Iran’s APT42 Linked to Cyberattack, Google Reveals

Google has joined Microsoft in disclosing information about Iran’s cyber activities following a recent wave of attacks that led to a data breach from Donald Trump’s campaign headquarters. Google’s Threat Analysis Group (TAG) confirmed that Iran, specifically its APT42 group, which is part of the Islamic Revolutionary Guard Corps (IRGC), is responsible for the incident.

TAG also reported that numerous other attacks had been thwarted prior to this incident. Iranian hacker activity surged noticeably in May, with ongoing attempts to attack the teams of President Joe Biden, Vice President Kamala Harris, and Donald Trump.

APT42 employs a phishing method identified by Google experts as “Cluster C.” This method, initiated in 2022, involves attempts to impersonate NGOs and services like “Mailer Daemon.” The attacks extensively use the Bitly link-shortening service, enabling the attackers to distribute phishing links to targeted individuals such as military and political figures, as well as academics. Recipients of these emails often encounter phishing pages disguised as registration forms for conferences or cloud service documents, allowing cybercriminals to steal credentials.

According to Google, in May and June, APT42 targeted the personal email accounts of approximately a dozen individuals associated with Joe Biden and Donald Trump, including current and former U.S. government officials and campaign participants.

Social engineering is also heavily utilized by APT42 in their attacks. One method involves creating fake video calls via fraudulent websites controlled by the attackers. Victims receive email invitations to participate in video calls, where they are prompted to enter credentials that are subsequently stolen. In most cases, the attackers impersonate Google Meet, though other fake Google sites have been used in over 50 different campaigns. TAG experts highlighted the need for caution when receiving links to Dropbox, OneDrive, and Skype, which are also used in such attacks.

In some instances, victims may receive PDF documents that appear innocuous at first glance. The goal of these documents is to gain the victim’s trust and move the communication to other platforms like Signal, Telegram, or WhatsApp, where the attackers attempt to persuade the victim to download credential-stealing tools.

The most advanced toolkit used by APT42, known as GCollection, has been under continuous development since January 2023. This kit ensures a “seamless” process, including features such as multi-factor authentication, device PIN codes, and one-time recovery codes for email platforms like Google, Hotmail, and Yahoo.

The reconnaissance methods employed by APT42 involve leveraging open sources and social networks to find personal email addresses that may be less secure than corporate accounts. Once access to an account is gained, the attackers add additional mechanisms for re-entry, including changing backup email addresses and using application-specific passwords that bypass multi-factor authentication.

Similar social engineering and phishing techniques are used by APT42 in attacks on Israeli officials in the military, defense, and academic sectors, as well as in NGOs. These attacks are often accompanied by fake petitions and fictitious journalists seeking comments from high-ranking officials to compromise their accounts.