Charming Kitten, also calledAPT35 (byMandiant),Phosphorus orMint Sandstorm (byMicrosoft),^[1]Ajax Security (byFireEye),^[2] andNewsBeef (byKaspersky^[3][4]), is anIranian governmentcyberwarfare group, described by several companies and government officials as anadvanced persistent threat (APT).

The United StatesCybersecurity and Infrastructure Security Agency (CISA) has identified Charming Kitten as one of several Iranian state-aligned actors that targetcivil society organizations, including journalists, academics, and human rights defenders, in the United States, Europe, and the Middle East, as part of efforts to collect intelligence, manipulate discourse, and suppress dissent.^[5]

The group is known to conductphishing campaigns that impersonate legitimate organizations and websites, using fake accounts and domains to harvest user credentials.^[6]

In 2013, former United States Air Forcetechnical sergeant and military intelligence defense contractorMonica Witt defected to Iran^[7] knowing she might incur criminal charges by the United States for doing so.^{[citation needed]} Her giving of intelligence to the government of Iran later caused Operation Saffron Rose, a cyberwarfare operation that targeted US military contractors.^{[citation needed]}

In 2017, following a cyberattack onHBO, a large-scale joint investigation was launched on the grounds that confidential information was being leaked. A conditional statement by a hacker going by aliasSokoote Vahshat (Persianسکوت وحشت lit. 'Silence of Fear') said that if money was not paid, scripts of television episodes, including episodes ofGame of Thrones, would be leaked. The hack caused a leak of 1.5 terabytes of data, some of which was shows and episodes that had not been broadcast at the time.^[8] HBO has since stated that it would take steps to make sure that they would not be breached again.^[9]

Behzad Mesri was subsequently indicted for the hack. He has since been alleged to be part of the operation unit that had leaked confidential information.^[10]

According to Certfa, Charming Kitten had targeted US officials involved with the 2015Iran Nuclear Deal. The Iranian government denied any involvement.^[11][12]

Afederal grand jury in theUnited States District Court for the District of Columbia indicted Witt on espionage charges (specifically "conspiracy to deliver and delivering national defense information to representatives of the Iranian government"). The indictment was unsealed on February 19, 2019. In the same indictment, four Iranian nationals—Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar—were charged with conspiracy, attempting to commit computer intrusion, and aggravatedidentity theft, for a campaign in 2014 and 2015 that sought to compromise the data of Witt's former co-workers.^[13]

In March 2019,Microsoft took ownership of 99 DNS domains owned by the Iranian government-sponsored hackers, in a move intended to decrease the risk ofspear-phishing and other cyberattacks.^[14]

In 2020,Reuters reported that Charming Kitten targeted critics of the Iranian government, academics, and journalists, such asErfan Kasraie and Hassan Sarbakhshian, who received fake interview requests designed to harvest email credentials. The emails impersonated reporters from outlets likeThe Wall Street Journal,CNN, andDeutsche Welle, sometimes asking recipients to enter Google passwords or sign bogus contracts. Cybersecurity firms Certfa, ClearSky, andSecureworks attributed the operation to Charming Kitten based on tactics, infrastructure, and targeting.^[15]

According to Microsoft, in a 30-day period between August and September 2019, Charming Kitten made 2,700 attempts to gain information regarding targeted email accounts.^[16] This resulted in 241 attacks and 4 compromised accounts. Although the initiative was deemed to have been aimed at a United States presidential campaign, none of the compromised accounts were related to the election.

Microsoft did not reveal who specifically was targeted, but a subsequent report by Reuters claimed it was Donald Trump's re-election campaign.^[17] This assertion is corroborated by the fact that only the Trump campaign used Microsoft Outlook as an email client.

Iran denied any involvement in election meddling, with the Iranian Foreign MinisterMohammad Javad Zarif stating "We don’t have a preference in your election [the United States] to intervene in that election," and "We don’t interfere in the internal affairs of another country," in an interview on NBC's "Meet The Press".^[18]

Cybersecurity experts at Microsoft and third-party firms such as ClearSky Cyber Security maintain that Iran, specifically Charming Kitten, was behind the attempted interference, however. In October 2019, ClearSky released a report supporting Microsoft's initial conclusion.^[19] In the report, details about the cyberattack were compared to those of previous attacks known to originate from Charming Kitten. The following similarities were found:

• Similar victim profiles. Those targeted fell into similar categories. They were all people of interest to Iran in the fields of academia, journalism, human rights activism, and political opposition.
• Time overlap. Verified Charming Kitten activity was ramping up within the same timeframe that the election interference attempts were made.
• Consistent attack vectors. The methods of attack were similar, with the malicious agents relying on spear-phishing via SMS texts.

In 2020,IBM’s X-Force IRIS team uncovered over 40GB of data from Charming Kitten, including training videos showing operatives hacking email and social media accounts. The footage included access to accounts of US andHellenic Navy personnel, failed phishing attempts on US officials, and use of tools likeZimbra to manage stolen credentials. Researchers described the discovery as a rare insight into the group’s methods and suggested it showed limited ability to bypassmulti-factor authentication.^[20]

On August 23, 2022, a Google Threat Analysis Group (TAG) blog post revealed a new tool developed by Charming Kitten to steal data from well-known email providers (i.e. Google, Yahoo!, and Microsoft).^[21] This tool needs the target's credentials to create a session on its behalf. It acts in such a way that using old-style mail services looks normal to the server and downloads the victim's emails, and does some changes to hide its fingerprint.

Per the report, the tool is developed on the windows platform but not for the victim's machine. It uses both command line andGUI to enter credentials or other required resources like cookies.

In September 2023, Germany’s domestic intelligence agency issued a public warning about “concrete spying attempts” by the Iranian-linked hacker group Charming Kitten, according toThe Guardian. The report followed incidents documented across several European countries in which Iranian activists experienced hacking attempts, cyberattacks, online harassment, and threats of physical harm. Activists in Germany, France, the UK, and Spain were reportedly warned by local authorities about threats allegedly linked to Iranian cyber actors.^[22]

• Sony Pictures hack
• Monica Witt

• Iranian advanced persistent threat groups
• Iran–United States relations
• Cyberwarfare

• Articles with short description
• Short description is different from Wikidata
• Use mdy dates from December 2020
• Use American English from December 2020
• All Wikipedia articles written in American English
• Pages using infobox mapframe with missing coordinates
• All articles with unsourced statements
• Articles with unsourced statements from September 2019
• Articles containing Persian-language text