ClearSky Cyber Security researchers believe that alleged HBO hacker Behzad Mesri may have affiliations with the Iranian APT group Charming Kitten.
ClearSky Cyber Security researchers believe that alleged HBO hacker Behzad Mesri may have affiliations with the Iranian APT group Charming Kitten.

Researchers with ClearSky Cyber Security believe with medium-level confidence that they have linked three individuals to the Iranian advanced persistent threat group Charming Kitten, including the man accused of hacking and extorting HBO.

In a newly released report, the Israel-based cybersecurity firm details intelligence it has gathered on the allegedly state-sponsored APT group, which targets academic scholars, human rights activists, media members, and dissidents who are of interest to Iran – often with the intent of gaining unauthorized access to their personal email and Facebook accounts.

According to ClearSky, one key individual with ties to Charming Kitten is Iranian national Behzad Mesri, aka Skote Vahshat, who was indicted in the U.S. last month for allegedly hacking into HBO's systems, stealing episodes of network shows, demanding millions in ransom, and leaking the content on the internet.

"This is not to say that the HBO hack was ordered by the Iranian government," cautions the report, which credits security researcher Collin Anderson of the website "Iran Threats" for originally suggesting that Mesri might have affiliations with Charming Kitten.

Mesri, who has previously worked for the Iranian government, was once a member of the Turk Black Hat hacker group – as was a 29-year-old Iranian known as ArYaIeIrAN. One website defaced by Turk Black Hat even credits both Mesri and ArYaIeIrAN for the attack, suggesting the two knew each other, ClearSky explains.

ClearSky found that ArYaIeIrAN's email address appears in the SOA (Start of Authority) record of multiple domains used by Charming Kittens, all of which used persiandns[.]net as their NS (name server). ArYaIeIrAN “registered persiandns[.]net, potentially indicating that he is the administrator of the services and an employee in the company,” ClearSky reports.

Furthermore, the researchers found that persiandns redirects to mahanserver[.]ir, which is run by CEO Mohammad Rasoul Akbari, aka ra3ou1, who is a Facebook friend of Mesri.

Consequently, ClearSky has assessed that Mesri, ArYalelrAN, and Mohammad Rasoul Akbari are directly involved with Charming Kitten's operations and, along with others, may constitute the threat group.

The report also details a previously undisclosed backdoor/downloader trojan called DownPaper that Charming Kitten uses to conduct cyber espionage operations against a variety of international targets. The main purpose of the backdoor, often delivered as sami.exe, is to download and execute a second-stage payload.

Additionally, ClearSky described a campaign in which Charming Kitten actors created a fake British news agency along with corresponding phony websites in order to infect specifically whitelisted visitors with a web browser-based penetration testing tool.