APT42 Attack: What is it & how does it target high-profile activists

It can use personal as well as corporate information for hacking.

Main Image
  • Like
  • Comment
  • Share

Iran government-supported hackers have recently targeted many high-profile activists, journalists, researchers, academics, diplomats, and politicians who have been working on Middle East issues. This credential phishing is being done via WhatsApp. The Human Rights Watch has linked this phishing attack with an entity affiliated with the Iranian government known as APT42. It is sometimes called TA453, Phosphorus, and Charming Kitten. This Iran-based hacking group was first identified by cybersecurity firm Mandiant in September 2022. Basically, Mandiant assesses with high confidence that APT42 is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.

HRW has identified 18 victims who have been targeted as part of the same campaign, and 15 of these people have confirmed that they had received the same WhatsApp messages between September 15 and November 25.

According to the analysis by security firm Mandiant, APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with victims to get their personal/corporate email accounts or to install Android malware on their smartphones. It uses Windows malware to boost credential harvesting and surveillance efforts.

Operations of APT42

There are 3 categories of operations-

Credential Harvesting- APT42 mostly targets corporate and personal email accounts through high-powered phishing campaigns with an emphasis on building trust and rapport with the target before attempting to steal the credentials. It also collects Multi-Factor Authentication codes to bypass authentication methods and uses compromised credentials to pursue access to the networks, devices, and accounts of employers, colleagues, and relatives of the initial victim.

Surveillance Operations- Till late 2015, a subset of APT’s 42 infrastructure served as command-and-control servers for Android mobile malware that aimed to track locations, monitor communications, and surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran.

Malware deployment- While APT42 mostly prefers credential harvesting over activity on disk, it does rely on some lightweight tools and backdoor customs as well. These tools are included in the operations when the objectives extend beyond credential harvesting.

Over 30 confirmed targets by APT42 have been identified by Mandate. The total intrusions are higher based on the group’s high operational tempo, visibility gaps caused partly by group’s targeting of personal email accounts and partly by domestically focused efforts and extensive open source industry reporting on threat clusters associated with APT42.

Shivangi AgarwalShivangi Agarwal
Shivangi is an honours graduate in English from Delhi University with a passion for reading and writing. Always keen to know more about the latest gadgets, when she is not reading about tech, she loves listening to Hindi music and grooving to the latest Hindi beats.

Related Articles

ImageUnpacking the specs & features of the 1st Samsung flagship of 2023- Galaxy S23 Ultra

It is that time of the year again! Yes, the time when Samsung launched its next Flagship S Series via the first Unpacked Event of 2023. Samsung Galaxy S23 Series includes 3 models- Galaxy S23, Galaxy S23+, and Galaxy S23 Ultra. While the vanilla and plus models are mostly similar in specs, it is the …

ImageOver 1.3 million Clubhouse app users data leaked; How to secure your account

The data of Clubhouse users, an invitation-only social media app on iOS, have been leaked on a hacker forum for free. For the uninitiated, the Clubhouse app allows users to create a room of up to 5000 people for audio communication. It’s been reported that the SQL records of over 1.3 million Clubhouse users have …

ImageFacebook data of over 533 million users leaked for free on a hacker forum

Facebook data of over 533 million users have been reportedly leaked online on a hacker’s forum. The horrifying part is that the said data has been made openly available for free.  The revelation comes from a news report that the Facebook data breach involves information of users from 106 countries around the world and over …

ImageMoto Edge+ with SD865 & Moto Edge with SD765 goes official

Motorola has launched two new phones. The brand enters flagship territory with the Moto Edge+ running on Snapdragon 865 and a high-profile repertoire. It is accompanied by a regular Moto Edge that helms Snapdragon 765 inside. The whole package is luxurious and likewise is the price tag. Let’s dig into their on-paper offering to see …

ImageGIMS is the Indian Govt’s WhatsApp alternative for Official Communication

Whatsapp hacks and privacy concerns have been headlining in recent times. But, the latest cases of Jeff Bezos and Israel NSO spy technology are deeply alarming. If thousands of high-profile users, including someone like Bezos, can be vulnerable, then what’s even data security for a civilian. In light of these concerns, the Government of India …


Be the first to leave a comment.