
'My identity was stolen by Iranian hackers', FRANCE 24 journalist says

From the show
Tech 24

Iran may look increasingly isolated on the international stage, but cybersecurity companies say its extensive network of hackers is working hard to pursue the government’s strategic interests. One person who’s being used as a pawn in a massive cyber campaign is FRANCE 24's technology editor Peter O’Brien.

PSA: If you get an email from anyone at FRANCE 24 whose address does not end in "@france24.com" – it is not one of our journalists. 

For months, someone has posed as me to try and conduct fraudulent interviews about Iran. 

Researchers at cybersecurity firm Volexity got in touch to tell me the attacker was part of a group they call CharmingCypress, also known as Charming Kitten or APT42, linked to Iranian authorities. 

As per cybersecurity naming conventions, both "kitten" and "cypress" refer to Iran, just as "bear" refers to Russia or "panda" refers to China. 

Since August, I have been contacted by several people with a level of public visibility for their work in international policy, particularly to do with Iran. 

This was either to check if a message had come from me – it hadn’t – or, in one case, to tell me that the victim had succumbed to a two-hour fake interview with a fake Peter O'Brien who pretended his camera wasn’t working. 

The attacks began with an email using my name, my photo, something resembling my job title, my public usernames and a request for an interview. The phone number and email address were, however, fake. 

Volexity says the aim of such attacks is ultimately to deliver a payload of malware, allowing the attackers to access as much of the victim’s personal information and accounts as possible, in order to further manipulate them. 

They do this by slowly building trust over email and voice exchanges, eventually sending a link or file which triggers the delivery of this payload. 

In other similar attacks unmasked by the company, they cited malicious links to documents called “The global consequences of the Israel-Hamas war” and “US strategy in the Middle East is coming into focus”. 

In one case, Volexity said CharmingCypress went so far as to craft an entirely fake webinar with 16 fake Middle East experts to lure a victim in. 

Cybersecurity news site Dark Reading reports that the group has been active since at least 2013 and has strong links to the Islamic Revolutionary Guard Corps. 

In a 2022 report, another cybersecurity firm, Mandiant, said the group that it calls “APT42” has been active since at least 2015. The firm said it assessed “with high confidence that APT42 is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government”. 

“After gaining access,” the report reads, “the group has deployed mobile malware capable of tracking victim locations, recording phone conversations, accessing videos and images, and extracting entire SMS inboxes”. 

Both Mandiant and Volexity point out that CharmingCypress / APT42 is persistent. The group has been impervious to takedowns of its infrastructure and to public reports. 

Meanwhile, their priorities and targets shift as Iran’s strategic priorities shift over time – so expect them to shift again given the changing fortunes in the Middle East. 
