Iran government-supported hackers have recently targeted many high-profile activists, journalists, researchers, academics, diplomats, and politicians who have been working on Middle East issues. This credential phishing is being done via WhatsApp. The Human Rights Watch has linked this phishing attack with an entity affiliated with the Iranian government known as APT42. It is sometimes called TA453, Phosphorus, and Charming Kitten. This Iran-based hacking group was first identified by cybersecurity firm Mandiant in September 2022. Basically, Mandiant assesses with high confidence that APT42 is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.
HRW has identified 18 victims who have been targeted as part of the same campaign, and 15 of these people have confirmed that they had received the same WhatsApp messages between September 15 and November 25.
According to the analysis by security firm Mandiant, APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with victims to get their personal/corporate email accounts or to install Android malware on their smartphones. It uses Windows malware to boost credential harvesting and surveillance efforts.
Operations of APT42
There are 3 categories of operations-
Credential Harvesting- APT42 mostly targets corporate and personal email accounts through high-powered phishing campaigns with an emphasis on building trust and rapport with the target before attempting to steal the credentials. It also collects Multi-Factor Authentication codes to bypass authentication methods and uses compromised credentials to pursue access to the networks, devices, and accounts of employers, colleagues, and relatives of the initial victim.
Surveillance Operations- Till late 2015, a subset of APT’s 42 infrastructure served as command-and-control servers for Android mobile malware that aimed to track locations, monitor communications, and surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran.
Malware deployment- While APT42 mostly prefers credential harvesting over activity on disk, it does rely on some lightweight tools and backdoor customs as well. These tools are included in the operations when the objectives extend beyond credential harvesting.
Over 30 confirmed targets by APT42 have been identified by Mandate. The total intrusions are higher based on the group’s high operational tempo, visibility gaps caused partly by group’s targeting of personal email accounts and partly by domestically focused efforts and extensive open source industry reporting on threat clusters associated with APT42.