Group said to be behind attempted campaign hack has also gone after cybersecurity researchers

An Iran-linked hacking group that targeted a U.S. presidential campaign in recent months also has a history of trying to compromise cybersecurity analysts who have exposed the hackers’ operations, the analysts told CyberScoop.

The hackers have previously sent researchers at Israeli company ClearSky Cyber Security malware-laced emails purporting to be from an antivirus company, according to Ohad Zaidenberg, the company’s senior cyber intelligence researcher.  The hacking group, which analysts say works in support of Iranian interests, also set up a phishing website mimicking that of ClearSky and a web-mail page “built to attack our clients,” Zaidenberg told CyberScoop.

ClearSky flagged some of the activity last year, saying the hackers had failed to breach the company or its clients. But the attackers appear to be very persistent. “They tried to attack me personally and ClearSky as well many times,” Zaidenberg said. “They don’t like us.”

The episode highlights the lengths to which the group might go to try to infiltrate the cybersecurity specialists who track them. And it is indicative of what has been a busy few months for the Iranian computer operatives, known to researchers as Charming Kitten, APT35, or Phosphorus.

Last week, Microsoft said the hackers had tried to break into at least one email account associated with an unnamed U.S. presidential campaign, along with current and former U.S. government officials, journalists, and certain Iranians living abroad. While Microsoft’s report covered a lot of activity (the company said the hackers had targeted 241 email accounts) it also encouraged outside analysts to come forward with their own Charming Kitten data.

Despite Charming Kitten’s penchant for attacking them, ClearSky said this week they’ve found more of the group’s phishing sites. These page lures try to trick Facebook and Twitter users into handing over their passwords. The sites, which the researchers discovered in the last week, are made using WordPress or CrunchPress, a related website tool, and have directories that store logos used to impersonate the target organization. In addition to the targets named by Microsoft, Charming Kitten has also been going after academic researchers who focus on Iran along with activists opposed to the Iranian regime, according to ClearSky.

For some analysts, the latest Charming Kitten activity is a reminder of the group’s persistence and maturation.

John Hultquist, director of intelligence analysis at cybersecurity company FireEye, said the Iranian hacking group had “come a long way” in honing its tradecraft in the five years his company has been tracking the hackers. A group that once had “rudimentary” techniques has been “using a lot of off-the-shelf tools and frameworks to improve their capability,” Hultquist told CyberScoop.