanced persistent threat group with links to Iran called Charming Kitten.

The campaign—dubbed BadBlood because of its medical focus and the history of tensions between Iran and Israel–aimed to steal credentials of professionals specializing in genetic, neurology and oncology research, according to new research posted online Wednesday from Proofpoint’s Joshua Miller and the Proofpoint Research Team.

This type of targeting represents a departure for Charming Kitten, (also known as Phosphorus, Ajax or TA453), which—due to its believed alignment with Iran’s Islamic Revolutionary Guard Corps (IRGC)–in the past has primarily put dissidents, academics, diplomats and journalists in its crosshairs, researchers said in the report.

“While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be the result of a specific short-term intelligence collection requirement,” Miller and the team wrote in a report. “BadBlood is aligned with an escalating trend of medical research being increasingly targeted by threat actors.”

Indeed, the medical professionals targeted in the latest campaign “appear to be extremely senior personnel” at their respective organizations, researchers noted. Though Proofpoint hasn’t conclusively determined Charming Kitten’s motives for the attacks, it does seem to be a one-off attempt to gather intelligence that potentially can be used in further phishing campaigns, they said.