Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week
Fresh research demonstrates the sophistication and capability of state-sponsored threat actors to compromise diverse targets
New research has shown the flexibility of threat actors to rapidly iterate attack patterns in order to bypass security controls.
An investigation from security firm Proofpoint into a recent attack targeting a nuclear security expert at a US-based think tank revealed how well-resourced attackers change tactics on the fly to compromise different machines.
After realising that their initial payload would not run on a Mac, the attackers pivoted within a week to techniques known to work against targets using Apple hardware.
The sophisticated operation saw skilled threat actors devise a seemingly benign e-mail chain with the high-profile target and continue the conversation over the course of weeks to build trust and rapport, exploiting that to launch further attacks.
How the attack unfolded
The mid-May 2023 attack was attributed to TA453, an Iranian state-affiliated threat actor also tracked as Charming Kitten, APT42, Mint Sandstorm and Yellow Garuda. In this campaign the group posed as members of the Royal United Services Institute (RUSI).
Using a multi-persona approach, the attackers – known for conducting espionage operations – started an e-mail chain with the target seemingly seeking feedback on a project titled ‘Iran in the Global Security Context’.
The attackers sent multiple messages from different accounts, each referencing the others, to create an impression of authenticity – a multi-persona technique the group has used in earlier e-mail campaigns.
After a single seemingly benign interaction, a…