Hackers with ties to the Iranian government have been linked to an ongoing social engineering and credential phishing campaign directed against human rights activists, journalists, researchers, academics, diplomats, and politicians operating in the Middle East.
Human Rights Watch (HRW) said in a report released on Monday that at least 20 people are believed to have been targeted, and attributed the malicious activity to the hostile group tracked as APT42.
The campaign compromised the emails and other sensitive data of three of the targets: a correspondent for a major U.S. newspaper, a Gulf-based women’s rights advocate, and Nicholas Noe, an advocacy consultant for Lebanon-based Refugees International.
The intrusions gave the attackers access to emails, cloud storage, calendars and contacts, and to the full contents of the victims’ Google accounts, retrieved as archive files through Google Data Export.
“Iranian state-backed hackers are actively using sophisticated social engineering and credential harvesting tactics to gain access to confidential information and contacts held by Middle East-focused civil society organizations,” HRW said.
The infection chain begins when the target receives an unsolicited message on WhatsApp. Under the pretext of inviting the target to a meeting, the message lures the victim into clicking a specially crafted malicious URL that leads to spoofed login pages for Microsoft, Google, and Yahoo! and entering their credentials there.
These phishing pages can also carry out adversary-in-the-middle (AiTM) attacks, which can compromise accounts protected by any form of two-factor authentication (2FA) other than hardware security keys.
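The distinction drawn above between ordinary 2FA and hardware security keys is worth making concrete. The Python model below is an added example, not code from the HRW report or from any tool it describes; the origins, credential key and OTP values are constructed, and an HMAC stands in for the authenticator's asymmetric signature so it runs offline.

```python
import hashlib
import hmac
import json

# Constructed, simplified model (an assumption of this example): a real FIDO2
# authenticator signs with an asymmetric key, but an HMAC over the same signed
# data is enough to show why the origin check defeats a relaying proxy.
RP_ORIGIN = "https://accounts.example.com"                    # genuine service
PHISH_ORIGIN = "https://accounts-example.com.invite.example"  # constructed lookalike
CREDENTIAL_KEY = b"constructed-per-site-credential-key"


def verify_password_and_otp(password, otp, expected_password, expected_otp):
    """An OTP is just a string: nothing in it records which site the user
    typed it into, so a proxy can forward it unchanged to the real service."""
    return password == expected_password and otp == expected_otp

def authenticator_sign(challenge, origin):
    """The browser puts the page origin it is actually on into the signed
    client data (WebAuthn collectedClientData); the user cannot override it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    )
    sig = hmac.new(CREDENTIAL_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}

def relying_party_verify(assertion, challenge):
    """The genuine service accepts only a valid signature over ITS own origin
    and the challenge it issued for this login attempt."""
    data = json.loads(assertion["clientData"])
    expected = hmac.new(CREDENTIAL_KEY, assertion["clientData"].encode(),
                        hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, assertion["signature"])
            and data["origin"] == RP_ORIGIN
            and data["challenge"] == challenge)

def proxy_relays_otp():
    """Victim enters password + OTP on the phishing page; proxy forwards both."""
    captured_password, captured_otp = "hunter2", "482913"  # constructed values
    return verify_password_and_otp(captured_password, captured_otp, "hunter2", "482913")

def proxy_relays_fido_assertion():
    """Proxy forwards the real challenge, but the key signs the phishing origin."""
    challenge = "nonce-issued-by-real-service"
    assertion = authenticator_sign(challenge, PHISH_ORIGIN)  # victim is on the fake page
    return relying_party_verify(assertion, challenge)
```

The relayed OTP login succeeds while the relayed security-key assertion is rejected, which is the property the report relies on when it singles out hardware keys.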
According to HRW, the international non-governmental organization behind the report, 15 of the targeted individuals have been confirmed to have received the same WhatsApp message between September 15 and November 25, 2022.
HRW further criticized the limits of Google’s security protections, saying the phishing victims were “unaware that their Gmail accounts had been compromised or that a Google data export had been initiated, in part because the security warnings under Google’s Account Activity do not push or display any persistent notification in the user’s Gmail inbox, nor send a push message to the Gmail app on their phone.”
Requesting account data through Google Data Export is also a capability of HYPERSCRAPE, a .NET-based program first documented by Google’s Threat Analysis Group (TAG) in early August of this year, but HRW said it was unable to verify whether that tool was actually used in this specific incident.
Attribution to APT42 rests on overlaps between the source code of the phishing page and the source code of another spoofed login page that impersonated an unnamed U.S. think tank.
“This threat activity likely represents a broader campaign that leverages shortened URLs to direct victims to malicious pages and steal credentials,” Recorded Future said late last month. “This tradecraft is common among Iran-related Advanced Persistent Threat (APT) groups such as APT42 and Phosphorus.”
Additionally, the same source code was tied to another domain that was used in a social engineering attack by the Charming Kitten group, an operation disrupted by Google TAG in October 2021.
It is worth noting that Mandiant assesses both APT35 and APT42 to be linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), but that the latter targets individuals and groups for “domestic politics, foreign policy and regime stability purposes.”
“In the Middle East, where the threat of surveillance against activists is prevalent, it is imperative that digital security researchers not only publish and promote their findings, but also prioritize the protection of struggling activists, journalists and civil society leaders in the region.”