Experts attribute over 30 cyber espionage attacks against activists and dissidents to the Iran-linked APT42 (formerly UNC788).
They conducted the campaigns in 2015 and aimed at conducting information collection and surveillance operations against individuals and organizations of strategic interest to Teheran.
Mandiant researchers pointed out that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)’s Intelligence Organization (IRGC-IO).
Iran Hackers Actions Tracked By Top Research Team
APT42’s TTP overlap with another Iran-linked APT group tracked as APT35 which made headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.
Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. The APT group previously targeted medical research organizations in the US and Israel in late 2020, and for targeting academics from the US, France, and the Middle East region in 2019.
They have also previously targeted human rights activists and the media sector and interfered with US presidential elections.
APT42 focuses on highly targeted spear-phishing and social engineering techniques, and its operations broadly fall into three categories: credential harvesting, surveillance operations, and malware deployment.
Spanning Number of APT42 Operations Targeting Open Source Industry and Personal Email
Mandiant has observed over 30 confirmed targeted APT42 operations spanning these categories since early 2015. The total number of APT42 intrusion operations is almost certainly much higher based on the group’s high operational tempo.
However, visibility gaps were caused in part by the group’s targeting of personal email accounts, domestically focused efforts, and extensive open-source industry reporting on threat clusters likely associated with APT42.
APT42 activity varies according to the evolution of priorities and interests of the Iranian government, including campaigns pursuing domestic and foreign-based opposition factions.
Moreover, the attack chain starts with text messages sent to the victims, the malicious code allows spying on the recipients by recording audio and phone calls, harvesting multimedia content and SMSes, and tracking geolocations.
the group has displayed its ability to rapidly alter its operational focus as Iran’s priorities change over time amid evolving domestic and geopolitical conditions.
We assess with high confidence that APT42 will continue to perform cyber espionage and surveillance operations aligned with evolving Iranian operational intelligence collection requirements.
