Iran-linked APT42 is behind more than 30 spy attacks

Iran-linked APT42 (formerly UNC788) is believed to be behind more than 30 cyber espionage attacks against activists and dissidents.

Experts attribute more than 30 cyber espionage attacks against activists and dissidents to Iran-linked APT42 (formerly UNC788).

The campaigns have been running since 2015 and aim to carry out information-gathering and surveillance operations against individuals and organizations of strategic interest to Tehran. Mandiant researchers pointed out that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO).

APT42’s TTPs overlap with another Iran-linked APT group tracked as APT35 (aka “Charming Kitten”, “Phosphorus”, Newscaster and Ajax Security Team) which made headlines in 2014 when the iSight experts have published a report describing the most elaborate Internet espionage campaign organized by Iranian hackers using social media.

Microsoft has been tracking threat actors since at least 2013, but experts believe the cyber espionage group has been active since at least 2011.

The APT group previously targeted medical research organizations in the United States and Israel in late 2020, and to target academics in the United States, France and the Middle East region in 2019.

They also have previously targeted human rights activists, the media industry and interfered in the US presidential elections.

APT42 focuses on highly targeted spear phishing and social engineering techniques. Its operations broadly fall into three categories, credential harvesting, surveillance operations, and malware deployment.

“Mandiant has observed over 30 confirmed targeted APT42 operations spanning these categories since early 2015. The total number of APT42 intrusion operations is almost certainly much higher due to the group’s high operational tempo, visibility gaps caused in part through the group’s targeting of personal email accounts. and country-focused efforts, and numerous open-source industry reports of threat clusters likely associated with APT42. read it report edited by Mandiant.

APT42’s activity varies with changing Iranian government priorities and interests, including campaigns pursuing domestic and foreign opposition groups ahead of an Iranian presidential election. Mandiant researchers point out that APT42 reacts quickly to geopolitical changes by adjusting its operations.

“In May 2017, APT42 targeted the senior leadership of an Iranian opposition group operating from Europe and North America with spear phishing emails mimicking legitimate Google correspondence.” reads the report published by Mandiant. “The emails contained links to fake Google Books pages that redirected to login pages designed to steal credentials and two-factor authentication codes.”

The surveillance operations carried out by the APT group concerned the distribution of Android malware such as VINETHORN and PINEFLOWER. The attack chain begins with text messages sent to the victims, the malicious code makes it possible to spy on the recipients by recording audio and telephone calls, harvesting multimedia content and text messages and tracking geolocations.

In September 2021, the Iran-Linked group compromised a European government email account and used it to send a phishing email to nearly 150 email addresses associated with individuals or entities employed or affiliated with the civil society, government or intergovernmental organizations around the world. The bait email embedded a Google Drive link to a malicious macro document leading to TAMECAT, a PowerShell backdoor.

“The group has shown its ability to quickly shift its operational focus as Iran’s priorities change over time with changing national and geopolitical conditions. We assess with great confidence that APT42 will continue to perform cyber espionage and surveillance operations aligned with Iran’s evolving operational requirements for intelligence gathering. conclude the researchers.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hacking, APT42)

Comments are closed.