Iran-linked hackers pose as journalists in email scam

The phony request was in reality an attempt to break into Kasraie’s email account. (Reuters)
Updated 06 February 2020

  • Incidents come to light at a time when US has warned of Iranian cyberthreats

WASHINGTON: When Iranian-born German academic Erfan Kasraie received an email from The Wall Street Journal requesting an interview, he sensed something was amiss.

The Nov. 12 note purportedly came from Farnaz Fassihi, a veteran Iranian-American journalist who covers the Middle East. Yet it read more like a fan letter, asking Kasraie to share his “important achievements” to “motivate the youth of our beloved country.”

“This interview is a great honor for me,” the note gushed.

Another red flag: The follow-up email that instructed Kasraie to enter his Google password to see the interview questions.

The phony request was in reality an attempt to break into Kasraie’s email account. The incident is part of a wider effort to impersonate journalists in hacking attempts that three cybersecurity firms said they have tied to the Iranian government, which rejected the claim. The incidents come to light at a time when the US government has warned of Iranian cyberthreats in the wake of the US airstrike that killed Iran’s second most powerful official, Maj. Gen. Qassem Soleimani.

In a report published on Wednesday, London-based cybersecurity company Certfa tied the impersonation of Fassihi to a hacking group nicknamed Charming Kitten, which has long been associated with Iran. Israeli firm ClearSky Cyber Security provided Reuters with documentation of similar impersonations of two media figures at CNN and Deutsche Welle, a German public broadcaster. ClearSky also linked the hacking attempts to Charming Kitten, describing the individuals targeted as Israeli academics or researchers who study Iran. ClearSky declined to give the specific number of people targeted or to name them, citing client confidentiality.

Iran denies operating or supporting any hacking operation. Alireza Miryousefi, the spokesman for the Islamic republic’s mission to the UN, said that firms claiming otherwise “are merely participants in the disinformation campaign against Iran.”

Reuters uncovered similar hacking attempts on two other targets, which the two cybersecurity firms, along with a third firm, Atlanta-based Secureworks, said also appeared to be the work of Charming Kitten. Azadeh Shafiee, an anchor for London-based satellite broadcaster Iran International, was impersonated by hackers in attempts to break into the accounts of a relative of hers in London and Prague-based Iranian filmmaker Hassan Sarbakhshian.

Sarbakhshian — who fled the Islamic republic amid a crackdown that saw the arrest of several fellow photojournalists in 2009 — was also targeted with an email that claimed to be from Fassihi. The message asked him to sign a contract to sell some of his pictures to The Wall Street Journal. Sarbakhshian said in an interview that he was suspicious of the message and didn’t respond.

Neither did the ruse fool Kasraie, an academic who frequently appears on television criticizing Iran’s government.

“I understood 100 percent that it was a trap,” he said in an interview.

That is not surprising given the hackers’ sloppy tactics. For instance, they missed the fact that Fassihi had left the Journal last year for a new job at The New York Times.

The Journal declined to comment. Fassihi referred questions to The Times, which in a statement called the impersonation “a vivid example of the challenges journalists are facing around the globe.”

US officials and cybersecurity experts see Iran as a digital threat. Earlier this month, the US Department of Homeland Security and the Federal Bureau of Investigation (FBI) issued alerts about the threat of Iranian cyberattacks following the controversial US attack that killed Soleimani. Microsoft, which tracks attempts to undermine election security, in October accused Charming Kitten of targeting a US presidential campaign; sources told Reuters at the time that the campaign was Donald Trump’s.

Homeland Security and FBI spokespeople declined to comment on the recent impersonations identified by Reuters. Certfa, ClearSky, and Secureworks said they could be tied to Charming Kitten through a study of the tactics, targets, and digital infrastructure involved — including servers, link shortening services, and domain registration patterns.

“This activity does align with prior Iranian cyber operations,” said Allison Wikoff, a Secureworks researcher who has tracked Charming Kitten for years.

In early 2019, the US indicted Behzad Mesri — who ClearSky has linked to Charming Kitten through emails and social media activity — on charges of recruiting a former US Air Force intelligence officer to spy on behalf of Iran. Mesri remains at large and could not be reached for comment.

Other impersonated journalists included CNN national security analyst Samantha Vinograd, whose identity was stolen in August and used in attempts to break into email accounts in Israel, ClearSky said. Another was Michael Hartlep, a Berlin-based video journalist who has done freelance assignments for Deutsche Welle and Reuters. ClearSky found his name on an email inviting recipients to a bogus Deutsche Welle webinar on Iran’s role in the Middle East. The firm did not find evidence that the Reuters name was used in hacking attempts.

In another case, the hackers appear to have invented a journalist — “Keyarash Navidpour” — to send out a phony invitation on Jan. 4 to an online seminar that it claimed Deutsche Welle would hold about the killing of Soleimani the day before. No such journalist works for Deutsche Welle, said the news organization’s spokesman Christoph Jumpelt.

Vinograd referred questions to CNN, which did not return messages seeking comment. Hartlep told Reuters he worried such stunts might give sources second thoughts about answering a reporter’s queries.

“If this becomes the usual way of tricking people,” he said, “definitely it makes our work very hard.”


