Proofpoint Studies Threat Actor's Multi-Persona Impersonation Technique
Industries: Medical, Nuclear | Level: Strategic | Source: Proofpoint
Proofpoint researchers identified a new social media impersonation technique, which the security firm dubbed Multi-Persona Impersonation (MPI), in which threat actors take on at least two personas in a single email thread to make the email appear more legitimate and lure victims. The threat group APT35 (aka Charming Kitten, TA453, or Phosphorus) has used this technique, starting as early as June 2022. Proofpoint's tracking of APT35 campaigns describes the typical campaign layout as follows: "the threat actor masquerades as an individual, such as a journalist or policy adjacent individual, working to collaborate with the intended target. Historically, TA453 has targeted academics, policymakers, diplomats, journalists, and human rights workers. Benign conversations eventually leading to credential harvesting links are hallmarks of TA453 activity. Proofpoint observed limited instances of TA453 deploying malware."

Emails distributed by APT35 attempt to masquerade as well-known or established individuals and use relevant geopolitical news to set up a strong pretext that entices victims. In the samples Proofpoint observed, the targeted victims were associated with Middle Eastern affairs, specifically in medical and nuclear research. The latest MPI campaigns are mainly focused on intelligence collection.