Cyber security experts have reportedly observed hackers from an Iranian state-sponsored threat group posing as journalists as part of a social engineering threat campaign.
American cyber security firm Mandiant released a joint report with Google Cloud this week, which said that hackers from the Iranian state-sponsored cyber espionage group APT42 were imitating journalists and human rights activists in an effort to pry credentials for cloud operations and gain access to them for data exfiltration.
“APT42 was observed posing as journalists and event organisers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents,” Mandiant said on the Google Cloud blog.
“These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments.
“Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran while relying on built-in features and open-source tools to avoid detection.”
According to the blog post, Mandiant believes that APT42 operates “on behalf of the Islamic Revolutionary Guard Corps Intelligence Organisation (IRGC-IO)”.
“APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest,” it said.
News outlets impersonated by APT42 include the US’ The Washington Post, the UK’s The Economist, Israel’s The Jerusalem Post, Azerbaijan’s Azadliq, the UAE’s Khaleej Times and more.
Threat actors reportedly use what Mandiant called “typosquatted” domains: domains that closely resemble real, legitimate domains but carry small, hard-to-spot differences intended to convince the victim that they are genuine, such as “washinqtonpost[.]com”, which swaps the g for a q.
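The q-for-g swap above is one instance of a general pattern that defenders can screen for automatically. The following Python script is an added example, not code from Mandiant or Google Cloud: it refangs a defanged indicator, folds common visually confusable character substitutions, and measures edit distance against a watchlist of brands an organisation cares about. The watchlist domains and the confusable-pair table are assumptions chosen for illustration (the article names the outlets, not their domains), and the sample indicators at the bottom are constructed.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed watchlist of brands to protect; the article names outlets, not
# domains, so these entries are assumptions for the example.
WATCHLIST = ["washingtonpost.com", "economist.com", "jpost.com", "khaleejtimes.com"]

# Visually confusable substitutions commonly abused in look-alike domains.
# This is an assumed, deliberately small table, not Mandiant's data.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("q", "g"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def extract_host(indicator: str) -> str:
    """Turn a raw URL or defanged indicator (e.g. 'washinqtonpost[.]com') into a bare hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" in s:
        s = urlparse(s).hostname or ""
    if s.startswith("www."):
        s = s[4:]
    return s


def normalize(host: str) -> str:
    """Fold Unicode and confusable ASCII pairs so a look-alike compares close to the brand it mimics.

    Dropping non-ASCII after NFKC is a crude homoglyph fallback; a production
    check would use an IDNA/confusables table instead.
    """
    folded = unicodedata.normalize("NFKC", host).encode("ascii", "ignore").decode()
    for lookalike, real in CONFUSABLES:
        folded = folded.replace(lookalike, real)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str, watchlist=WATCHLIST, max_distance: int = 2) -> dict:
    """Label an indicator as legitimate, a look-alike of a watchlist brand, or unrelated."""
    host = extract_host(indicator)
    if host in watchlist:
        return {"domain": host, "verdict": "legitimate", "brand": host, "distance": 0}
    folded = normalize(host)
    best, dist = None, None
    for brand in watchlist:
        d = levenshtein(folded, normalize(brand))
        if dist is None or d < dist:
            best, dist = brand, d
    verdict = "lookalike" if dist <= max_distance else "unrelated"
    return {
        "domain": host,
        "verdict": verdict,
        "brand": best if verdict == "lookalike" else None,
        "distance": dist,
    }


if __name__ == "__main__":
    # Constructed sample indicators, as they might appear in a phishing report.
    for sample in ["washinqtonpost[.]com", "https://www.econornist.com/article", "washingtonpost.com", "example.org"]:
        print(classify(sample))
```

Subdomain tricks (the brand name placed in front of an unrelated registrable domain) are out of scope for this distance check and need a public-suffix split on top of it; the point here is that the single-character swap the article describes collapses to distance 0 once confusables are folded, which is what makes it worth alerting on.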
The links sent in these social engineering attacks are often made to look like legitimate news articles but redirect the user to fake Google login pages that harvest whatever credentials are entered. This campaign began in 2021 and is still active today.
In addition to posing as journalists, Mandiant has observed threat actors posing as legitimate services with generic login pages for YouTube, file hosting services and more to gain credentials from targets deemed a “threat to the Iranian regime”.
Mandiant said that alongside attempts to gain access to cloud storage, APT42 has been observed using a pair of malware-based backdoors, which it delivers through social engineering techniques such as spear phishing.
The two backdoors, NICECURL and TAMECAT, are designed to give the threat actors initial access to victim systems “that might be used as a command execution interface or as a jumping point to deploy additional malware”, Mandiant added.
Mandiant said there is no evidence that the organisations that were impersonated were ever hacked themselves. However, organisations should be cautious of increased Iranian cyber threats, particularly due to current tensions surrounding Iran and the conflict between Israel and Palestine.
In an earlier report, Mandiant said it had observed Iranian hackers imitating Boeing and DJI recruiters to target the aerospace and aviation industries in the UAE and Israel, among other countries.