GreenCharlie Infrastructure Linked to US Political Campaign Targeting

Introduction

On August 20, 2024, Insikt Group released a comprehensive threat analysis report revealing a significant link between the Iran-backed GreenCharlie group and recent cyber espionage activities targeting US political campaigns. The report details the group's extensive use of malicious network infrastructure. It highlights its connection to the Islamic Revolutionary Guard Corps' Intelligence Organization (IRGC-IO).

Report Overview

GreenCharlie, an advanced persistent threat (APT) group, has been tracked by Recorded Future since 2020. The group's activities have consistently overlapped with known Iranian cyber-espionage entities such as Mint Sandstorm, Charming Kitten, and TA453. The latest findings reveal that GreenCharlie is likely operating under the direct influence of the IRGC-IO, focusing on high-value targets, including government officials, diplomats, and research analysts.

GreenCharlie employs a sophisticated approach to its cyber operations. The group has registered numerous dynamic DNS (DDNS) domains using providers like Dynu, DNSEXIT, and Vitalwerks. These domains have been leveraged for spearphishing campaigns and social engineering attacks, often involving malware such as POWERSTAR, NokNok, and GORBLE. The infrastructure analysis uncovered by Recorded Future's Network Intelligence indicates that GreenCharlie uses multiple top-level domains (TLDs) and hosting providers, with a significant portion of its infrastructure hosted on Scalaxy B.V.

The implications of GreenCharlie's operations are far-reaching. While direct evidence of targeting US government officials is not yet confirmed, the infrastructure linked to GreenCharlie has been associated with campaigns targeting US political figures. The use of ProtonVPN and ProtonMail by the group suggests a high level of operational security, complicating efforts to track and mitigate these threats. The potential consequences include compromised sensitive information and strategic intelligence, which could influence political processes and decision-making.

Insights and Analysis

Insikt Group's findings are based on meticulous tracking of GreenCharlie's infrastructure, a process that instills confidence in the thoroughness of our analysis. This tracking has revealed the group's reliance on encrypted communication channels and obfuscation techniques. The detailed analysis of the GORBLE, POWERSTAR, and TAMECAT malware families underscores the sophistication of these cyber threats.

Organizations, especially those involved in political campaigns or sensitive government operations, are advised to bolster their cybersecurity defences. This includes implementing advanced threat detection systems, a measure that will make you feel secure and prepared, educating staff on spearphishing tactics, and ensuring secure communication channels.

GreenCharlie's ongoing activities represent a significant threat to US political campaigns and high-value targets worldwide. The group's sophisticated use of dynamic DNS domains, encrypted communication, and advanced malware requires vigilant monitoring and robust defensive strategies to mitigate the risks posed by this Iran-backed APT group.

MITRE ATT&CK Table

References

GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware

Explore GreenCharlie’s expanding cyber threat against US political and government entities. Learn how this Iran-nexus group uses advanced phishing techniques and malware like GORBLE and POWERSTAR.

RecordedFuture

https://go.recordedfuture.com/hubfs/reports/cta-ir-2024-0820.pdf