Iranian hackers take aim at foreign nuclear experts and US officials

Government-backed Iranian hackers scrambled to break into the personal emails of US Treasury officials after harsh economic sanctions were reimposed on Tehran last month, a cybersecurity group said.

The hacking group, nicknamed Charming Kitten, also took aim at foreign nuclear experts in data tracked by Certfa analysts in the UK.

In another sign of how deeply cyber espionage is woven into the fabric of US-Iranian relations, nuclear deal defenders and detractors, Arab atomic scientists, Iranian civil society figures and Washington think-tank employees were on the hackers' hit list.

US President Donald Trump placed sanctions on Iran's energy, shipping, shipbuilding and financial sectors on November 4.

"Presumably, some of this is about figuring out what is going on with sanctions," Frederick Kagan, a scholar at the American Enterprise Institute, said.

Mr Kagan, who has written about Iranian cyber espionage and was among those targeted, said he was alarmed.

_______________

Iran sanctions

Explainer: What reinstatement of US sanctions on Iran mean

Russia and Iran angered by new US sanctions targeting Iranian oil exports to Syria

US turns the screws on Iran as full sanctions take effect

_______________

The hit list surfaced after Charming Kitten mistakenly left one of its servers open to the internet last month. Researchers at Certfa found the server and extracted a list of 77 Gmail and Yahoo addresses targeted by the hackers.

It is hard to know how many of the accounts were successfully compromised or how exactly they were targeted in each case. But even though the addresses likely represent just a fraction of the hackers' overall efforts, they still provide insight into Tehran's espionage priorities.

"The targets are very specific," Certfa researcher Nariman Gharib said.

In a report published on Thursday, Certfa tied the hackers to the Iranian government, a judgment drawn in part on operational blunders, including a couple of cases where the hackers appeared to have accidentally revealed that they were operating from computers inside Iran. The assessment was backed by others who tracked Charming Kitten.

Certfa researchers Nariman Gharib, right, and Amin Sabeti. AP Photo

Allison Wikoff, an online security researcher, recognised some of the digital infrastructure in Certfa's report and said the hackers' past operations left little doubt they were state-backed.

"It's fairly clear-cut," she said.

Mr Kagan said most signs pointed to a serious, government-backed operation.

"It doesn't look like freelancers," he said.

Iran previously denied responsibility for hacking operations, but an Associated Press analysis of its targets suggests that Charming Kitten is working in close alignment with Tehran's interests.

The most striking among them were the nuclear officials – a scientist working on a civilian nuclear project for Pakistan's defence ministry, a senior operator at the Research and Training Reactor in the Jordanian city of Ramtha and a high-ranking researcher at the Atomic Energy Commission of Syria.

Others on the hit list – such as Guy Roberts, the US Assistant Secretary of Defence for Nuclear, Chemical, and Biological Defence Programmes – pointed to the hackers' eagerness to keep track of officials charged with overseeing America's nuclear arsenal.

"This is something I've been worried about," Mr Roberts said when alerted to his presence on the list.

More targets are connected to the Iran deal – a 2015 pact negotiated by former US President Barack Obama's administration and other world powers that called for Tehran to curb its uranium-enrichment programme in exchange for the lifting of international sanctions.

Mr Trump tore up the deal in May despite the objections of most of America's allies and has since reimposed a series of punishing restrictions on Iran.

One of Charming Kitten's targets was Andrew J Grotto, whose tenure on the US National Security Council straddled the Obama and Trump administrations and who has written about Iran's nuclear ambitions.

Jarrett Blanc, a US State Department official involved in the implementation of the nuclear deal under Mr Obama, was also on the list. He said news of his targeting was no shock.

"I've retained contact with Iranian counterparts since leaving government," he said. "I'd be very surprised if there were not Iranian groups trying to hack into my various email accounts."

Like the Russian hackers who have chased after America's drone, space and submarine secrets, the list indicates that Iranian spies were also interested in the world of US defence companies.

Cerfta said Iranian hackers set up fake alerts to get the victim to re-verify passwords and log-in details. AP Photo

One of those targeted is a senior director of "breakthrough technology" at the aerospace arm of Honeywell International, the New Jersey-based industrial conglomerate. Another is a vice president at Virginia-based Science Applications International, a prominent Pentagon contractor.

Honeywell said it was aware that one of its employees had their personal account "exposed," adding there was no evidence the company's network itself was compromised. Science Applications International said it found no trace of any hacking attempt.

There were Iranian targets too, including media workers, an agronomist and a senior employee of the country's Department of Environment – a possible sign that Tehran's crackdown on environmentalists, which began earlier this year, continues.

