APT42 Attack: What is it & how does it target high-profile activists

It can use personal as well as corporate information for hacking.

Main Image
  • Like
  • Comment
  • Share

Iran government-supported hackers have recently targeted many high-profile activists, journalists, researchers, academics, diplomats, and politicians who have been working on Middle East issues. This credential phishing is being done via WhatsApp. The Human Rights Watch has linked this phishing attack with an entity affiliated with the Iranian government known as APT42. It is sometimes called TA453, Phosphorus, and Charming Kitten. This Iran-based hacking group was first identified by cybersecurity firm Mandiant in September 2022. Basically, Mandiant assesses with high confidence that APT42 is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.

HRW has identified 18 victims who have been targeted as part of the same campaign, and 15 of these people have confirmed that they had received the same WhatsApp messages between September 15 and November 25.

According to the analysis by security firm Mandiant, APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with victims to get their personal/corporate email accounts or to install Android malware on their smartphones. It uses Windows malware to boost credential harvesting and surveillance efforts.

Operations of APT42

There are 3 categories of operations-

Credential Harvesting- APT42 mostly targets corporate and personal email accounts through high-powered phishing campaigns with an emphasis on building trust and rapport with the target before attempting to steal the credentials. It also collects Multi-Factor Authentication codes to bypass authentication methods and uses compromised credentials to pursue access to the networks, devices, and accounts of employers, colleagues, and relatives of the initial victim.

Surveillance Operations- Till late 2015, a subset of APT’s 42 infrastructure served as command-and-control servers for Android mobile malware that aimed to track locations, monitor communications, and surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran.

Malware deployment- While APT42 mostly prefers credential harvesting over activity on disk, it does rely on some lightweight tools and backdoor customs as well. These tools are included in the operations when the objectives extend beyond credential harvesting.

Over 30 confirmed targets by APT42 have been identified by Mandate. The total intrusions are higher based on the group’s high operational tempo, visibility gaps caused partly by group’s targeting of personal email accounts and partly by domestically focused efforts and extensive open source industry reporting on threat clusters associated with APT42.

Shivangi AgarwalShivangi Agarwal
Shivangi is an honours graduate in English from Delhi University with a passion for reading and writing. Always keen to know more about the latest gadgets, when she is not reading about tech, she loves listening to Hindi music and grooving to the latest Hindi beats.

Related Articles

ImageSmartprix People’s Choice Awards 2023: Vote for Your Favorite Smartphones, Smartwatches, and More

As we bid farewell to the smartphone launches that defined 2023, it’s time to reflect on the industry’s journey. The landscape witnessed a myriad of captivating releases, such as Apple pioneering the use of a 3nm chipset in their phones and OnePlus boldly venturing into the realm of foldable devices. Brands like Realme brought curved …

ImageOver 1.3 million Clubhouse app users data leaked; How to secure your account

The data of Clubhouse users, an invitation-only social media app on iOS, have been leaked on a hacker forum for free. For the uninitiated, the Clubhouse app allows users to create a room of up to 5000 people for audio communication. It’s been reported that the SQL records of over 1.3 million Clubhouse users have …

ImageFacebook data of over 533 million users leaked for free on a hacker forum

Facebook data of over 533 million users have been reportedly leaked online on a hacker’s forum. The horrifying part is that the said data has been made openly available for free.  The revelation comes from a news report that the Facebook data breach involves information of users from 106 countries around the world and over …

ImageiPhone Lockdown Mode: How to Enable iPhone Lockdown Mode to Protect Yourself from Targeted Phishing Attacks

Apple has introduced Lockdown Mode as a formidable weapon to safeguard users against sophisticated cyber-attacks. This advanced security feature unveiled in iOS 16, iPadOS 16, and macOS Ventura, is now an integral part of Apple’s security arsenal. As the tech giant extends its security net to politicians, journalists, and individuals in 150 countries, let’s dive …

ImageAMD Announces Threadripper 7000 CPUs, Offers Exceptional Performance For High-End Computers

After Intel, AMD announced its new lineup of high-end processors. These come under the Threadripper 7000 and Threadripper 7000 Pro series. While the former is for professionals or creatives, the latter targets enterprises with exceptional performance. Here are the key features of AMD’s latest lineup of processors. AMD Ryzen Threadripper PRO 7000 WX-Series Key Features …


Be the first to leave a comment.