An Iranian state-sponsored group called APT42 has launched over 30 confirmed operations against various non-profit, education and government targets globally since 2015. The group’s end goal has revolved around harvesting credentials for personal and corporate email accounts in order to steal documents and research pertinent to Iran, and tracking the locations and communications of Iranian government dissidents.
Researchers with Mandiant said the group’s operations have included credential harvesting, surveillance campaigns and malware deployment. While the group’s activity is focused on the Middle East region, it has also targeted Western think tanks, journalists and government officials that oppose the Islamic Revolutionary Guard Corp (IRGC) regime, as well as former Iranian government officials. Mandiant researchers said they assess “with high confidence” that APT42 conducts espionage operations on behalf of the Iranian government due to this persistent targeting of high-priority victims both inside and outside of Iran.
“APT42 activity poses a threat to foreign policy officials, commentators, and journalists, particularly those in the United States, the United Kingdom, and Israel, working on Iran-related projects,” said researchers with Mandiant in a Wednesday analysis. “Additionally, the group’s surveillance activity highlights the real-world risk to individual targets of APT42 operations, which include Iranian dual-nationals, former government officials, and dissidents both inside Iran and those who previously left the country, often out of fear for their personal safety.”
APT42 was previously tracked by Mandiant as UNC788. Mandiant uses the term “UNC,” or uncategorized, to mark a cluster of activity that is not yet ready to be classified as an APT. Once researchers understand more about UNC operations across the attack lifecycle and have associated the activity with a state-aligned program, they can then “graduate” these groups into an APT. Researchers also noted that APT42 is consistent with publicly reported activity clusters that include TA453, ITG18, Phosphorus and Charming Kitten.
“APT42 activity poses a threat to foreign policy officials, commentators, and journalists, particularly those in the United States, the United Kingdom, and Israel, working on Iran-related projects."
Researchers have observed APT42 stealing credentials for corporate and personal email accounts, as well as collecting multi-factor authentication (MFA) codes to bypass authentication methods. For instance, in May 2017, the group sent spear-phishing emails to the senior leadership of an Iranian opposition group that was operating out of Europe and North America. The emails mimicked a legitimate Google correspondence, containing links to fake Google Books pages that then redirected victims to sign-in pages attempting to steal their credentials and MFA authentication codes.
These credential harvesting campaigns have involved sophisticated social engineering tactics, with APT42 in one case posing as a well-known journalist from a U.S. media organization and requesting an interview from a target, engaging them for 37 days before finally sending them the phishing landing page.
Outside of credential harvesting, APT42 has also used custom backdoors and tools that included publicly available code copied from GitHub projects, leading researchers to believe that APT42 may have limited in-house resources for malware development. Malware families that have been utilized include VBA-based dropper TabbyCat and reverse shell macro VbrevShell, custom reconnaissance tool PowerPost and PowerShell backdoor TameCat. These have been delivered via malicious documents sent through links in spear-phishing emails. Researchers also noted that APT42 has deployed Android mobile malware that is designed to track locations and monitor communications of victims.
In the coming years, researchers assessed “with high confidence” that APT42 will continue its espionage and surveillance operations that are "aligned with evolving Iranian operational intelligence collection requirements."
“We do not anticipate significant changes to APT42’s operational tactics and mandate given the long history of activity and imperviousness to infrastructure takedowns and a media spotlight on operational security failures,” said Mandiant researchers. “Nevertheless, the group has displayed its ability to rapidly alter its operational focus as Iran’s priorities change over time with evolving domestic and geopolitical conditions.”