Iranian cyber espionage group 'APT42' targets Iranian opposition - report

APT42 impersonated journalists and researchers in order to lure victims in and access their accounts.

 A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. (photo credit: REUTERS/KACPER PEMPEL/ILLUSTRATION/FILE PHOTO)
A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017.
(photo credit: REUTERS/KACPER PEMPEL/ILLUSTRATION/FILE PHOTO)

An Iran-backed cyber espionage group known as APT42 is believed to be behind a series of cyberattacks on organizations and individuals opposed to the Iranian government going as far back as 2015, according to a new report by the Mandiant cyber security company published on Wednesday.

According to Mandiant, the group uses phishing and social engineering in order to build trust and rapport with victims in order to collect intelligence on them and those close to them.

While many Iran-backed hacker groups focus on targeting the defense industries of foreign nations or collecting personal information, APT42 largely focuses on targeting organizations or individuals opposed to the Iranian regime.

Think tanks, researchers, journalists, government officials, healthcare facilities, and the Iranian diaspora have been targeted in at least 14 countries, including Israel and the UAE, as part of APT42's activity.

The group's activity seems to evolve as Iranian priorities change, according to Mandiant. During the COVID-19 pandemic, the group targeted the pharmaceutical sector in 2020. Ahead of an Iranian presidential election, the group targeted domestic and foreign-based opposition groups.

 Flag of Iran in the Nishapur Railway Station square (credit: Wikimedia Commons) Flag of Iran in the Nishapur Railway Station square (credit: Wikimedia Commons)

APT42's ways of attack

In multiple attacks, the group presented victims with a fake Gmail login page in order to harvest the targets' credentials.

APT42 often attempts to lure in its victims by impersonating journalists or researchers and conducting extended conversations with the targets before sending the malicious link.

In one attack, the group used a compromised email account belonging to a US-based think tank employee to target Middle East researchers at other organizations, US government officials, a former Iranian government official and members of an Iranian opposition group.

In another attack, the group impersonated a legitimate British news organization to target political science professors.

APT42 also uses mobile malware to surveil and monitor individuals of interest to the Iranian government, including members of Iranian opposition groups. Some of the attacks targeted people in Iran, including individuals with ties to universities, reformist political groups and human rights activists.

The group was able to record phone calls, activate the phone's microphone and record audio, extract images and take pictures on command and track the targets' location.

According to Mandiant, it is fairly certain that APT42 is operating on behalf of the Iranian government and there are strong indicators that the group is linked to the Islamic Revolutionary Guard Corps (IRGC).

APT42 in general seems to line up with activity other cyber security bodies have referred to as TA453, Yellow Garuda and ITG18, as well as some of the activity attributed to groups referred to as Phosphorus and Charming Kitten.

Past attacks linked to and similar to APT42

In June, the Israeli cybersecurity firm Check Point reported that it was likely that Phosphorus was behind attempts to hack the emails of senior Israeli and American officials and executives, including former foreign minister Tzipi Livni and a former US ambassador to Israel.

That attack used emails impersonating a well-known former major general in the IDF and an American diplomat to lure in its targets.

In May, the Shin Bet revealed that Iranian hackers were attempting to lure Israeli businessmen and academics abroad in order to kidnap or harm them and to gather intelligence.

In that attack, the hackers also impersonated foreign and Israeli academics, journalists, reserve officers, businessmen and philanthropists and used the stolen identities and relevant cover stories in order to gather intelligence about Israelis and to lure them to locations abroad in order to kidnap or harm them.

The Shin Bet did not name the group behind that cyber operation.

Last year, the cybersecurity company Proofpoint reported that Phosphorus targeted senior medical professionals specializing in genetic, neurology and oncology research in the US and Israel in 2020.

In that attack, hackers used a Gmail account that was presented as belonging to prominent Israeli physicist and former president of the Weizmann Institute of Science, Daniel Zajfman.