Members of an infamous Iranian state-sponsored cyber espionage group are impersonating journalists in a wide-ranging social engineering campaign, says a new report.
According to research released Wednesday by Mandiant – an American cybersecurity firm – and Google Cloud, members of the Iranian hacking crew known as APT42 pretended to be journalists and human rights activists to steal credentials and access victim cloud environments.
The news organizations impersonated in the campaign include The Washington Post, The Economist, and The Jerusalem Post. The group also spoofed think tanks such as the Aspen Institute, the McCain Institute, and the Washington Institute.
“APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments,” said the researchers.
“Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran while relying on built-in features and open-source tools to avoid detection.”
As per Mandiant, APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization. The latter group is responsible for monitoring and preventing threats to Iran – both foreign and domestic.
The group is also known for its extensive credential harvesting operations that are often accompanied by tailored spear-phishing campaigns and extensive social engineering.
In the case of attacking news organizations and think tanks, Iranian hackers masqueraded behind generic login pages, file hosting services, and legitimate services like YouTube, Google Drive, Gmail, and Google Meet.
For example, in March 2023, APT42 sent a spear-phishing email with a fake Google Meet invitation, allegedly sent on behalf of Mona Louri, a likely fake persona leveraged by APT42, claiming to be a human rights activist and researcher.
Upon entry, the user was presented with a fake Google Meet page and asked to enter their credentials, which were subsequently sent to the attackers.
According to Mandiant, there is no evidence that the spoofed organizations themselves were hacked or compromised in any way. Nevertheless, Iranian cyberespionage hackers have been rather active lately,
In February 2024, Mandiant warned that Iranian hackers have been posing as recruiters from Boeing and drone manufacturer DJI and targeting aerospace, aviation, and defense industries in countries such as Israel and the United Arab Emirates.
Your email address will not be published. Required fields are markedmarked