
APT42 Intensifies Phishing Campaigns Against U.S., Israeli Targets


In the past six months, the U.S. and Israel made up 60 percent of APT42’s known geographic targeting, according to new research.

An Iranian government-backed threat actor has been sending phishing messages to current and former government officials, political campaign workers, diplomats and employees at think tanks, non-government organizations and academic institutions in the U.S. and Israel.

The known Iranian state-sponsored group, APT42, has launched dozens of confirmed operations against various non-profit, education and government targets globally since 2015. Most recently, researchers on Wednesday said the group has launched an “aggressive, multi-pronged effort to quickly alter its operational focus in support of Iran’s political and military priorities.” These campaigns also leveraged phishing tools like the GCollection/LCollection/YCollection credential harvesting tool and DWP browser-in-the-browser phishing kit.

“In the past six months, the U.S. and Israel accounted for roughly 60% of APT42’s known geographic targeting, including the likes of former senior Israeli military officials and individuals affiliated with both U.S. presidential campaigns,” according to Google’s Threat Analysis Group on Wednesday.

APT42 has used many different tactics in its phishing campaigns over the years, with the end goal of harvesting credentials for personal and corporate email accounts in order to steal documents, research and information pertinent to Iran. One of these tactics, as seen in its most recent campaigns against entities in the U.S. and Israel, is the abuse of services like Google Drive, Gmail, Dropbox or OneDrive in order to host malware or create phishing pages. Google has worked to stamp out some of the infrastructure abusing its own sites and services, saying that over the course of six months it has disrupted attacker-created Google Sites in more than 50 campaigns.

“In the course of our work to disrupt APT42, TAG reset any compromised accounts, sent government-backed attacker warnings to the targeted users, updated detections, disrupted malicious Google Sites pages, and added malicious domains and URLs to the Safe Browsing blocklist — dismantling the group’s infrastructure,” researchers said.

As part of this campaign, APT42 has more intensely targeted users in Israel. In April, the group specifically started to seek out people with connections to Israel’s military and defense sectors. For example, Google said it took down multiple attacker-created Google Sites pages pretending to be a petition from the Jewish Agency for Israel, a legitimate non-profit entity, which included URLs that would redirect users to phishing pages. In another attack, the threat group pretended to be a journalist and used social engineering tactics to attempt to gain the trust of former Israeli military officials and an aerospace executive.

“The emails were sent from accounts hosted by a variety of email service providers, and did not contain malicious content,” said researchers. “These emails were likely meant to elicit engagement from the recipients before APT42 attempted to compromise the targets. Google suspended identified Gmail accounts associated with APT42.”

In other attacks, the threat group targeted accounts associated with both the Biden and Trump presidential campaigns. As recently reported, this campaign successfully breached accounts across multiple email providers, including the compromise of a personal Gmail account for a high-profile political consultant. However, these targeted attacks are part of a broader wave of campaigns against U.S. targets, including ones against U.S. military members that used typosquatting methods (leveraging the domain understandingthewar[.]org to impersonate the legitimate Institute for the Study of War, for instance).
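The typosquatting technique described above (understandingthewar[.]org standing in for the Institute for the Study of War) is the kind of thing a mail-security team can screen for automatically. The following is an added example, not code from Google TAG or from this article: it refangs a sender domain, folds a few common look-alike characters, and measures the edit distance between the domain's second-level label and each label on a watchlist of legitimate domains, flagging near-misses. The watchlist, the sample sender addresses and the distance thresholds are constructed for this example; the legitimate ISW domain understandingwar.org is an assumption of the example and is not stated on the page.

```python
"""Flag look-alike (typosquat) sender domains against a watchlist.

Added illustration, not Google TAG's or the article's code. WATCHLIST,
SAMPLE_SENDERS and the thresholds are constructed; the only page-derived
value is the impersonating domain understandingthewar[.]org. The real
domain it imitates (understandingwar.org) is assumed here, not quoted
from the page.
"""

# Constructed watchlist of domains an organisation wants to protect.
WATCHLIST = ["understandingwar.org", "jewishagency.org", "example.org"]

# Digits frequently used to imitate letters in registered look-alikes.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample of sender addresses as they might appear in a mail log
# or a defanged threat report.
SAMPLE_SENDERS = [
    "analyst@understandingwar.org",          # legitimate
    "newsletter@understandingthewar[.]org",  # inserted word, defanged
    "press@under5tandingwar.org",            # digit-for-letter swap
    "friend@gmail.com",                      # unrelated
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'foo[.]org' back into 'foo.org'."""
    return domain.replace("[.]", ".").strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label: 'mail.understandingwar.org' -> 'understandingwar'.
    Assumes a one-label public suffix (no .co.uk handling) for brevity."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def lookalike_of(domain: str, watchlist=WATCHLIST):
    """Return the watchlist domain that `domain` most resembles, or None.

    Exact matches and legitimate subdomains are never look-alikes. A
    candidate is flagged when its confusable-folded label is within a
    length-scaled edit distance of a protected label (1 edit for labels
    under 10 characters, 2 up to 14, 3 up to 19, and so on)."""
    domain = refang(domain)
    for legit in watchlist:
        if domain == legit or domain.endswith("." + legit):
            return None
    label = registrable_label(domain).translate(CONFUSABLES)
    best = None
    for legit in watchlist:
        legit_label = registrable_label(legit)
        threshold = max(1, len(legit_label) // 5)
        d = levenshtein(label, legit_label)
        if d <= threshold and (best is None or d < best[1]):
            best = (legit, d)
    return best[0] if best else None


def scan_senders(addresses, watchlist=WATCHLIST):
    """Return (sender_domain, impersonated_domain) pairs worth a closer look."""
    hits = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1]
        match = lookalike_of(domain, watchlist)
        if match:
            hits.append((refang(domain), match))
    return hits


if __name__ == "__main__":
    for sender, target in scan_senders(SAMPLE_SENDERS):
        print(f"possible typosquat: {sender} resembles {target}")
```

The length-scaled threshold keeps short labels strict (one edit) while allowing the three-character insertion seen in understandingthewar versus understandingwar. In practice the watchlist would be the organisation's own partners and peers, and hits would be routed to a triage queue rather than auto-blocked, since a single-edit neighbour of a short label is often an unrelated legitimate domain.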

Looking ahead, researchers said that APT42 shows “no signs of stopping their attempts to target users and deploy novel tactics.”

“This spring and summer, they have shown the ability to run numerous simultaneous phishing campaigns, particularly focused on Israel and the U.S.,” said researchers. “As hostilities between Iran and Israel intensify, we can expect to see increased campaigns there from APT42.”