Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week


Protect Your Access to the Internet

Iranian Flag

Fresh research demonstrates the sophistication and capability of state-sponsored threat actors to compromise diverse targets


Image: Getty via Future

New research has shown the flexibility of threat actors to rapidly iterate attack patterns in order to bypass security controls.

An investigation from security firm Proofpoint into a recent attack targeting a nuclear security expert at a US-based think tank revealed how well-resourced attackers change tactics on the fly to compromise different machines.

After realising their initial payload wouldn’t work on a Mac, they quickly pivoted to new techniques known to work on targets who used Apple hardware.



The sophisticated operation saw skilled threat actors devise a seemingly benign e-mail chain with the high-profile target and continue the conversation over the course of weeks to build trust and rapport, exploiting that to launch further attacks.

How the attack unfolded

The mid-May 2023 attack came from TA453, an Iranian state-affiliated threat actor, also tracked under the monikers: Charming Kitten; APT42; Mint Sandstorm; and Yellow Garuda, and saw them posing as members of the Royal United Services Institute (RUSI).

Using a multi-persona approach, the attackers – known for conducting espionage operations – started an e-mail chain with the target seemingly seeking feedback on a project titled ‘Iran in the Global Security Context’.

The attackers sent multiple messages from different accounts, all referencing each other to generate a feeling of authenticity – a technique seen before in e-mail hijacking campaigns.

After a single seemingly benign interaction, a…