Cybersecurity firm Mandiant has attributed over 30 cyber espionage attacks against activists and dissidents to the state-backed Iranian threat group APT42 (formerly UNC788) with activity dating back to 2015, at least.
Based on APT42’s activities, the researchers believe the hacking group operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), not to mention shares partial overlaps with another Iran-linked APT group tracked as APT35 (aka Charming Kitten, Phosphorus, Newscaster, and Ajax Security Team).
The APT group has targeted multiple industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning across 14 nations, including in Australia, Europe, the Middle East, and the U.S.
“APT42 activity poses a threat to foreign policy officials, commentators, and journalists, particularly those in the US, the UK, and Israel, working on Iran-related projects,” reads the report published by Mandiant. "Additionally, the group’s surveillance activity highlights the real-world risk to individual targets of APT42 operations, which include Iranian dual-nationals, former government officials, and dissidents both inside Iran and those who previously left the country, often out of fear for their personal safety.”
The Iranian hackers are primarily focused on cyber-espionage, employing highly targeted spear-phishing and social engineering methodologies to access personal and corporate email accounts, or to deploy Android malware on mobile devices.
The APT group also has the capability of siphoning two-factor authentication codes to circumvent more secure authentication methods, and sometimes leverages this access to target employers, colleagues, and relatives of the initial victim. However, while credential theft is favored, the group has also deployed multiple custom backdoors and lightweight tools to target firms.
Last year in September, the Iranian hackers accessed a European government email account and exploited it to send a phishing email to nearly 150 email addresses linked with individuals or entities employed by or associated with civil society, government, or intergovernmental organizations across the globe. The phishing mail embedded a Google Drive link to a malicious macro document leading to TAMECAT, a PowerShell toehold backdoor.
Additionally, the researchers have uncovered multiple similarities in “intrusion activity clusters” between APT42 and another Iran-linked hacking group, UNC2448, which has been known in the past to scan for vulnerabilities and even deploy BitLocker ransomware.
“While Mandiant has not observed technical overlaps between APT42 and UNC2448, the latter may also have ties to the IRGC-IO,” Mandiant explained. "We assess with moderate confidence that UNC2448 and the Revengers Telegram persona are operated by at least two Iranian front companies, Najee Technology and Afkar System, based on open-source information and operational security lapses by the threat actors.”
