Iran-linked APT42 is behind over 30 espionage attacks

Iran-linked APT42 (formerly UNC788) is suspected to be the actor behind over 30 cyber espionage attacks against activists and dissidents.

Experts attribute over 30 cyber espionage attacks against activists and dissidents to the Iran-linked APT42 (formerly UNC788).

The campaigns have been conducted since 2015 and are aimed at conducting information collection and surveillance operations against individuals and organizations of strategic interest to Teheran. Mandiant researchers pointed out that the APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)’s Intelligence Organization (IRGC-IO).

APT42’s TTPs overlap with another Iran-linked APT group tracked as APT35 (aka ‘Charming Kitten‘, ‘Phosphorus‘, Newscaster, and Ajax Security Team) which made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. 

The APT group previously targeted medical research organizations in the US and Israel in late 2020, and for targeting academics from the US, France, and the Middle East region in 2019.

They have also previously targeted human rights activists, the media sector, and interfered with the US presidential elections.

APT42 focuses on highly targeted spear-phishing and social engineering techniques, its operations broadly fall into three categories, credential harvesting, surveillance operations, and malware deployment.

“Mandiant has observed over 30 confirmed targeted APT42 operations spanning these categories since early 2015. The total number of APT42 intrusion operations is almost certainly much higher based on the group’s high operational tempo, visibility gaps caused in part by the group’s targeting of personal email accounts and domestically focused efforts, and extensive open-source industry reporting on threat clusters likely associated with APT42.” reads the report published by Mandiant.

The APT42 activity varies according to the evolution of priorities and interests of the Iranian government, including campaigns pursuing domestic and foreign-based opposition groups prior to an Iranian presidential election. Mandiant researchers highlight that APT42 quickly reacts to geopolitical changes by adjusting its operations.

“In May 2017, APT42 targeted the senior leadership of an Iranian opposition group operating from Europe and North America with spear-phishing emails mimicking legitimate Google correspondence.” reads the report published by Mandiant. “The emails contained links to fake Google Books pages which redirected to sign-in pages designed to steal credentials and two-factor authentication codes.”

The surveillance operations conducted by the APT group involved the distribution of Android malware such as VINETHORN and PINEFLOWER. The attack chain starts with text messages sent to the victims, the malicious code allows spying on the recipients by recording audio and phone calls, harvesting multimedia content and SMSes, and tracking geolocations.

In September 2021, the Iran-Linked group compromised an European government email account and used it to send a phishing email to almost 150 email addresses associated with individuals or entities employed by or affiliated with civil society, government or intergovernmental organizations around the world. The bait email embedded a Google Drive link to a malicious macro document leading to TAMECAT, a PowerShell toehold backdoor

“the group has displayed its ability to rapidly alter its operational focus as Iran’s priorities change over time with evolving domestic and geopolitical conditions. We assess with high confidence that APT42 will continue to perform cyber espionage and surveillance operations aligned with evolving Iranian operational intelligence collection requirements.” the researchers conclude.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT42)

[adrotate banner=”5″]

[adrotate banner=”13″]