APT42 Attack: What is it & how does it target high-profile activists

It can use personal as well as corporate information for hacking.

Main Image
  • Like
  • Comment
  • Share

Iran government-supported hackers have recently targeted many high-profile activists, journalists, researchers, academics, diplomats, and politicians who have been working on Middle East issues. This credential phishing is being done via WhatsApp. The Human Rights Watch has linked this phishing attack with an entity affiliated with the Iranian government known as APT42. It is sometimes called TA453, Phosphorus, and Charming Kitten. This Iran-based hacking group was first identified by cybersecurity firm Mandiant in September 2022. Basically, Mandiant assesses with high confidence that APT42 is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.

HRW has identified 18 victims who have been targeted as part of the same campaign, and 15 of these people have confirmed that they had received the same WhatsApp messages between September 15 and November 25.

According to the analysis by security firm Mandiant, APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with victims to get their personal/corporate email accounts or to install Android malware on their smartphones. It uses Windows malware to boost credential harvesting and surveillance efforts.

Operations of APT42

There are 3 categories of operations-

Credential Harvesting- APT42 mostly targets corporate and personal email accounts through high-powered phishing campaigns with an emphasis on building trust and rapport with the target before attempting to steal the credentials. It also collects Multi-Factor Authentication codes to bypass authentication methods and uses compromised credentials to pursue access to the networks, devices, and accounts of employers, colleagues, and relatives of the initial victim.

Surveillance Operations- Till late 2015, a subset of APT’s 42 infrastructure served as command-and-control servers for Android mobile malware that aimed to track locations, monitor communications, and surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran.

Malware deployment- While APT42 mostly prefers credential harvesting over activity on disk, it does rely on some lightweight tools and backdoor customs as well. These tools are included in the operations when the objectives extend beyond credential harvesting.

Over 30 confirmed targets by APT42 have been identified by Mandate. The total intrusions are higher based on the group’s high operational tempo, visibility gaps caused partly by group’s targeting of personal email accounts and partly by domestically focused efforts and extensive open source industry reporting on threat clusters associated with APT42.

Shivangi AgarwalShivangi Agarwal
Shivangi is an honours graduate in English from Delhi University with a passion for reading and writing. Always keen to know more about the latest gadgets, when she is not reading about tech, she loves listening to Hindi music and grooving to the latest Hindi beats.

Related Articles

ImageiQOO 13 Review: Multiple Steps Forward, Yet One Step Back

The flagship season has kicked off, and the iQOO 13 is here, powered by the Snapdragon 8 Elite chipset. This device prioritizes performance, while delivering a solid display, a 6,000 mAh battery, a 144 Hz 2K display, a few other flagship features. The camera setup is quite different from last year, though, with a smaller …

ImageOver 1.3 million Clubhouse app users data leaked; How to secure your account

The data of Clubhouse users, an invitation-only social media app on iOS, have been leaked on a hacker forum for free. For the uninitiated, the Clubhouse app allows users to create a room of up to 5000 people for audio communication. It’s been reported that the SQL records of over 1.3 million Clubhouse users have …

ImageFacebook data of over 533 million users leaked for free on a hacker forum

Facebook data of over 533 million users have been reportedly leaked online on a hacker’s forum. The horrifying part is that the said data has been made openly available for free.  The revelation comes from a news report that the Facebook data breach involves information of users from 106 countries around the world and over …

ImageiPhone Lockdown Mode: How to Enable iPhone Lockdown Mode to Protect Yourself from Targeted Phishing Attacks

Apple has introduced Lockdown Mode as a formidable weapon to safeguard users against sophisticated cyber-attacks. This advanced security feature unveiled in iOS 16, iPadOS 16, and macOS Ventura, is now an integral part of Apple’s security arsenal. As the tech giant extends its security net to politicians, journalists, and individuals in 150 countries, let’s dive …

ImageEpic Games Wins The Antitrust Lawsuit Against Google: Here’s What The Jury Decided

For a long time, Epic Games, the creator of the popular battle-royale video game Fortnite, and Google have been in a high-profile lawsuit where the former accused the latter of practicing control over the distribution services and unfairly exploiting its position. During the trial, several lesser-known facts, such as Google’s special deal with Spotify, came …

Discuss

Be the first to leave a comment.