Cyber-espionage group APT42 uses spear phishing, surveillance operations in support of Iran’s strategic priorities

Mandiant disclosed details of an APT42 Iranian state-sponsored cyber espionage group that relies primarily on highly targeted social engineering efforts to achieve its objectives against individuals and organizations of interest to the Iranian government. The firm said that APT42 would continue to perform cyber espionage and surveillance operations aligned with evolving Iranian operational intelligence collection requirements.

APT42 operations include highly targeted spear phishing and surveillance operations that have included accessing the personal and corporate email accounts of government officials, former Iranian policymakers or political figures, members of the Iranian diaspora and opposition groups, journalists, and academics who are involved in research on Iran, Mandiant said in a report.

The firm assesses with high confidence that the hacker group is tasked with conducting information collection and surveillance operations. It also estimates with moderate confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO) based on targeting patterns aligned with its operational mandates and priorities.

APT42 has targeted various sectors, including civil society and nonprofits, education, governments, healthcare, legal and professional services, manufacturing, media and entertainment, and pharmaceuticals. It has targeted organizations in at least 14 countries since Mandiant’s first observation of its activity in 2015, including in Australia, Europe, the Middle East, and the U.S. 

Mandiant said that the targeting patterns for APT42 operations are similar to other Iranian cyber espionage actors, with a large segment of activity focused on the Middle East region. However, unlike other suspected IRGC-affiliated cyber espionage groups that have focused on targeting the defense industrial base or conducting a large-scale collection of personally identifiable information (PII), APT42 primarily targets organizations and individuals deemed opponents or enemies of the regime, specifically gaining access to their accounts and mobile devices. 

The group has consistently targeted Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials, and the Iranian diaspora abroad, Mandiant disclosed. In addition, some APT42 activity indicates the group alters its operational focus as Iran’s priorities evolve, which included targeted operations against the pharmaceutical sector at the onset of the COVID-19 pandemic in March 2020 and the pursuit of domestic and foreign-based opposition groups before an Iranian presidential election. “This indicates that APT42 is trusted by the Iranian government to quickly react to geopolitical changes by adjusting their flexible operations to targets of operational interest to Tehran,” it added.

The APT42 group operations fall into three categories – credential harvesting, surveillance operations, and malware deployment, Mandiant said. After gaining access, the group deployed mobile malware capable of tracking victim locations, recording phone conversations, accessing videos and images, and extracting entire SMS inboxes.

“APT42 has a demonstrated ability to alter its operational focus as Iran’s priorities evolve over time,” according to Mandiant. “We anticipate APT42 will continue to conduct cyber espionage operations in support of Iran’s strategic priorities in the long term based on their extensive operational history and imperviousness to public reporting and infrastructure takedowns.”

Mandiant established that once successfully authenticated to a victim’s personal or corporate email account, APT42 registers its own Microsoft Authenticator application as a new MFA. In addition, APT42 uses a variety of primarily lightweight malware, some of which are based on publicly available scripts.
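A defender-side check for the MFA-registration step Mandiant describes, as an added example that is not part of the report: it scans a constructed, simplified sign-in and audit log (the field names are assumptions, not the real Entra ID schema) and flags an authentication-method registration that follows shortly after an account's first sign-in from a country it had never used before.

```python
# Added example: flag an MFA-method registration that closely follows a sign-in
# from a country the account has not used before. The event schema is a
# constructed, simplified one (assumed field names), not a real audit-log format.
from datetime import datetime, timedelta

# Constructed sample events (ISO timestamps). Alice has a history in DE, then a
# sign-in from TR followed minutes later by a new Authenticator registration.
# Bob is a brand-new account whose first sign-in is followed by enrolment.
EVENTS = [
    {"ts": "2022-09-01T08:00:00", "user": "alice@example.org", "type": "signin",
     "country": "DE", "ip": "203.0.113.5"},
    {"ts": "2022-09-02T08:05:00", "user": "alice@example.org", "type": "signin",
     "country": "DE", "ip": "203.0.113.5"},
    {"ts": "2022-09-03T22:14:00", "user": "alice@example.org", "type": "signin",
     "country": "TR", "ip": "198.51.100.7"},
    {"ts": "2022-09-03T22:21:00", "user": "alice@example.org",
     "type": "mfa_method_added", "method": "Microsoft Authenticator"},
    {"ts": "2022-09-04T09:00:00", "user": "bob@example.org", "type": "signin",
     "country": "DE", "ip": "203.0.113.9"},
    {"ts": "2022-09-04T09:30:00", "user": "bob@example.org",
     "type": "mfa_method_added", "method": "Microsoft Authenticator"},
]


def find_suspicious_mfa_registrations(events, window=timedelta(hours=2)):
    """Return (user, registration_ts, country) for every MFA-method registration
    that occurs within `window` of the user's first sign-in from a country not
    seen in that user's earlier sign-ins. A user's very first sign-in ever is
    not treated as 'new country', so normal onboarding enrolment is not flagged."""
    seen = {}        # user -> set of countries seen in earlier sign-ins
    recent_new = {}  # user -> (timestamp, country) of latest new-country sign-in
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort in time order
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["type"] == "signin":
            known = seen.setdefault(user, set())
            if known and ev["country"] not in known:
                recent_new[user] = (ts, ev["country"])
            known.add(ev["country"])
        elif ev["type"] == "mfa_method_added":
            last = recent_new.get(user)
            if last and ts - last[0] <= window:
                hits.append((user, ev["ts"], last[1]))
    return hits


if __name__ == "__main__":
    for user, ts, country in find_suspicious_mfa_registrations(EVENTS):
        print(f"review: {user} added an MFA method at {ts} after first sign-in from {country}")
```

On the constructed data only Alice's registration is reported; Bob's first-day enrolment is skipped because there was no earlier sign-in history to compare against.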

Active since at least 2015, APT42 has been characterized by highly targeted spear phishing and surveillance operations against individuals and organizations of strategic interest to Iran, according to Mandiant. The group’s operations, which are designed to build trust and rapport with their victims, have included accessing the personal and corporate email accounts of government officials, former Iranian policymakers or political figures, members of the Iranian diaspora and opposition groups, journalists, and academics who are involved in research on Iran. 

APT42 operations are said to frequently target corporate and personal email accounts through highly targeted spear-phishing campaigns with an enhanced emphasis on building trust and rapport with the target before attempting to steal their credentials. Mandiant also indicates that the group uses credential harvesting to collect multi-factor authentication (MFA) codes in order to bypass authentication methods, and has used compromised credentials to pursue access to the networks, devices, and accounts of employers, colleagues, and relatives.

As of late 2015, a subset of APT42’s infrastructure served as command-and-control (C2) servers for Android mobile malware designed to track locations, monitor communications, and generally surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran, Mandiant said. While APT42 primarily prefers credential harvesting over activity on disk, several custom backdoors and lightweight tools complement its arsenal. The group likely incorporates these tools into their operations when the objectives extend beyond credential harvesting. 

Mandiant has observed over 30 confirmed APT42 targeted operations spanning these categories since early 2015. However, the total number of APT42 intrusion operations is certainly much higher based on the group’s high operational tempo, visibility gaps caused partly by the group’s targeting of personal email accounts and domestically focused efforts, and extensive open-source industry reporting on threat clusters likely associated with APT42.

Mandiant observes that APT42 has consistently targeted the personal email credentials, multi-factor authentication codes, mobile device location, and communication data of individuals of interest to the Iranian government. They can use this access to enable follow-on compromises of corporate networks such as Western think tanks, academics, media organizations, biomedical research, pharmaceutical companies, and governments. 

The group’s surveillance activity highlights the real-world risk to individual targets of APT42 operations, including Iranian dual-nationals, former government officials, dissidents inside Iran, and those who previously left the country, often out of fear for their safety, it added. 

“We do not anticipate significant changes to APT42’s operational tactics and mandate given the long history of activity and imperviousness to infrastructure takedowns and a media spotlight on operational security failures,” Mandiant evaluated. “Nevertheless, the group has displayed its ability to rapidly alter its operational focus as Iran’s priorities change over time with evolving domestic and geopolitical conditions.”

The Mandiant report comes at the same time as the U.S. and U.K. governments condemned the Iranian state for a series of cyber attacks on government infrastructure in Albania that destroyed data and disrupted essential government services. The attacks were executed by Iranian state-linked hackers, who affected essential government services, including paying utilities, booking medical appointments, and enrolling schoolchildren, causing a significant impact on online public services and other government websites.
