Mandiant links APT42 to Iranian 'terrorist org'
'It's hard to imagine a more dangerous scenario,' Mandiant Intel VP told The Reg
Mandiant has named a new threat group, APT42, that it says functions as the cyberspy arm of Iran's Islamic Revolutionary Guard Corps (IRGC), which has plotted to murder US citizens including former National Security Advisor John Bolton.
While its financial backers turn their attention to assasination attempts and other terrorist activities, APT42 favors selective spear-phishing to target corporate and personal email accounts, according to the Google-owned threat intel business.
Since at least 2015, the group has used these campaigns to harvest credentials and install Android spyware on victims' mobile devices, which they then use to track locations, monitor communications and otherwise surveil the activities of anyone deemed a threat to the Iranian government.
Its victims span at least 14 countries — the US, Australia, and those in Europe and the Middle East among them — and have included government officials, former Iranian policymakers, members of the Iranian diaspora and opposition groups, journalists and academics, according to Mandiant's research [PDF], published today.
According to Mandiant Intelligence VP John Hultquist, this group is especially dangerous because of its ties to the IRGC.
"The IRGC has been associated with everything from DDoS to physical destruction, assassinations, threats to safety and lives," he said, in an interview with The Register. "And APT42 appears to be supporting them as they physically track people, so it's hard to imagine a more dangerous scenario."
Mandiant says it can confirm more than 30 targeted APT42 operations involving credential harvesting, surveillance and malware deployment since 2015. However, the total number of breaches "is almost certainly much higher," according to the report.
The group often tries to build rapport with its targets by impersonating journalists or researchers and engaging the victims for days or even weeks before sending a malicious link.
- 77% of security leaders fear we're in perpetual cyberwar from now on
- Iran-linked Cobalt Mirage extracts money, info from US orgs – report
- Who is exploiting VMware right now? Probably Iran's Rocket Kitten, to name one
- Google, YouTube ban election trolls ahead of US midterms
In February, APT42 impersonated a British news organization to invite political science professors in Belgium and the United Arab Emirates with ties to Iran to a phony online interview via a customized PDF document with an embedded link to a Gmail credential harvesting page, Mandiant's threat intel team detailed in the research.
Also, between March and June 2020, during the height of the COVID-19 pandemic, the group attempted to steal personal email credentials from "high-profile individuals in the US pharmaceutical industry" by impersonating a University of Oxford vaccinologist and using a similar credential harvesting scheme designed to look like Gmail and Yahoo email services.
We see you, Charming Kitten
In its research, Mandiant says the Iranian threat group's activity "generally corresponds" with crime gangs tracked as TA453 (Proofpoint), Yellow Garuda (PwC) and ITG18 (IBM). It also shares similarities with the group Microsoft has dubbed Phosphorus and ClearSky, CERTFA and Google track as Charming Kitten.
And, in fact, Google's Threat Analysis Group (TAG) recently detailed an email-stealing malware attributed to Charming Kitten that corresponds to the campaigns outlined in the Mandiant report.
TAG dubbed the malware Hyperscrape, and said it is designed to siphon information from Gmail, Yahoo! and Outlook accounts. Hyperscrape runs locally on the infected Windows machine, and is able to iterate through the contents of a targeted inbox and individually download messages.
To hide its tracks, it can, among other things, delete emails alerting users to possible intrusions.
2020 US election interference
Additionally, in the lead-up to the US presidential election in 2020, Microsoft said it detected cyberattacks that it attributed to Phosphorus, targeting the personal email accounts of people associated with former president Donald Trump's campaign.
In light of this, and with the US midterm elections approaching, Hultquist suggests keeping an eye on APT42. "I wouldn't be surprised to find this group supporting some of the election intelligence requirements I'm sure the Iranian government has," he said.
It's also a reminder that Russian trolls aren't the only cybercriminals keen on sowing election-related chaos — or something more destructive.
"Unfortunately, Russia is not the only threat to our elections," Hultquist said. "There are few risks in cyber security that compare with having an organization like the IRGC reading your texts and emails, recording your calls, and tracking the location of your phone." ®