Iranian hackers target nuclear officials and US federal government

A recent report by cybersecurity group Certfa identified Charming Kitten, an Iranian hacking group likely backed by the Islamic Republic, is targeting nuclear experts, US officials, and government contractors. The group uses phishing tactics to gain access to email accounts. 

Raphael Satter/AP
Certfa researchers Nariman Gharib (l.) and Amin Sabeti work in a London cafe on Dec. 7. A recent Certfa report finds that Iranian hacking group Charming Kitten is targeting nuclear experts and US officials.

As President Trump re-imposed harsh economic sanctions on Iran last month, hackers scrambled to break into personal emails of American officials tasked with enforcing them, The Associated Press has found – another sign of how deeply cyberespionage is embedded into the fabric of US-Iranian relations.

The AP drew on data gathered by the London-based cybersecurity group Certfa to track how a hacking group often nicknamed Charming Kitten spent the past month trying to break into the private emails of more than a dozen US Treasury officials. Also on the hackers' hit list: high-profile defenders, detractors, and enforcers of the nuclear deal struck between Washington and Tehran, as well as Arab atomic scientists, Iranian civil society figures, and DC think tank employees.

"Presumably, some of this is about figuring out what is going on with sanctions," said Frederick Kagan, a scholar at the American Enterprise Institute who has written about Iranian cyberespionage and was among those targeted.

Mr. Kagan said he was alarmed by the targeting of foreign nuclear experts.

"This is a little more worrisome than I would have expected," he said.

The hit list surfaced after Charming Kitten mistakenly left one of its servers open to the internet last month. Researchers at Certfa found the server and extracted a list of 77 Gmail and Yahoo addresses targeted by the hackers that they handed to the AP for further analysis. Although those addresses likely represent only a fraction of the hackers' overall effort – and it's not clear how many of the accounts were successfully compromised – they still provide considerable insight into Tehran's espionage priorities.

"The targets are very specific," Certfa researcher Nariman Gharib said.

In a report published Thursday, Certfa tied the hackers to the Iranian government, a judgment drawn in part on operational blunders, including a couple of cases where the hackers appeared to have accidentally revealed that they were operating from computers inside Iran. The assessment was backed by others who have tracked Charming Kitten. Allison Wikoff, a researcher with Atlanta-based Secureworks, recognized some of the digital infrastructure in Certfa's report and said the hackers' past operations left little doubt they were government-backed.

"It's fairly clear-cut," she said.

Calls to Iranian officials were not returned late Wednesday, the beginning of the weekend in the country.

Iran has previously denied responsibility for hacking operations, but an AP analysis of its targets suggests that Charming Kitten is working in close alignment with the Islamic Republic's interests. The most striking among them were the nuclear officials – a scientist working on a civilian nuclear project for Pakistan's Ministry of Defense, a senior operator at the Research and Training Reactor in the Jordanian city of Ramtha, and a high-ranking researcher at the Atomic Energy Commission of Syria.

The trio suggested a general interest in nuclear technology and administration. Others on the hit list – such as Guy Roberts, the US Assistant Secretary of Defense for Nuclear, Chemical, and Biological Defense Programs – pointed to an eagerness to keep track of officials charged with overseeing America's nuclear arsenal.

"This is something I've been worried about," Mr. Roberts said when alerted to his presence on the list.

Still more targets are connected to the Iran deal – a 2015 pact negotiated by former President Barack Obama's administration and other world powers that called for Tehran to curb its uranium enrichment in exchange for the lifting of international sanctions. Mr. Trump tore up the deal in May over the objections of most of America's allies and has re-imposed a series of punishing restrictions on Iran since.

One of Charming Kitten's targets was Andrew J. Grotto, whose tenure on the US National Security Council straddled the Obama and Trump administrations and who has written about Iran's nuclear ambitions.

Jarrett Blanc, a US State Department official involved in the implementation of the nuclear deal under Obama, was also on the list. He said news of his targeting was no shock.

"I've retained contact with Iranian counterparts since leaving government," he said. "I'd be very surprised if there were not Iranian groups trying to hack into my various email accounts."

Like the Russian hackers who have chased after America's drone, space, and submarine secrets, the list indicates that Iranian spies were also interested in the world of US defense companies. One of those targeted is a senior director of "breakthrough technology" at the aerospace arm of Honeywell International Inc., the New Jersey-based industrial conglomerate; another is a vice president at Virginia-based Science Applications International Corp., a prominent Pentagon contractor.

Honeywell said it was aware that one of its employees had their personal account "exposed," adding that there was no evidence that the company's network was compromised. SAIC said it found no trace of any hacking attempt against its employee's account.

There were Iranian targets, too, including media workers, an agronomist, and a senior employee of the country's Department of Environment – a possible sign that Tehran's crackdown on environmentalists, which began earlier this year, continues apace.

Hacking has long been a feature of the tense relationship between the United States and Iran, whose militant brand of Shia Islam has challenged American interests in the Middle East since 1979.

It was against Iran that US and Israeli spies are said to have deployed the pioneering, centrifuge-rattling computer worm dubbed Stuxnet in a bid to sabotage the country's uranium enrichment capabilities. Iranian hackers in turn are blamed for denial of service assaults on American banks and computer-wrecking cyberattacks in Saudi Arabia, Iran's regional archrival.

The Charming Kitten campaign uncovered by Certfa is far less sophisticated, generally relying on a password-stealing technique called phishing. Two Nov. 17 emails provided to the AP by Jim Sisco of Enodo Global Inc., a Virginia-based risk advisory firm that was targeted by Charming Kitten, mimic the look and feel of Gmail security alerts, a technique used by hackers across the globe.

An analysis of Certfa's data shows the group targeted at least 13 US Treasury employees' personal emails, including one belonging to a director at the Financial Crimes Enforcement Network, which fights money laundering and terror financing, and one used by the Iran licensing chief at the Office of Foreign Asset Control, which is in charge of enforcing US sanctions. But a few employees' LinkedIn profiles referenced back office jobs or routine tax work.

That suggested "a fairly scattershot attempt," said Clay Stevenson, a former Treasury official who now consults on sanctions and was himself targeted by Charming Kitten.

Others' experience suggests a more professional effort.

Georgetown University professor and South Asia security expert Christine Fair said she had only recently returned from a conference in Afghanistan attended by Iranian officials and a visit to the Iranian border when she learned she was in the hackers' sights.

"The timing is uncanny," she said.

Another Charming Kitten target was an intern working for the Foundation for Defense of Democracies, a Washington think tank that has been one of the Iran deal's fiercest critics. How the intern – whose email isn't public and whose name appears nowhere on the organization's website – crossed the hackers' radar is not clear. The foundation issued a statement calling the revelation "yet another indicator that Iran must be viewed as a nefarious actor in all theatres in which it operates."

Kagan, the scholar, said most signs pointed to a serious, state-backed operation.

"It doesn't look like freelancers," he said.

This story was reported by The Associated Press. Monika Mathur and Desmond Butler in Washington contributed to this report.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Iranian hackers target nuclear officials and US federal government
Read this article in
QR Code to Subscription page
Start your subscription today