Hacking has long been a feature of the tense relationship between the US and Iran.

It was against Iran that American and Israeli spies are said to have used the pioneering, centrifuge-rattling computer worm called Stuxnet in a bid to sabotage the country's uranium enrichment capabilities. Iranian hackers in turn are blamed for denial of service assaults on American banks and computer-wrecking cyberattacks in Saudi Arabia.

The Charming Kitten campaign uncovered by Certfa is far less sophisticated, generally relying on phishing – trying to obtain users' passwords and ID details.

An analysis of Certfa's data shows the group targeted at least 13 US Treasury employees' personal emails, including one belonging to a director at the Financial Crimes Enforcement Network, which fights money laundering and terror financing, and one used by the Iran licensing chief at the Office of Foreign Asset Control, which is in charge of enforcing US sanctions. But a few employees' LinkedIn profiles referenced back office jobs or routine tax work.

The US Treasury, which did not comment directly on the hacking, said it went to "great lengths" to protect its employees.

This mixed bag of government targets suggests "a fairly scattershot attempt," said Clay Stevenson, a former Treasury official who was himself targeted by Charming Kitten.

Others' experience suggests a more professional effort.

Georgetown University professor and South Asia security expert Christine Fair said she had just recently returned from a conference in Afghanistan attended by Iranian officials and a visit to the Iranian border when she learnt she was in the hackers' sights.

"The timing is uncanny," she said.

Another Charming Kitten target was an intern working for the Foundation for Defence of Democracies, a Washington think tank that has been one of the Iran deal's fiercest critics. How the intern – whose email isn't public and whose name appears nowhere on the organisation's website – crossed the hackers' radar is not clear.

UAE currency: the story behind the money in your pockets

Mercer, the investment consulting arm of US services company Marsh & McLennan, expects its wealth division to at least double its assets under management (AUM) in the Middle East as wealth in the region continues to grow despite economic headwinds, a company official said.

Mercer Wealth, which globally has $160 billion in AUM, plans to boost its AUM in the region to $2-$3bn in the next 2-3 years from the present $1bn, said Yasir AbuShaban, a Dubai-based principal with Mercer Wealth.

“Within the next two to three years, we are looking at reaching $2 to $3 billion as a conservative estimate and we do see an opportunity to do so,” said Mr AbuShaban.

Mercer does not directly make investments, but allocates clients’ money they have discretion to, to professional asset managers. They also provide advice to clients.

“We have buying power. We can negotiate on their (client’s) behalf with asset managers to provide them lower fees than they otherwise would have to get on their own,” he added.

Mercer Wealth’s clients include sovereign wealth funds, family offices, and insurance companies among others.

From its office in Dubai, Mercer also looks after Africa, India and Turkey, where they also see opportunity for growth.

Wealth creation in Middle East and Africa (MEA) grew 8.5 per cent to $8.1 trillion last year from $7.5tn in 2015, higher than last year’s global average of 6 per cent and the second-highest growth in a region after Asia-Pacific which grew 9.9 per cent, according to consultancy Boston Consulting Group (BCG). In the region, where wealth grew just 1.9 per cent in 2015 compared with 2014, a pickup in oil prices has helped in wealth generation.

BCG is forecasting MEA wealth will rise to $12tn by 2021, growing at an annual average of 8 per cent.

Drivers of wealth generation in the region will be split evenly between new wealth creation and growth of performance of existing assets, according to BCG.

Another general trend in the region is clients’ looking for a comprehensive approach to investing, according to Mr AbuShaban.

“Institutional investors or some of the families are seeing a slowdown in the available capital they have to invest and in that sense they are looking at optimizing the way they manage their portfolios and making sure they are not investing haphazardly and different parts of their investment are working together,” said Mr AbuShaban.

Some clients also have a higher appetite for risk, given the low interest-rate environment that does not provide enough yield for some institutional investors. These clients are keen to invest in illiquid assets, such as private equity and infrastructure.

“What we have seen is a desire for higher returns in what has been a low-return environment specifically in various fixed income or bonds,” he said.

“In this environment, we have seen a de facto increase in the risk that clients are taking in things like illiquid investments, private equity investments, infrastructure and private debt, those kind of investments were higher illiquidity results in incrementally higher returns.”

The Abu Dhabi Investment Authority, one of the largest sovereign wealth funds, said in its 2016 report that has gradually increased its exposure in direct private equity and private credit transactions, mainly in Asian markets and especially in China and India. The authority’s private equity department focused on structured equities owing to “their defensive characteristics.”