
Iran-linked hackers reportedly targeted activists and US officials

Researchers say a phishing campaign happened just as Trump prepared to reinstate nuclear sanctions.

A screenshot of a phishing website that mimics the look of a Google login page.

Targets of an Iran-linked phishing campaign saw pages like this one that asked for one-time login codes, according to researchers at Certfa.

Certfa Labs

Hackers with ties to the Iranian government targeted officials from other countries involved in implementing sanctions, as well as activists and journalists, with a phishing campaign, according to a report from London-based cybersecurity group Certfa.

The targets included atomic scientists and US Treasury officials, as well as supporters and detractors of the Iran nuclear deal rolled back this year by President Donald Trump, according to the AP, which earlier reported on the research. The campaign, which Certfa said was run by a hacking group nicknamed Charming Kitten, started four weeks before the Trump administration reinstated sanctions against Iran in November, the researchers found.

"In other words, hackers who are supported by the Iranian government pick their targets according to policies and international interests for the Iranian government," Certfa researchers wrote in their report.

The Iranian government didn't respond to a request for comment. The Treasury Department, which carries out foreign sanctions for the US government, declined to comment on this specific report. A spokesman said that the US Department of Homeland Security issued a security alert in November regarding Iranian sanctions that applied to the Treasury Department as well as the rest of the federal government and private industry.

The reported campaign underscores the degree to which government-sponsored hackers still rely on tricking email users into handing over their email usernames and passwords. The alleged phishing campaign aimed to bait targets into handing over their credentials and then went further, asking victims to provide one-time codes, such as texted and app-generated codes, that are used as a second form of authentication.

Physical tokens, such as a YubiKey, help prevent this type of hacking because the device itself has to be present when logging in to important email accounts.
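The two paragraphs above describe why a one-time code offers little protection once a victim is on a look-alike login page, and why a hardware token does. The following Python is an added example, not code from Certfa, Google or CNET: it implements RFC 6238 TOTP and a deliberately simplified relying-party check in the style of FIDO2/WebAuthn, where the browser writes the page origin it is really showing into the signed client data. The origin `https://accounts.example`, the look-alike origin, the secrets and the HMAC-based "signature" are all constructed for the demo; a real security key signs with a per-site asymmetric key and would not even produce an assertion for a different site, so this model is stricter on the attacker than reality.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

# Constructed demo values (not from the article): the legitimate login origin
# that the relying party expects to see inside every signed client data blob.
RP_ORIGIN = "https://accounts.example"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter with dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret: bytes, submitted: str, at: int) -> bool:
    """The server only learns the digits; nothing in this check records which
    site the user typed them into, so a code forwarded inside its validity
    window is indistinguishable from one typed on the real page."""
    return hmac.compare_digest(totp(secret, at), submitted)


def issue_challenge() -> str:
    """Fresh per-login challenge so a captured assertion cannot be reused."""
    return secrets.token_hex(16)


def authenticator_sign(device_key: bytes, browser_origin: str, challenge: str) -> dict:
    """What the browser and token do together: the browser records the origin it
    is actually displaying in clientData, and the token signs a hash of it.
    HMAC stands in for the token's asymmetric signature (demo simplification)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    sig = hmac.new(device_key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": sig}


def verify_assertion(device_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks in order: ceremony type, fresh challenge, origin, signature."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return False
    if client_data.get("origin") != RP_ORIGIN:
        return False  # signed on some other site: reject before even checking the signature
    expected = hmac.new(
        device_key, hashlib.sha256(assertion["clientDataJSON"]).digest(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    """Which second factor still verifies when the user was on a look-alike page."""
    now = int(time.time())
    totp_secret = b"constructed-demo-secret"       # constructed, not a real seed
    device_key = b"constructed-demo-device-key"    # constructed, not a real key
    # TOTP: the digits typed into the look-alike page are exactly the digits the
    # real server expects, so the check passes wherever they were entered.
    code_typed_on_lookalike = totp(totp_secret, now)
    totp_relayed_ok = verify_totp(totp_secret, code_typed_on_lookalike, now)
    # WebAuthn-style: the browser binds the assertion to the origin it is on.
    challenge = issue_challenge()
    legit = authenticator_sign(device_key, RP_ORIGIN, challenge)
    lookalike = authenticator_sign(device_key, "https://accounts-example.sites.example", challenge)
    return {
        "totp_relayed_accepted": totp_relayed_ok,
        "webauthn_legit_accepted": verify_assertion(device_key, legit, challenge),
        "webauthn_lookalike_accepted": verify_assertion(device_key, lookalike, challenge),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the contrast the article draws: the relayed TOTP code is accepted, the assertion signed on the legitimate origin is accepted, and the one produced on the look-alike origin is rejected on the origin check alone. The practical lesson for defenders is that any second factor the user can read and retype has no way to carry the origin with it, which is exactly the gap a phishing page that asks for "your code" exploits.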

To add a look of legitimacy to their campaign, the hackers in some cases directed victims to open websites hosted on Google Sites pages before entering their usernames and passwords, Certfa said. The researchers said they notified Google of the pattern, and Google deactivated the hackers' pages hosted on the company's service. Google declined to comment for this story.

The AP reached out to targets identified in Certfa's research and learned many of them had recently received phishing messages.

It isn't clear how many victims fell for the phishing scheme, and it appears the hackers were discovered because they made a basic error. According to the AP, they left a database of information unsecured on the internet, allowing researchers to find it and extract details of their phishing campaign.

First published Dec. 13, 4:20 p.m. PT.
Update, Dec. 14, 11:12 a.m.: Adds response from US Treasury Department and Google.