The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker

The presentation discusses the operational security errors of an Iranian state-sponsored threat group, ITG18, also known as Charming Kitten, and how these mistakes reveal intimate details of their entire operation.

• ITG18 targeted pivotal individuals, including US politicians, nuclear scientists, journalists, and people involved in COVID vaccine development
• The group recorded victims' private chats, emails, and photos
• The presentation reveals how an ITG18 operator set up their machine and various personas to run adversarial operations and manage stolen data
• The presentation goes over TTPs of an ITG18 campaign and exposes suspected initial access vectors
• ITG18's new Android malware, LittleLooter, is discussed for the first time
• Two ITG18 training videos are shown, covering how ITG18 configures compromised personal email accounts of their victims to maintain access to their accounts without being detected, how ITG18 exfils information from their victims, and how they expand on the compromises with the stolen data
• The presentation ends with thoughts about ITG18's future operations and how organizations and individuals can better defend themselves against this group

The presentation highlights how ITG18's poor security controls led to one of their servers getting ransomware, emphasizing that even nation-state operators are prone to making errors and mistakes

When our intel team talks about human error, we usually focus on the victim of a security incident. But in the investigation we ran in the past year, we flipped the script to highlight how the continued operational security errors of a prolific, state-sponsored threat group reveal intimate details of their entire operation.Through very simple but persistent mistakes made by the adversary, likely based in Iran, we continued to learn the innermost details of the operations of a group we track as ITG18, better known as "Charming Kitten". This group targeted pivotal individuals, including US politicians, nuclear scientists, journalists, and people involved in COVID vaccine development, recording the victims' most private chats, emails, and even photos. In our talk, we will reveal how an ITG18 operator set up their machine and various personas, hence 9 lives, to run adversarial operations and manage stolen data. We will go over TTPs of an ITG18 campaign and expose suspected initial access vectors for the audience to better understand how ITG18 compromises targets. Additionally, we will highlight ITG18's new Android malware that they use to infect victims they follow on a daily basis. We named this code "LittleLooter" which we will discuss at the conference for the first time.To get a better sense of ITG18 operational cadence, we will show two of the ITG18 training videos discovered during our research. These specifically cover how ITG18 configures the compromised personal email accounts of their victims to maintain access to their accounts without being detected, how ITG18 exfils information from their victims and how they expand on the compromises with the stolen data. We will close this talk with some thoughts about ITG18's future operations, including how they respond to public disclosure and how organizations and individuals can better defend themselves against this group.