Iranian hackers impersonate journalists in social engineering campaign
A hacking group linked to the intelligence wing of Iran’s Revolutionary Guard Corps impersonated journalists and human rights activists as part of a social engineering campaign, according to research released Wednesday by Mandiant and Google Cloud.
The news organizations impersonated in the operation include The Washington Post, The Economist and The Jerusalem Post, and Mandiant’s researchers assess that the campaign was carried out by the hacking crew known as APT42. The group also spoofed prominent Washington think tanks, including the Aspen Institute, the McCain Institute and the Washington Institute.
According to Mandiant, the Iranian hackers spoofed these organizations in order to send phishing lures to targets meant to harvest their credentials. In other cases, the attackers masqueraded behind generic login pages, file hosting services, and legitimate services like YouTube, Gmail, Google Meet and Google Drive.
“APT42 was observed posing as journalists and event organizers to build trust with victims through ongoing correspondence and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to Cloud environments,” wrote authors Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock and Jonathan Leathery.
Mandiant said there is no evidence that the spoofed organizations themselves were hacked or compromised in any way.
Wednesday’s report is the latest in a string of incidents in which Iranian hacking groups have used fake personas to trick their victims. Last year, SecureWorks detailed an effort by APT42 to use such personas and social media accounts to conduct phishing attacks on researchers around the world focused on Iran, including by inviting them to contribute to a forthcoming report from the Atlantic Council.
According to Mandiant, members of APT42, which is also known as Charming Kitten, TA453 and Mint Sandstorm or Mint Phosphorous, have been engaged in a widespread social engineering campaign since at least 2019.
The ultimate goal behind the efforts appears to be espionage, with the group using the stolen credentials to access the cloud environments of victim organizations and pilfer data of strategic interest to Tehran.
In one instance in February, a domain controlled by the group hosted a document apparently about women’s rights on DropBox and impersonated an Iranian filmmaker and a Fox News contributor to enhance the legitimacy of the lure. Another domain was used to host a decoy document on “The Secrets of Gaza Tunnels” in March, likely in an effort to play off interest in the ongoing Israel-Gaza conflict.
In many cases, the documents themselves were not laced with malware, something Mandiant said was likely an effort to establish a rapport with victim organizations and lay the groundwork for credential phishing. Once they obtained credentials, the actors bypassed multifactor authentication protections by creating cloned websites to capture MFA tokens and sending push notifications to victims.
That facilitated access to the victims’ Microsoft 365 cloud environments, where APT42 was able to steal data from OneDrive, Outlook emails and other documents related to Iranian geopolitical interests. The actor leveraged a mix of built-in features and open-source tools to obfuscate their presence in victim networks.
“The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders,” the authors note.
While other Iranian threat groups have pivoted to disruptive and destructive attacks since the start of the Israel-Gaza conflict, Mandiant said APT42 has remained laser-focused on its traditional remit of intelligence collection from foreign targets.
