Iran-backed hackers targeting activists, journalists, politicians - HRW

The hackers gained access to emails, cloud storage drives, calendars and contacts and exported data from victims' accounts.

Iranian flag and cyber code [Illustrative] (photo credit: PIXABAY)
Iranian flag and cyber code [Illustrative]
(photo credit: PIXABAY)

Hackers backed by the Iranian government have targeted activists, journalists, researchers, academics, diplomats and politicians working on Middle East issues in a phishing cyber attack, Human Rights Watch announced on Monday.

The investigation, conducted by HRW and Amnesty International's Security Lab, found that the phishing attack was likely being conducted by a group known as APT42, a group first identified by the Mandiant cyber security company in September.

Two HRW staff members and 18 other individuals are among the victims of the phishing operation.

The email and other sensitive data of a correspondent for a major US newspaper, a women's rights defender in the Gulf region and Nicholas Noe, an advocacy consultant for Refugees International based in Lebanon, have been compromised by APT42.

The hackers gained access to their emails, cloud storage drives, calendars and contacts and exported data from their accounts.

 A 3D printed Whatsapp logo is pictured on a keyboard in front of binary code in this illustration taken September 24, 2021. (credit: REUTERS/DADO RUVIC/ILLUSTRATION) A 3D printed Whatsapp logo is pictured on a keyboard in front of binary code in this illustration taken September 24, 2021. (credit: REUTERS/DADO RUVIC/ILLUSTRATION)

“Iran’s state-backed hackers are aggressively using sophisticated social engineering and credential harvesting tactics to access sensitive information and contacts held by Middle East-focused researchers and civil society groups,” said Abir Ghattas, information security director at HRW. “This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region.”

What is APT42?

In a report in September, Mandiant assessed with moderate confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC). While its operations are similar to those of another IRGC-affiliated group known as APT35, Mandiant assessed that the two groups are separate.

APT42 in general also seems to line up with activity other cyber security bodies have referred to as TA453, Yellow Garuda and ITG18, as well as some of the activity attributed to a group referred to as Phosphorus.

According to Mandiant, APT42 has been active since 2015 and specializes in phishing and surveillance operations against individuals and organizations of strategic interest to Iran, including government officials, former Iranian political figures, Iranian dissidents, journalists and academics.

APT42 operates by using phishing and social engineering in order to build trust and rapport with victims in order to collect intelligence on them and those close to them. Think tanks, researchers, journalists, government officials, healthcare facilities, and the Iranian diaspora have been targeted in at least 14 countries, including Israel and the UAE, as part of APT42's activity.

Who did APT42 target in its latest operation?

In October, an HRW staff member working on the Middle East and North Africa region received suspicious messages on WhatsApp from a person pretending to work for a think tank based in Lebanon. The person the hackers impersonated previously worked for the think tank and the invitation had the same format as previous invitations from the think tank.

HRW found that the links sent by the person directed to a fake Microsoft login page that captured the user's email password and authentication code.

HRW and Amnesty International contacted the 18 individuals they found were targets of the campaign, with 15 of them responding and confirming that they had received the same WhatsApp messages between September 15 and November 25.

On November 23, a second HRW staff member received the same WhatsApp messages from the same number that contacted other targets.

While nearly all of the IP addresses used by the hackers to connect to the compromised accounts were from the Express VPN service, the investigators did find one Iranian IP address in Tehran that connected to one of the target's inboxes. The IP address may be the address of the attacker's own network as the attacker may have forgotten to enable their VPN before connecting.

The investigation also discovered that the same attackers had registered a domain to mimic that of an advocacy group based in the United States called United Against Nuclear Iran, which was targeted by the Iran-backed Charming Kitten (APT35) hacker group in November 2021.

The HRW and Amnesty International investigation additionally found that Google's security protections were not working adequately, with the individuals successfully targeted by the attack telling HRW that they did not realize their Gmail accounts had been compromised or that their data had been exported.

HRW advised Google to "promptly strengthen its Gmail account security warnings to better protect journalists, human rights defenders, and its most at-risk users from attacks."

“In a Middle East region rife with surveillance threats for activists, it's essential for digital security researchers to not only publish and promote findings, but also prioritize the protection of the region's embattled activists, journalists, and civil society leaders.”

Abir Ghattas, information security director at HRW

“In a Middle East region rife with surveillance threats for activists, it's essential for digital security researchers to not only publish and promote findings, but also prioritize the protection of the region's embattled activists, journalists, and civil society leaders,” said Ghattas.

Similar attacks have targeted Israel in the past

In June, the Israeli cybersecurity firm Check Point reported that it was likely that Phosphorus was behind attempts to hack the emails of senior Israeli and American officials and executives, including former foreign minister Tzipi Livni and a former US ambassador to Israel.

That attack used emails impersonating a well-known former major general in the IDF and an American diplomat to lure in its targets.

In May, the Shin Bet revealed that Iranian hackers were attempting to lure Israeli businessmen and academics abroad in order to kidnap or harm them and to gather intelligence.

In that attack, the hackers also impersonated foreign and Israeli academics, journalists, reserve officers, businessmen and philanthropists and used the stolen identities and relevant cover stories in order to gather intelligence about Israelis and to lure them to locations abroad in order to kidnap or harm them.

The Shin Bet did not name the group behind that cyber operation.

Last year, the cybersecurity company Proofpoint reported that Phosphorus targeted senior medical professionals specializing in genetic, neurology and oncology research in the US and Israel in 2020.

In that attack, hackers used a Gmail account that was presented as belonging to prominent Israeli physicist and former president of the Weizmann Institute of Science, Daniel Zajfman.