An ongoing and extensive international cyber espionage campaign targeting human rights activists, well-known journalists, diplomats, and politicians working in the Middle East region has been uncovered by Human Rights Watch (HRW) researchers.
The organization said in the report released on Monday that hackers backed by the Iranian government have targeted at least 20 people in an ongoing social engineering and credential phishing campaign.
The advocacy organization’s joint technical analysis was conducted alongside Amnesty International’s Security Lab. It attributed the campaign – with high confidence – to a hacking group that numerous specialist companies, including Google, Mandiant, Recorded Future, and Proofpoint, have said is sponsored by the Iranian government.
The group is known as APT42 and is sometimes referred to as Charming Kitten. According to researchers, APT42 seeks access to sensitive information and contacts around the region.
HRW says its investigation shows hackers have successfully compromised the email and important data of at least three targeted victims – a correspondent for a major US newspaper, a women’s rights defender based in the Gulf region, and Nicholas Noe, an advocacy consultant for Refugees International based in Lebanon.
The attackers, called persistent by the Threat Analysis Group, a cybersecurity watchdog, gained access to the victims’ emails, cloud storage drives, calendars, and contacts. They also performed a Google Takeout, using a service that exports data from the core and additional services of a Google account.
“This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region,” Abir Ghattas, information security director at HRW, said.
HRW also called for Google to “promptly strengthen its Gmail account security warnings to better protect journalists, human rights defenders, and its most at-risk users from attacks.”
The campaign was uncovered when, in October 2022, an HRW staff member working in the Middle East and North Africa region received suspicious messages on WhatsApp from a person pretending to work for a think tank based in Lebanon, inviting them to a conference.
The investigation soon revealed that the phishing links sent via WhatsApp, once clicked, directed the target to a fake login page that captured the user’s email password and authentication code. Additional targets were then also identified.
HRW and Amnesty International contacted the 18 high-profile individuals identified as targets of this campaign. Fifteen of them responded and confirmed that they had received the same WhatsApp messages at some point between September 15 and November 25, 2022.
Social engineering and phishing attempts remain key components of Iranian cyberattacks. Since 2010, Iranian operators have targeted members of foreign governments, militaries, and businesses, as well as political dissidents and human rights defenders.
Over time, these attacks have become more sophisticated in the ways they execute what is known as “social engineering.” Mandiant also says APT42 also likes to deploy malware in operations when its objectives extend beyond credential harvesting.
More from Cybernews:
Subscribe to our newsletter