Senior officials, current or former, journalists, activists, lobbyists, and senior think tank personnel are all targets of cyber threat actors working on behalf of the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).
Following the indictment that alleges Iranian nationals for a wide-ranging hacking conspiracy, the Federal Bureau of Investigation (FBI) released an advisory highlighting how Iranian threat actors choose and target their victims.
IRGC-sponsored threat actors rely heavily on a wide range of social engineering techniques to gain access to personal and business accounts.
They often impersonate professional contacts via email or messaging platforms, known as email service providers to solicit sensitive user security information. They often attempt to build conversations and trust before soliciting victims to access a document via a hyperlink, redirecting to a false email account login page used for credential harvesting.
Cybernews has previously reported on Iranian phishers masquerading as podcasters to target a prominent Jewish religious figure.
While IRGC often targets victims with links to Iranian and Middle Eastern affairs, more recently, the FBI has observed threat actors attacking persons associated with US political campaigns.
“Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors. Victims sometimes gain access to the document but may receive a login error,” the FBI advisory explains.
Iranian menaces do their homework before choosing social engineering tactics. Some of the other previous attempts included the following areas:
- Impersonations of known individuals, associates, and/or family members.
- Impersonations of known email service providers regarding account settings.
- Requests from impersonation accounts of well-known journalists for interviews.
- Conference invitations.
- Speaking engagement requests.
- Embassy events.
- Foreign policy discussions/opinions and article reviews.
- Current US campaigns and elections.
Successful compromise is often followed by suspicious logins to victim accounts from foreign or domestic IP addresses, the creation of message handling rules to forward emails, and the prevention of victims from receiving compromise notifications. Hackers connect unknown devices, applications, or accounts to victim accounts, exfiltrate and delete the messages, and attempt to access other accounts.
To appear legitimate, cyber actors create malicious domains resembling real institutions. In the past, they used such websites as atlantic-council[.]com, bitly[.]org[.]il, daemon-mailer[.]com and many others.
FBI and other authorities recommend precautionary measures tailored to recognize social engineering and spoofing attempts – be suspicious of any unsolicited contacts, links, especially shortened (such as bit.ly or tinyurl), files, and impersonations of legitimate services.
The advisory includes proposed enterprise-level mitigation measures, such as user training, email security controls, and multi-factor authentication.
Your email address will not be published. Required fields are markedmarked