Coronavirus: 16 killed in Iran, 95 infected

Workers disinfect Qom’s Masumeh shrine, which is visited by a large number of people, to prevent the spread of the coronavirus. (AFP)
Updated 26 February 2020

  • Six Saudi women recovering in Bahrain as Kingdom warns against travel to Italy and Japan

DUBAI: Two more people infected with the new coronavirus have died, taking the toll in Iran to 16, a Health Ministry official told state TV on Tuesday.

Iran has the highest number of deaths from coronavirus outside China, where the virus emerged late last year.
“Among those who had been suspected of the virus, 35 have been confirmed and two died of the coronavirus infection,” said Health Ministry spokesman Kianoush Jahanpour. He said 95 people had been infected across Iran.
The Health Ministry urged Iranians to stay at home.
Iran said on Monday 900 cases were suspected, dismissing claims by a lawmaker from Qom who said 50 people had died in the city, the epicenter of the new coronavirus outbreak.
Iran, which confirmed its first two deaths last week in Qom, has yet to say how many people it has quarantined, but the semi-official Mehr news agency said 320 people had been hospitalized.
Iraj Harirchi, Iran’s deputy health minister, has tested positive for the coronavirus and is now under quarantine.
Six Arab countries have reported their first cases of coronavirus, with those infected all having links to Iran. Kuwait said the number of infected people there had risen to eight.
Bahrain’s Health Ministry said 15 more people, including six Saudi women, had tested positive for the virus after returning from Iran via Dubai and Sharjah. The new cases were carried by Bahraini and Saudi nationals who arrived at Bahrain International Airport from Iran via Dubai or Sharjah.
The Saudi Ministry of Health said that it was coordinating with Bahraini health officials for the treatment of the Saudi women who had visited Iran. They will remain in Bahrain until they are fully recovered. The Kingdom has advised citizens and residents to avoid traveling to Italy and Japan.
Iranian authorities have ordered the nationwide cancellation of concerts and soccer matches and the closure of schools and universities in many provinces.
The head of Qom’s Medical Science University, Mohammad Reza Ghadir, expressed concern over “the spread of those people infected by the virus across the city,” adding the Health Ministry had banned releasing figures linked to the coronavirus.
Many Iranians took to social media to accuse authorities of concealing the facts.
Rouhani called for calm, saying the outbreak was no worse than other epidemics that Iran has weathered.
The sight of Iranians wearing masks and gloves is now common in much of the country.
Sales of masks, disinfectant gels and disposable gloves have soared in Tehran and other cities, with officials vowing to prevent hoarding and shortages by boosting production.
Iran has shut schools, universities and cultural centers until the end of the week in an effort to stop the spread of coronavirus.
The UAE has banned all flights to and from Iran. The UAE, home to long-haul carriers Emirates and Etihad, remains a key international transit route for Iran’s 80 million people.
Emirates, the government-owned carrier based in Dubai, flies daily to Tehran. Its low-cost sister airline, FlyDubai, flies to multiple Iranian cities, as does the Sharjah-based low-cost carrier Air Arabia.
The announcement came after Bahrain said it would suspend all flights from Dubai and Sharjah.
Kuwait raised the number of its infected cases to eight, after earlier raising the number to five. It said the three latest cases involved Kuwaiti citizens just back from Iran, without giving more details. The five previously reported cases were passengers returning on a flight from the Iranian city of Mashhad, where Iran’s government has not yet announced a single case of the virus.
Kuwait had halted transport links with Iran over the weekend and said it was evacuating its citizens from Iran.
An Iraqi family of four who returned from a visit to Iran tested positive for the coronavirus, the first Iraqis known to have caught the disease.
The four cases in Kirkuk province brought Iraq’s total to five after it reported its first case on Monday, an Iranian theology student in Najaf. Iraq is deeply concerned about its exposure to the Iranian outbreak, as it has deep cultural and religious ties with its neighbor and typically receives millions of Iranians each year.
The Iraqi government, which has already banned all travel from China and Iran, added Italy, Thailand, South Korea, Singapore and Japan to its travel ban list on Tuesday. Returning Iraqi citizens are exempt, as are diplomats.
Populist Shiite cleric Moqtada Al-Sadr suspended a call for his followers to hold a “million-man” protest, saying he had decided to forbid the events “for your health and life, for they are more important to me than anything else.”
“I had called for million-man protests and sit-ins against sectarian power-sharing and today I forbid you from them for your health and life, for they are more important to me than anything else,” he said in a statement. It was not immediately clear how the government’s call on citizens to avoid public gatherings would affect the strength of anti-government protests, and the response of security forces.
A Turkish Airlines plane flying from Iran was diverted to Ankara on Tuesday at the Turkish Health Ministry’s request and an aviation news website said one passenger was suspected of being infected by coronavirus.
Turkey’s Demiroren news agency broadcast video showing ambulances lined up beside the plane, with several personnel wearing white protective suits on the tarmac.
The plane was flying from Tehran and had been scheduled to land in Istanbul. Turkey shut its borders to Iran on Sunday and cut flights due to the spread of the virus in that country.
Oman’s Khasab port has suspended the import and export of goods to and from Iran from Feb. 26.