Computing Giant Says APT42 Behind ‘Small But Steady Cadence’ of Phishing Emails
Iranian nation-state hackers are continuing a campaign to infiltrate the U.S. presidential election by penetrating the email inboxes of campaign and election officials, Google warned Wednesday.
The computing giant said the Iranian cyberespionage group it tracks as APT42 instigated in May and June “a small but steady cadence” of phishing emails aimed at roughly a dozen individuals affiliated with the then-reelection campaign for President Joe Biden as well as the campaign of Republican nominee Donald Trump.
The group successfully gained access to the personal Gmail account of a “high profile political consultant.” Reporting from mainstream outlets says Iranian hackers compromised the personal email account of longtime Republican and Trump operative Roger Stone.
The campaign hasn’t ceased, Google said. The company “continues to observe unsuccessful attempts from APT 42 to compromise the personal accounts of individuals affiliated with President Biden, Vice President Harris and former President Trump, including current and former government officials and individuals associated with the campaigns.” The FBI is investigating.
Google-owned threat intelligence company Mandiant said APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization. Microsoft tracks overlapping hacking activity as Mint Sandstorm and earlier warned that Iranian operatives hacked the email account of “a former senior adviser” to a presidential campaign to send “a spear-phishing email to a high-ranking official” inside the campaign. The Trump campaign confirmed Saturday that hackers stole multiple documents, including a 271-page vetting report into Trump’s vice presidential running mate, JD Vance, a senator from Ohio (see: Trump Leak Likely a Harbinger of More Interference to Come).
In a statement to The Associated Press, the Iranian mission to the United Nations denied targeting presidential campaigns. “The Iranian government neither possesses nor harbors any intent or motive to interfere in the United States presidential election.”
Earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency warned that foreign election interference efforts have been intensifying as part of “broader efforts to undermine U.S. global standing, sow discord inside the United States, and influence U.S. voters and decision-making.” Federal prosecutors in 2021 indicted two Iranian nationals for a cyber-enabled campaign to intimidate and influence American voters during the 2020 presidential election.
Iranian hackers have a history of targeting U.S. infrastructure for motives that include extensive American support for Israel, which is embroiled in a 10-month war with Iranian-supported militants that’s devastated the Gaza Strip (see: Internet-Exposed Water PLCs Are Easy Targets for Iran). In a sign that no country is safe from the effects of cyberwar, London-based Persian-language news outlet Iran International on Thursday said on social media that the Central Bank of Iran underwent a cyberattack. The Saudi-linked outlet said the attack led to widespread disruptions to the country’s banking system.
Iranian Phishing Targets Go Beyond the Presidential Campaigns
APT42’s recent history of phishing campaigns isn’t limited to presidential campaigns. Google said it intensified in April its targeting of Israeli users, seeking out individuals with connections to the military and defense sector, as well as diplomats, academics and nongovernmental organizations.
It impersonated the Washington Institute for Near East Policy, a pro-Israeli think tank based in Washington, D.C., multiple times to target Israeli diplomats and journalists. It also uses typosquatted domains – web domains just a few characters off from a legitimate site – to lend credence to phishing emails, such as by using brookings.email to spoof the Brookings Institution.
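The typosquatting described above is easy to catch on the receiving side if mail gateways compare sender domains against the domains an organisation already trusts. The following is an added example, not code from Google, Mandiant or the article's sources: it flags two patterns the report mentions, a legitimate label under a different top-level domain (brookings.email standing in for brookings.edu) and a label a character or two off from a trusted one. The protected-domain list, the log lines and the lookalike sender brookngs.edu are constructed for the demo; only brookings.email comes from the article.

```python
"""Flag sender domains that look like typosquats of trusted domains.

Added illustrative example. PROTECTED and SAMPLE_LOG are constructed
for the demo; brookings.email is the spoof domain named in the report,
brookings.edu is the think tank's real domain used as the reference.
"""
import re

# Constructed list of domains the organisation trusts (assumption for the demo).
PROTECTED = ["brookings.edu", "google.com"]

# Constructed gateway log lines in a simple key=value layout (assumption).
SAMPLE_LOG = [
    "2024-06-03T09:12:44Z from=events@brookings.email subject=Invitation",
    "2024-06-03T09:15:01Z from=press@brookings.edu subject=Newsletter",
    "2024-06-04T14:02:10Z from=alerts@brookngs.edu subject=Meeting link",
    "2024-06-04T16:40:33Z from=noreply@example.org subject=Receipt",
]


def levenshtein(a, b):
    """Edit distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (second-level label, tld) using a naive split.

    A real deployment would use the public suffix list so that
    multi-part suffixes such as co.uk are handled; this is enough here.
    """
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_sender(sender_domain, protected=PROTECTED, max_distance=2):
    """Return (verdict, matched_protected_domain).

    Verdicts: 'trusted' (exact registrable match, subdomains included),
    'tld-swap' (same label, different TLD), 'lookalike' (label within
    max_distance edits of a trusted label) or 'unrelated'.
    """
    s_label, s_tld = split_domain(sender_domain)
    registrable = f"{s_label}.{s_tld}"
    if registrable in protected:
        return "trusted", registrable
    for good in protected:
        g_label, g_tld = split_domain(good)
        if s_label == g_label and s_tld != g_tld:
            return "tld-swap", good      # e.g. brookings.email vs brookings.edu
        dist = levenshtein(s_label, g_label)
        if 0 < dist <= max_distance:
            return "lookalike", good     # e.g. brookngs.edu vs brookings.edu
    return "unrelated", None


FROM_RE = re.compile(r"from=\S+@(\S+)")


def scan_log(lines, protected=PROTECTED):
    """Parse the sender domain out of each log line and classify it."""
    results = []
    for line in lines:
        match = FROM_RE.search(line)
        if not match:
            continue
        domain = match.group(1)
        verdict, ref = classify_sender(domain, protected)
        results.append((domain, verdict, ref))
    return results


if __name__ == "__main__":
    for domain, verdict, ref in scan_log(SAMPLE_LOG):
        note = f" (resembles {ref})" if ref and verdict != "trusted" else ""
        print(f"{domain:20} {verdict}{note}")
```

The two flagged verdicts are meant to feed a quarantine or banner rule rather than a hard block, since legitimate partners do occasionally mail from a second domain; the useful signal is that a message about a meeting or an invitation arrives from a domain that is almost, but not quite, one the recipient already knows.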
APT42 takes pains with its social engineering setups, sometimes delivering malicious links only after gaining enough trust to schedule an online meeting. A link to the meeting could direct the user to a landing page, supposedly to log on to Google Meet or another platform. Other lures have involved OneDrive, Dropbox and Skype.
Iranian hackers also made sure to find out which second-factor authentication targets might use. Often when they attempt to take control of an account through the account recovery process, the request comes from “the correct geographic location with the correct credentials and correct second factor for user authentication.”
The hacking group has a “sophisticated” credential harvesting tool – called GCollection, LCollection or YCollection – that’s been in operation since at least January 2023. The latest version transmits multifactor authentication codes, device PINs and one-time recovery codes. The group also has a browser-in-the-browser phishing kit called DWP that has fewer features than GCollection.