In a sophisticated cyber-espionage campaign, the Iranian state-sponsored hacker group known as APT42 has been impersonating reputable news outlets and think tanks to target journalists, researchers, and activists in Western countries and the Middle East.
The APT42
According to researchers at Mandiant, APT42’s primary goal is espionage, and they have been actively using social engineering techniques to gain access to victims’ networks.
An advanced persistent threat (APT) is a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period.
APT attacks are initiated to steal highly sensitive data rather than cause damage to the target organization’s network.
The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders.
APT42 uses highly targeted spear-phishing campaigns to gain access to personal or corporate email accounts. They build trust with their victims before attempting to steal credentials. A subset of APT42’s infrastructure serves as command-and-control (C2) servers for Android mobile malware. This malware tracks locations, monitors communications, and surveils individuals of interest to the Iranian government. While credential harvesting is their primary focus, APT42 also uses custom backdoors and lightweight tools for broader objectives beyond credential theft
Since 2021, APT42 has been masquerading as well-known news outlets such as The Washington Post, The Economist, and The Jerusalem Post in an ongoing campaign to harvest login credentials.
The hackers have been using typosquatting, acquiring web domains that closely resemble legitimate ones but contain slight errors or alterations. For instance, they have created fake website links such as “washinqtonpost[.]press” — where the “q” in the name is the deceptive element.
In a recent report released by Mandiant, a subsidiary of Google, it was revealed that APT42 has been targeting individuals by sending them fake links that redirect them to counterfeit Google login pages. Once individuals click on these links, their login credentials are harvested by the hackers.
Furthermore, APT42 has also impersonated U.S. research organizations, including the Aspen Institute and the Washington Institute, though there have been no reported compromises of these organizations. The group has been using social engineering tactics to gain the trust of their victims, often posing as journalists or event organizers to deliver malicious invitations to conferences or legitimate-looking documents.
One notable instance occurred in 2023 when APT42 posed as a senior fellow with the U.K. think tank, the Royal United Services Institute (RUSI), while attempting to spread malware to a nuclear security expert at a U.S.-based think tank focused on foreign affairs.
Methods Deployed by APT 42
The methods deployed by APT42 are highly sophisticated, leaving a minimal footprint that makes the detection and mitigation of their activities challenging for network defenders, according to Mandiant.
The group has also been observed exfiltrating documents and sensitive information from victims’ public cloud infrastructure, including the Microsoft 365 environment.
You May Also Like
- APT31 Charged for Cyberattack on Finland Parliament
- China’s Changing Tactics in Cyber Espionage: A Focus on Zero Day Exploit
- Doxxing: The Urgent Need for Awareness and Action
Between 2022 and 2023, APT42 targeted U.S. and U.K. legal services companies and nonprofits, highlighting the group’s broad range of targets.
Co-ordinated Efforts by Iranian Groups
Researchers have noted that APT42 overlaps with other Iran-linked operations labeled TA453, Charming Kitten, and Mint Sandstorm, indicating a coordinated effort by Iranian state-sponsored hackers to conduct cyber-espionage activities on a global scale.
Charming Kitten, also called APT35 (by Mandiant, Phosphorus or Mint Sandstorm by Microsoft, Ajax Security (by FireEye),and NewsBeef (by Kaspersky), is an Iranian government cyber warfare group, described by several companies and government officials as an advanced persistent threat.
As these threats continue to evolve, cybersecurity experts emphasize the importance of vigilance and robust cybersecurity measures to defend against such sophisticated attacks.
