Iranian government-backed hackers have targeted many high-profile activists, journalists, researchers, academics, diplomats and politicians working on Middle East issues. According to Human Rights Watch (HRW), the ongoing social engineering and credential phishing campaign is being conducted over WhatsApp. HRW attributed the phishing attack to a group linked to the Iranian government, APT42, sometimes called TA453, Phosphorus or Charming Kitten. The cyber security firm Mandiant was the first to identify the Iran-backed hacking group, in September 2022.
In an analysis conducted with Amnesty International’s Security Lab, HRW identified 18 victims targeted as part of the same campaign, and confirmed that 15 of these targets received the same WhatsApp messages between September 15 and November 25.
How APT42 Works
According to security firm Mandiant, APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with its victims in order to access their personal or corporate email accounts, or to install Android malware on their mobile devices. Additionally, APT42 rarely uses Windows malware in its credential harvesting and surveillance efforts.
APT42 operations are divided into three categories:
Credential harvesting: APT42 targets corporate and personal email accounts through highly targeted spear-phishing campaigns, with an emphasis on building trust and rapport with the target before attempting to steal their credentials. Mandiant also has indications that the group leverages credential harvesting to collect multi-factor authentication (MFA) codes in order to bypass authentication methods, and that it has used compromised credentials to gain access to the networks, devices, and accounts of the initial victim's employers, coworkers, and relatives.
Surveillance operations: Since at least late 2015, a subset of APT42's infrastructure has served as command-and-control (C2) servers for Android mobile malware used to surveil individuals of interest to the Iranian government, including activists and dissidents, inside Iran.
Malware deployment: While APT42 generally prefers credential harvesting over on-disk operations, several custom backdoors and lightweight tools complement its arsenal. The group may bring these tools into an operation when its goals extend beyond credential harvesting.
Mandiant has observed 30 confirmed targeted APT42 operations spanning these categories since early 2015. The total number of APT42 intrusion operations is almost certainly much higher, given the group's high operational tempo, the visibility gaps caused by its targeting of individual email accounts and its domestically focused efforts, and the extensive open source industry reporting on threat clusters associated with APT42.