Iran-linked APT42 is behind more than 30 espionage attacks

Iran-linked APT42 (formerly UNC788) is suspected of being behind more than 30 cyber espionage attacks against activists and dissidents.

Experts blame Iran-linked APT42 (formerly UNC788) for more than 30 cyber espionage attacks against activists and dissidents.

These campaigns have been ongoing since 2015 and are aimed at information-gathering and surveillance operations against individuals and organizations of strategic importance to Tehran. Mandiant researchers noted that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO).

APT42’s TTPs overlap with those of another Iran-linked APT group known as APT35 (aka “Charming Kitten,” “Phosphorus,” Newscaster, and Ajax Security Team), which made headlines in 2014 when iSight’s experts released a report describing the most detailed cyber espionage campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actor since at least 2013, but experts believe the cyberespionage group has been active since at least 2011.

The APT team previously targeted medical research organizations in the US and Israel in late 2020, and academics from the US, France and the Middle East in 2019.

They have also previously targeted human rights activists, the media sector, and interfered in the US presidential election.

APT42 focuses on highly targeted spear phishing and social engineering techniques, and its operations fall broadly into three categories: credential harvesting, surveillance operations, and malware deployment.

“Mandiant has observed more than 30 confirmed APT42 operations against these categories since early 2015. Based on the organization’s high operational cadence, the total number of APT42 intrusion operations is almost certainly much higher, and the visibility gap is partly due to the group’s efforts to target individual email accounts and its domestic focus, and to extensive open-source industry reporting on threat clusters that may be associated with APT42,” reads the report published by Mandiant.

APT42 activities vary according to the evolution of the Iranian government’s priorities and interests, including the activities of domestic and foreign opposition groups in the run-up to Iran’s presidential election. The Mandiant researchers emphasized that APT42 responded quickly to geopolitical changes by adjusting its operations.

“In May 2017, APT42 targeted senior leaders of Iranian opposition groups operating in Europe and North America with spear-phishing emails imitating legitimate Google communications,” reads the report published by Mandiant. “The emails contained links to fake Google Books pages that redirected to login pages designed to steal credentials and two-factor authentication codes.”

The surveillance operations conducted by the APT group involved the distribution of Android malware such as VINETHORN and PINEFLOWER. The attack chain starts with a text message sent to the victim, and the malicious code allows the operators to spy on the recipient by recording audio and phone calls, collecting multimedia content and text messages, and tracking geolocation.

In September 2021, Iran-linked groups compromised a European government email account and used it to send phishing emails to nearly 150 email addresses of individuals or entities employed by or affiliated with civil society, government, or intergovernmental organizations around the world. The decoy emails embedded Google Drive links to malicious macro documents that led to TAMECAT, a PowerShell toehold backdoor.
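A defender-side triage sketch for the two lure patterns described above (a Google-themed link that redirects to a page asking for credentials and a second-factor code, and a macro-enabled document lure), added here as an example; it is not code from the article or from Mandiant, and the redirect map, hostnames, and messages are constructed stand-ins rather than indicators from the report.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
MACRO_EXT = (".docm", ".xlsm", ".pptm", ".dotm")  # macro-enabled Office formats
# Constructed stand-in for an HTTP client: url -> (redirect target or None, page body).
# The hostnames are placeholders, not indicators from the report.
FAKE_WEB = {
    "https://books-google.example/view?id=1": ("https://login-secure.example/signin", ""),
    "https://login-secure.example/signin": (None, '<form><input type="password"><input name="otp"></form>'),
    "https://drive.google.com/file/d/abc/view": (None, "<html>shared file</html>"),
}

def fake_fetch(url):
    return FAKE_WEB.get(url, (None, ""))

def is_google_host(host):
    return host == "google.com" or host.endswith(".google.com")

def follow(url, fetch, max_hops=5):
    # Walk the redirect chain so the check applies to where the link actually lands.
    for hops in range(max_hops):
        location, body = fetch(url)
        if not location:
            return url, body, hops
        url = location
    return url, "", max_hops

@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def triage(msg, fetch=fake_fetch):
    """Return the indicators a message trips, in the order found."""
    findings = []
    mentions_google = "google" in (msg.subject + " " + msg.body).lower()
    for url in URL_RE.findall(msg.body):
        final_url, page, _ = follow(url, fetch)
        host = (urlparse(final_url).hostname or "").lower()
        if mentions_google and not is_google_host(host):
            findings.append(f"google-themed lure lands on non-Google host {host}")
        if 'type="password"' in page and not is_google_host(host):
            findings.append(f"credential form served by {host}")
        if re.search(r'name="(otp|code|2fa|verification)"', page):
            findings.append(f"second-factor code prompt at {host}")
    for name in msg.attachments:
        if name.lower().endswith(MACRO_EXT):
            findings.append(f"macro-enabled attachment {name}")
    return findings
```

The second-factor check is the one that matters for the 2017 campaign: a login page that also asks for a one-time code is a real-time relay, so a plain SMS or app code offers no protection there, whereas a FIDO2/WebAuthn key bound to the genuine origin does.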

“As Iran’s priorities evolve over time with domestic and geopolitical conditions, the group has demonstrated its ability to rapidly change the focus of its operations. We assess with high confidence that APT42 will continue to evolve in accordance with Iran’s operational intelligence collection requirements, conducting cyber espionage and surveillance operations,” the researchers concluded.


Pierluigi Paganini

(security affairs Hacking, APT42)
