
Iran-linked APT42 Actively Targets Key Entities in Middle East

Iranian hacking group APT42, which is known to share overlaps with Charming Kitten (aka APT35 or Phosphorus), was recently found launching a social engineering and credential phishing campaign. The campaign targets human rights activists, journalists, researchers, academics, diplomats, and politicians working in the Middle East.

Campaign strategy

The international non-governmental organization Human Rights Watch (HRW) and Amnesty International’s Security Lab published a report about the recent APT42 activity.
  • According to the report, the group has launched a broader campaign that makes use of a fake URL shortener mimicking the name of the legitimate URL shortener cutt[.]ly.
  • The phishing link is distributed via WhatsApp. Once clicked, it directs the target to a fake login page crafted to mimic Microsoft, Google, or Yahoo login pages.
  • Once victims enter their credentials on the phishing page, the attackers’ phishing kits (which include MFA bypass features) gain access to the victims’ email accounts and harvest sensitive data and further credentials from them.
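The lure in this campaign was a link whose domain imitated the legitimate shortener cutt.ly. The following detector is an added example (not code from the report or from Cyware) that classifies a URL’s domain as legitimate, a lookalike of a known shortener, or unrelated. It undoes common defanging, folds digit-for-letter confusables, catches brand-as-subdomain abuse, and scores the remaining cases by string similarity. The confusable table, the threshold, the extra shortener names beyond cutt.ly and all sample URLs are constructed assumptions; no actual campaign domain is used.

```python
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Legitimate shortener domains a phishing lookalike would imitate.
# The campaign on this page imitated cutt.ly; the other two are added for breadth.
KNOWN_SHORTENERS = ("cutt.ly", "bit.ly", "tinyurl.com")

# Digit/letter confusables often used in lookalike domains (constructed table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

# Similarity at or above this value is treated as a lookalike (assumed tuning value).
SIMILARITY_THRESHOLD = 0.75


def normalize_host(host: str) -> str:
    """Fold case and Unicode, then map confusable characters to their Latin lookalikes."""
    host = unicodedata.normalize("NFKC", host.lower())
    for glyph, plain in CONFUSABLES.items():
        host = host.replace(glyph, plain)
    return host


def registered_domain(host: str) -> str:
    """Last two labels of the host (adequate for these TLDs; no public-suffix list used)."""
    return ".".join(host.split(".")[-2:])


def letters_only(domain: str) -> str:
    """Drop separators so 'cutt-ly' and 'cutt.ly' compare as the same string."""
    return domain.replace(".", "").replace("-", "")


def classify_url(url: str) -> dict:
    """Return a verdict dict: legitimate, lookalike, or unrelated to a known shortener."""
    # Undo the usual defanging before parsing so urlparse sees a normal URL.
    url = url.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    if "://" not in url:
        url = "http://" + url
    host = normalize_host(urlparse(url).hostname or "")
    reg = registered_domain(host)
    best = {"verdict": "unrelated", "imitates": None, "similarity": 0.0, "host": host}

    for legit in KNOWN_SHORTENERS:
        if reg == legit:
            return {"verdict": "legitimate", "imitates": legit, "similarity": 1.0, "host": host}
        # Brand used as a subdomain of an unrelated registered domain, e.g. cutt.ly.<other>.
        if host != legit and ("." + host).find("." + legit + ".") != -1:
            return {"verdict": "lookalike", "imitates": legit, "similarity": 1.0, "host": host}
        # Compare both the whole registered domain and its second-level label alone,
        # so 'cutt.li' and 'cutt-ly.example' both score against 'cuttly'.
        candidates = (letters_only(reg), letters_only(reg.split(".")[0]))
        ratio = max(SequenceMatcher(None, c, letters_only(legit)).ratio() for c in candidates)
        if ratio > best["similarity"]:
            best.update(imitates=legit, similarity=round(ratio, 3))

    if best["similarity"] >= SIMILARITY_THRESHOLD:
        best["verdict"] = "lookalike"
    else:
        best["imitates"] = None
    return best


if __name__ == "__main__":
    # Constructed sample URLs; none is a real campaign indicator.
    for sample in ("https://cutt.ly/abc123", "hxxps://cutt[.]li/abc",
                   "http://cutt-ly.example/login", "https://cutt.ly.example.net/x",
                   "https://example.org/page"):
        print(sample, "->", classify_url(sample))
```

The confusable folding is deliberately aggressive (it would also rewrite a benign “modern.example”), so treat the output as a triage signal for a message-filtering or awareness pipeline rather than a blocking decision on its own.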

Targeting key figures

  • The campaign compromised emails and other sensitive data belonging to a major U.S. newspaper, a women's rights defender based in the Gulf region, and Nicholas Noe, a Lebanon-based advocacy consultant for Refugees International.
  • In addition, experts found 18 high-profile individuals and Human Rights Watch staff members as targets of this campaign, including six journalists.
  • Most individuals confirmed that they received the exact same WhatsApp message, between September and November, from the same number that contacted other targets.

Post-compromise actions

  • Attackers gained access to the targets’ emails, cloud storage drives, calendars, and contacts, almost immediately after the compromise.
  • In addition, they synchronized the compromised mailbox and leveraged the Google Takeout service to export data related to web searches, payments, travel and locations, and YouTube activity.
  • Victims remain unaware that their Gmail account was compromised and that a Google Takeout export was initiated, because the attackers act immediately after the compromise and Google sends the victim no security warning or notification for these actions.
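Because the victim receives no notification, this kind of post-compromise activity has to be found in the account audit trail. The following correlation rule is an added example (not code from the report, from Cyware, or from Google) that flags a data export initiated shortly after a login from a source IP never seen before for that user, and adds weight when mailbox synchronization was enabled in the same window. The event schema, event type names, IP baseline and all sample records are constructed assumptions, not the format of any real audit log.

```python
from datetime import datetime, timedelta

# Constructed sample audit events. Field names and event types are assumptions for this
# example; they are not the schema of Google Workspace or any other real audit log.
SAMPLE_EVENTS = [
    {"ts": "2022-10-03T08:02:11Z", "user": "reporter@example.org", "type": "login", "ip": "203.0.113.7"},
    {"ts": "2022-10-03T08:02:40Z", "user": "reporter@example.org", "type": "mailbox_sync_enabled", "ip": "203.0.113.7"},
    {"ts": "2022-10-03T08:05:02Z", "user": "reporter@example.org", "type": "data_export_initiated", "ip": "203.0.113.7"},
    {"ts": "2022-10-03T09:15:00Z", "user": "analyst@example.org", "type": "login", "ip": "198.51.100.9"},
    {"ts": "2022-10-05T10:00:00Z", "user": "analyst@example.org", "type": "data_export_initiated", "ip": "198.51.100.9"},
    {"ts": "2022-10-04T12:00:00Z", "user": "editor@example.org", "type": "login", "ip": "192.0.2.22"},
    {"ts": "2022-10-04T12:10:00Z", "user": "editor@example.org", "type": "data_export_initiated", "ip": "192.0.2.22"},
]

# Source IPs previously seen for each account (constructed baseline).
KNOWN_IPS = {
    "reporter@example.org": {"192.0.2.10"},
    "analyst@example.org": {"198.51.100.9"},
    "editor@example.org": {"192.0.2.22"},
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; the 'Z' suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspicious_exports(events, known_ips, window=timedelta(minutes=30)):
    """Return alerts for exports preceded, within `window`, by a login from an unfamiliar IP.

    A mailbox-sync event in the same window is recorded as an additional reason, matching
    the sequence described on this page (sync, then Takeout export).
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for index, event in enumerate(ordered):
        if event["type"] != "data_export_initiated":
            continue
        export_time = parse_ts(event["ts"])
        baseline = known_ips.get(event["user"], set())
        reasons = []
        for prior in ordered[:index]:
            if prior["user"] != event["user"]:
                continue
            gap = export_time - parse_ts(prior["ts"])
            if gap > window:
                continue
            if prior["type"] == "login" and prior["ip"] not in baseline:
                reasons.append(
                    f"login from unfamiliar IP {prior['ip']} {int(gap.total_seconds())}s before export"
                )
            elif prior["type"] == "mailbox_sync_enabled":
                reasons.append("mailbox sync enabled shortly before export")
        # Only the unfamiliar-login condition makes the export suspicious on its own;
        # a sync event adds context but does not fire the alert by itself.
        if any(r.startswith("login from unfamiliar IP") for r in reasons):
            alerts.append({"user": event["user"], "export_at": event["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_exports(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

In the sample data only the reporter’s export fires: the analyst’s export is two days after the login and from a known IP, and the editor’s export follows a login from a baselined address. The baseline of known IPs is the part that needs real care in production; it should be built from a long history per account, not from the same day being examined.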

The bottom line

Various security companies have reported that APT42 is targeting Middle East-focused researchers, civil society groups, and dissidents for domestic politics, foreign policy, and regime stability purposes. The group’s focused approach highlights that individuals should avoid clicking on suspicious messages and links received from unknown sources and take extra security measures to safeguard against surveillance threats.
Cyware Publisher