Germany's Federal Office for the Protection of the Constitution (BfV) on Thursday warned critics of the Iranian leadership living in Germany that they might be targeted by hackers.

The agency said the Charming Kitten online espionage group works by building trust with victims to the extent that they expose data on themselves, and any online contacts in Iran.

How do the hackers operate?

The BfV explained the group has been using a multi-step process to identify and spy on critics of the Iranian regime.

It employs so-called spear phishing tactics, acquiring sensitive information by sending counterfeit messages that appear to be legitimate.

The aim was to gain access to online services such as email accounts, cloud storage or messenger services used by the potential victim.

In a first step, the attacker explores the preferences and interests of their prey, including interests of a political nature.

They then establish personal contact and seek to lull their target into a false sense of security by giving the impression of being harmless.

Next, the victim is invited to an online video chat, in which they must enter login details to a link sent by the hacker. The attacker can subsequently access this information to potentially gain access to online accounts.

Who is being targeted?

The cyberattacks were mainly directed at dissident organizations and professionals — such as legal practitioners, journalists, or human rights activists — in Iran and abroad.

Charming Kitten pretends that victims are communicating with real people, some of whom are publicly known, such as journalists or NGO employees.

The BfV warns potential targets that the contents of some accounts could potentially cause problems for contacts in Iran itself.

The agency recommends treating communications with non-established contacts or, unusual requests from established contacts, with healthy skepticism. It suggests checking individuals' identities by making phone calls and checking email addresses, and not opening suspicious links.

In mid-August 2020, people using fake Deutsche Welle identities contacted the staff of a foreign embassy and a leading expert by email. At the time, internet security service Clearsky said Charming Kitten was behind this.

rc/sms (dpa, Reuters)

While you're here: Every Tuesday, DW editors round up what is happening in German politics and society. You can sign up here for the weekly email newsletter Berlin Briefing.