A hacking group linked to the intelligence wing of Iran’s Revolutionary Guards impersonated journalists and human rights activists as part of a social engineering campaign, according to findings published Wednesday by Mandiant and Google Cloud.
News organizations impersonated in the operation included The Washington Post, The Economist, and The Jerusalem Post, in a campaign that Mandiant researchers assess was carried out by a hacking group known as APT42. The group also impersonated prominent Washington think tanks, including the Aspen Institute, the McCain Institute, and the Washington Institute.
According to Mandiant, Iranian hackers impersonated these organizations to send phishing lures to targets, intended to harvest their credentials. In other cases, the attackers spoofed popular login pages, file hosting services, and legitimate services such as YouTube, Gmail, Google Meet, and Google Drive.
Mandiant said there is no evidence that the impersonated organizations themselves were hacked or compromised in any way.
Wednesday’s report is the latest in a series of incidents in which Iranian hacking groups used fake personas to deceive victims. Last year, SecureWorks reported that APT42 was using such personas and social media accounts to engage researchers around the world who focus on Iran, including inviting them to contribute to an upcoming Atlantic Council report, as part of efforts to carry out phishing attacks.
According to Mandiant, members of APT42, also known as Charming Kitten, TA453, Mint Sandstorm or Mint Phosphorus, have been engaged in an extensive social engineering campaign since at least 2019.
The ultimate goal behind this effort appears to be espionage, with the group using the stolen credentials to access the victim organizations’ cloud environments and steal data of strategic importance to Tehran.
In many cases, the documents themselves were not laced with malware, but Mandiant said they were likely an effort to establish a relationship with the victim organization and lay the groundwork for credential phishing. Once the attackers obtained the credentials, they created a cloned website to capture the victim’s MFA tokens and bypassed multi-factor authentication protections by sending push notifications to the victim.
This provided quick access to the victim’s Microsoft 365 cloud environment, allowing APT42 to steal data from OneDrive, Outlook emails, and other documents related to Iran’s geopolitical interests. The attackers used a combination of built-in features and open-source tools to obfuscate their presence within the victim’s network.
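The push-notification bypass described above leaves a recognizable trail in identity-provider sign-in logs: a burst of denied MFA prompts for one account followed by an approval. The following detection is an added example, not code from the article or from Mandiant; the log format and the sample records are constructed for illustration and do not match any vendor's exact schema.

```python
"""Flag the MFA push-fatigue pattern: several denied push prompts for one
account within a short window, followed by an approval (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: timestamp, user, event, result, source IP.
SAMPLE_LOG = [
    "2024-03-01T09:00:05Z alice@example.org mfa_push denied 203.0.113.7",
    "2024-03-01T09:00:41Z alice@example.org mfa_push denied 203.0.113.7",
    "2024-03-01T09:01:20Z alice@example.org mfa_push denied 203.0.113.7",
    "2024-03-01T09:02:03Z alice@example.org mfa_push approved 203.0.113.7",
    "2024-03-01T09:02:10Z alice@example.org signin success 203.0.113.7",
    "2024-03-01T10:15:00Z bob@example.org mfa_push approved 198.51.100.9",
    "2024-03-01T10:15:04Z bob@example.org signin success 198.51.100.9",
]


def parse(line):
    """Split one constructed log line into (timestamp, user, event, result, ip)."""
    ts, user, event, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result, ip


def find_push_fatigue(lines, window=timedelta(minutes=10), min_denials=2):
    """Return {user: details} for accounts that denied at least `min_denials`
    push prompts inside `window` and then approved one. A normal user (bob)
    approves a single prompt and is not flagged."""
    pushes = defaultdict(list)
    for line in lines:
        ts, user, event, result, ip = parse(line)
        if event == "mfa_push":
            pushes[user].append((ts, result, ip))

    hits = {}
    for user, events in pushes.items():
        events.sort()
        for i, (ts, result, ip) in enumerate(events):
            if result != "approved":
                continue
            # Count denials that precede this approval within the window.
            denials = [e for e in events[:i]
                       if e[1] == "denied" and ts - e[0] <= window]
            if len(denials) >= min_denials:
                hits[user] = {"denials": len(denials), "approved_at": ts,
                              "approved_from": ip}
                break
    return hits


if __name__ == "__main__":
    for user, info in find_push_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {info['denials']} denials then approval from {info['approved_from']}")
```

An approval from a source address the account has never used before, as in the flagged record, is the natural follow-on check before treating the session as legitimate.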
Mandiant said that while other Iranian threat groups have shifted their focus to destructive attacks since the outbreak of the Israel-Gaza conflict, APT42 remains focused on its traditional mission of gathering intelligence from foreign targets.
By Derek B. Johnson. Derek B. Johnson is a reporter for CyberScoop, covering cybersecurity, elections, the federal government, and more. Prior to that, since 2017, he provided award-winning coverage of cybersecurity news across the public and private sectors for various publications. Derek holds a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.