Iran-linked APT42 Actively Targets Key Entities in Middle East

Campaign strategy

• According to the report, the group has launched a broader campaign that makes use of a fake URL shortener mimicking the name of the legitimate URL shortener cutt[.]ly.
• The phishing link is distributed via WhatsApp. Once clicked, it directs the target to a fake login page crafted to mimic Microsoft, Google, or Yahoo login pages.
• Once victims enter their credentials on the phishing page, attackers’ phishing kits (with MFA bypass features) get access to their email accounts and steal sensitive data and credentials.

Targeting key figures

• The campaign compromised emails and other sensitive data belonging to a major U.S. newspaper, a women's rights defender based in the Gulf region, and Nicholas Noe, a Lebanon-based advocacy consultant for Refugees International.
• In addition, experts found 18 high-profile individuals and Human Rights Watch staff members as targets of this campaign, including six journalists.
• Most individuals confirmed that they received the exact same Whatsapp message—between September and November—from the same number that contacted other targets.

Post-compromise actions

• Attackers gained access to the targets’ emails, cloud storage drives, calendars, and contacts, almost immediately after the compromise.
• In addition, they synchronized the compromised mailbox and leveraged the Google Takeout service to export data related to web searches, payments, travel and locations, and YouTube activity.
• Victims remain unaware of Gmail account compromise and a Google Takeout initiation, as they don’t receive any security warnings or notifications from Google due to immediate compromise.

The bottom line