Iranian Hackers Tried to Impersonate Israeli Cyber-security Company

Last month, the Israeli cybersecurity firm ClearSky discovered an Iranian hacker group called Charming Kitten running an operation it called Ayatollah BBC

Oded Yaron
National flags of Israel hang on the wall as employees work behind computer screens at the Jerusalem Venture Partners JVP Media Labs, situated in the JVP Media Quarter in Jerusalem, Israel, on Wednesday, Oct. 21, 2015. Credit: Rina Castelnuovo/Bloomberg

The Israeli cybersecurity firm ClearSky has exposed several cases in which Iranian hackers impersonated legitimate websites. In February, for instance, it revealed an operation it called Ayatollah BBC – a series of Iranian-run websites impersonating foreign or even Iranian media outlets.

But earlier this month, it reported that it, too, has joined the list of victims of these Iranian “copy and paste” operations.

Last month, the company discovered that a hacker group called Charming Kitten, which had perpetrated previous attacks, was still operating. The group is connected to the Iranian government and is deemed an “advanced persistent threat,” meaning it comprises sophisticated hackers.

It has occasionally hit the headlines, once when one of its members was involved in breaking into the HBO television network and stealing videos and other files, including scripts for the hit series “Game of Thrones.”

The group often uses “watering hole” attacks, which utilize either legitimate sites or seemingly innocent but malicious sites to infect users with malware that the hackers can then use to spy on them. For instance, ClearSky researchers discovered the group had created a website which impersonated the German paper Deutsche Welle’s site.

The hackers also managed to insert a malicious page into the website of a Los Angeles Jewish community paper, the Jewish Journal. The page invited users to a webinar and included a link that activated a program called BeEF, which stands for Browser Exploitation Framework. BeEF was originally created for security researchers who look for security breaches, particularly in browsers, in order to improve their defenses. But it has proven a double-edged sword that attackers can use for less benign ends.

ClearSky’s most entertaining discovery so far, however, relates directly to the company. As the website Bleeping Computer reported last week, the Charming Kitten group impersonated ClearSky itself by creating a website almost identical to that of the Israeli firm, with a slightly different address; the imposter site ended in “.net” rather than “.com.”

ClearSky researchers found some broken links in the fake site, leading them to think it is still under development.

The obvious question is what the Iranian hackers hoped to achieve with this impersonation. The answer lies in one very significant difference between the two sites: Unlike the original site, the Iranian version allows users to register. This would enable the hackers to steal information from ClearSky’s customers, who would think they were merely registering to receive site updates. The moment a user clicked on the registration link, the hackers would be able to steal his or her personal information, including passwords for service providers.
