Sprawling, multi-year Iranian cyberespionage and surveillance group exposed in new report

The Iranian cyberespionage group known as APT 42 is characterized by targeted spear phishing campaigns and extensive surveillance operations.

Iran’s Islamic Revolutionary Guard Corps Intelligence Organization has, since at least 2015, run a sprawling cyberespionage and surveillance operation against people and organizations of interest to the Iranian government, including within the U.S., researchers with cybersecurity firm Mandiant said Wednesday.

Parts of this activity have been documented and analyzed publicly over the years by various governments and private information security firms, such as Microsoft’s analysis of an Iranian U.S. election interference operation in 2019 linked to a group it tracks as Phosphorus, or a 2021 analysis from Proofpoint detailing an Iranian effort it tracked as TA453 that targeted senior medical professionals in the U.S. and Israel.

Wednesday’s research pulls the various operations together under one organizational umbrella that Mandiant is referring to as APT 42. The group is characterized by targeted spear phishing campaigns and surveillance operations. The outfit also spends considerable time building rapport with victims in order to facilitate successful attacks, the researchers said. Those attacks can include delivering malware used to track location, recording phone conversations, accessing video and images and extracting entire SMS text inboxes.

The report comes amid a flurry of Iranian-linked cyber activity. On Wednesday, the government of Albania severed diplomatic relations with Iran after blaming it for a series of cyberattacks beginning in July. The U.S. has vowed to take action against Iran in response to the attack on Albania, a NATO ally of the U.S.


Iran has also been engaged in a persistent cyber tit-for-tat with Israel dating back to at least last summer that has reportedly included efforts to lure Israeli targets to fake events in an effort to kidnap and harm them.

The cyber activity in support of those operations is perhaps the most concerning aspect of APT 42’s work, Mandiant Vice President of Intelligence John Hultquist told CyberScoop ahead of the report’s release.

“The agency behind these actors is very dangerous,” Hultquist said. “When we talk about cybersecurity, and who we’re protecting and what we’re protecting, there aren’t many risks that are more serious than somebody’s life being in danger that we deal with. And that’s definitely what could be on the table here.”

APT 42 targeting patterns focus largely on the Middle East region, the researchers said, but what distinguishes APT 42 activity is the targeting of “organizations and individuals deemed opponents or enemies of the regime, specifically gaining access to their personal accounts and mobile devices. The group has consistently targeted Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials, and the Iranian diaspora abroad.”

APT 42 also supports broader Iranian intelligence needs, the analysis concludes, such as targeting the pharmaceutical sector at the onset of the COVID-19 pandemic in March 2020, and pursuing domestic and foreign-based opposition groups prior to recent Iranian presidential elections.


“This indicates that APT42 is trusted by the Iranian government to quickly react to geopolitical changes by adjusting their flexible operations to targets of operational interest to Tehran,” the researchers said.

The analysts added that the group may also be connected with Iranian-linked ransomware activity, based on Microsoft’s 2021 analysis looking into the issue.

APT 42 remains “a threat to foreign policy officials, commentators, and journalists, particularly those in the United States, the United Kingdom, and Israel, working on Iran-related projects,” the researchers said. “Additionally, the group’s surveillance activity highlights the real-world risk to individual targets of APT42 operations, which include Iranian dual-nationals, former government officials, and dissidents both inside Iran and those who previously left the country, often out of fear for their personal safety.”

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).
