"Iranian Cyberspy Group Launching Ransomware Attacks Against US"

Researchers at Secureworks Counter Threat Unit (CTU) have found that over the past several months, the Iran-linked cyberespionage group Charming Kitten has been engaging in financially motivated activities. Charming Kitten is also referred to as APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453. The advanced persistent threat (APT) actor is known for targeting activists, government organizations, journalists, and various other entities. Secureworks, which tracks the cyberespionage group as Cobalt Mirage, reported that the group appears to have turned to financially motivated attacks, including the deployment of ransomware. The researchers note that, in January 2022, the cyberespionage group used previously obtained access to infiltrate the network of a philanthropic organization in the US, where it deployed a web shell that was later used to drop additional files. The researchers stated that after enumerating the environment, the threat actor moved laterally and then "encrypted three user workstations with BitLocker, rendering them inaccessible to the compromised organization's staff." In March 2022, the group was observed compromising the network of a local US government, but no ransomware was deployed. Instead, the group focused on harvesting data and exfiltrating it using free online services. The security researchers assess that, while the group has managed to compromise a large number of targets worldwide, "their ability to capitalize on that access for financial gain or intelligence collection appears limited." However, the researchers concluded that the use of publicly available tools for ransomware operations shows that the group remains an ongoing threat.

 

SecurityWeek reports: "Iranian Cyberspy Group Launching Ransomware Attacks Against US"
