The head of the European Parliament’s delegation working on relations with Iran has revealed she was the victim of cyber-hacking orchestrated by Tehran.
Hannah Neumann, a member of Germany’s Green party, was the focus of a campaign starting in January, in which hackers, including one impersonating an expert on Hezbollah, sent emails, messaged and called her staff.
Ms Neumann was attacked by APT42, a hacking group associated with Iran's Islamic Revolutionary Guard Corps (IRGC), which eventually managed to infect an office laptop with malicious software. The group is believed to be part of another group, APT35, which is also known as Charming Kitten.
The hackers pretended to be Matthew Levitt, a former FBI and US government official who is an expert on Hezbollah and previously had several exchanges with Ms Neumann.
They emailed to asked her to speak at a conference organised by the Washington Institute for Near East Policy and the message contained a link to download an alleged “highly confidential and thus encrypted” note.
Ms Neumann told The National she has experienced "online harassment" and "threats against me and my team" but said: "The cyberattack by the state-sponsored hacker group Charming Kitten marks a new escalation.
"The tactic behind the attempted cyberattack was very sophisticated and hostile. They must have prepared for several months before starting it and then used various ways over several more months, including putting personal pressure on team members, to make someone eventually click on something."
The MEP regularly deals with Iranian trade unions, civil society organisations, human rights lawyers and activists fighting for democracy in the country. Having criticised the Iranian regime for years, she said: "I am aware that I am in the crosshairs of the regime".
"A successful attack on my devices would have given the regime insights into my whereabouts and contacts to political opponents of the regime which they could have used as blackmail. But first and foremost, this attempt – successful or not – is an attempt to intimidate and silence me."
Ms Neumann said that for many years here have been reports of Iran using cyberattacks to spy on dissidents, exiled Iranians and political opponents abroad.
"The goal of such attacks is to intimidate and silence critics. They can’t speak out because it would endanger their relatives in Iran. I can speak up – and I will."
Ms Neumann was made aware of the hack by Germany’s domestic intelligence service four weeks ago. The European Parliament’s IT services carried out an investigation but found that no sensitive information was stolen.
Another Iranian hacking group, called APT35 or Charming Kitten, closely related to APT42, was initially thought to be part of the scam.
The groups were behind the operation that stole internal communications from US President Donald Trump's election campaign last year. The documents released included a included a dossier on JD Vance, then a US senator and later Mr Trump’s vice presidential pick.
The Iranians also tried to hack the Democratic presidential campaign by going after the WhatsApp accounts of staff from the administration of former president Joe Biden.
Google’s Mandiant threat intelligence service describes APT42 as an Iranian state-sponsored cyber espionage actor, which uses enhanced social engineering schemes to gain access to its victims’ networks, including in the cloud.
Social engineering involves manipulation and deception to obtain information. APT42 hackers have posed as researchers, journalists and event organisers to build trust with their victims.
The hackers go after western and Middle Eastern NGOs, media organisations, academia, legal services and activists on behalf of the IRGC. In 2023, an APT42 hacker pretended to be a to be a senior fellow with the Royal United Services Institute think tank in an attempt to spread malware to a nuclear security expert.
European Parliament spokeswoman Delphine Colard said due to the “sensitive nature of the activity” it would not provide further comment on security or cybersecurity matters.
She said the parliament “constantly monitors cyber security threats as well as potential cyber attacks against its working environment and quickly deploys the necessary measures to prevent them or support the users”.
