A recent report by Mandiant, the American cybersecurity firm that is now part of Google Cloud, has revealed that members of the Iranian state-sponsored cyber espionage group known as APT42 have been impersonating journalists and human rights activists to breach victim systems.

According to the research, APT42 pretended to be journalists from reputable news organizations such as The Washington Post, The Economist, and The Jerusalem Post, as well as think tanks like the Aspen Institute, the McCain Institute, and the Washington Institute.

The group’s tactics involved building trust with targets through ongoing correspondence, sending conference invitations or legitimate documents, before delivering a malicious link.

The researchers noted that APT42’s social engineering schemes enabled them to harvest credentials and gain initial access to cloud environments.

Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, relying on built-in features and open-source tools to avoid detection.

As per Mandiant, APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization, which is responsible for monitoring and preventing threats to Iran, both foreign and domestic.

The group is known for its extensive credential harvesting operations, often accompanied by tailored spear-phishing campaigns and extensive social engineering.

In the campaigns against news organizations and think tanks, the Iranian hackers built their lures around generic login pages, file hosting services, and imitations of legitimate services such as YouTube, Google Drive, Gmail, and Google Meet.

For example, in March 2023, APT42 sent a spear-phishing email containing a fake Google Meet invitation, purportedly from Mona Louri, a likely fake persona operated by APT42 that claimed to be a human rights activist and researcher.

On following the link, the target landed on a counterfeit Google Meet page that asked for their credentials, which were then sent to the attackers.

According to Mandiant, there is no evidence that the spoofed organizations themselves were hacked or compromised in any way.

It’s worth noting that Iranian cyberespionage groups have been rather active lately. In February 2024, Mandiant warned that Iranian hackers had been posing as recruiters from Boeing and drone manufacturer DJI, targeting the aerospace, aviation, and defense industries in countries such as Israel and the United Arab Emirates.

History of the Iranian Regime’s Hacking and Cybercrime Activities:

Iran’s cyber warfare capabilities have been developing since the late 2000s. In 2010, Iran was targeted by the Stuxnet computer worm, which was designed to disrupt industrial control systems, particularly those used in Iran’s nuclear program. This attack is considered one of the first known examples of a cyber weapon being used to cause physical damage.

In response, Iran’s regime began investing heavily in building up its own cyber offensive capabilities. Some key events include:

  • In 2012, the Shamoon wiper attack, widely attributed to Iran, struck Saudi Arabia’s state-owned oil company Saudi Aramco, wiping data from tens of thousands of computers.
  • A 2013 breach of the New York Times is often listed among Iranian operations, but the newspaper’s own reporting on that intrusion attributed it to other actors, so it is a weak example.
  • In 2014, a cyberattack attributed to Iran hit the Las Vegas Sands casino company, wiping servers and causing significant damage to its systems and operations.
  • In 2017, a brute-force attack later attributed to Iran compromised dozens of UK parliamentary email accounts that were protected by weak passwords.
  • In 2020, attackers attributed to Iran attempted to manipulate control systems at Israeli water facilities; Israeli officials said the intrusions were detected and caused little operational damage.

Iran’s regime has developed a range of offensive cyber capabilities, including the ability to conduct espionage and to disrupt critical infrastructure. The Iranian regime’s cyber program is believed to be run through a network of contractors and state-aligned actors rather than a single centralized authority.