Iranian Threat Group Befriends Victims
APT42 Operates on Behalf of the Islamic Revolutionary Guard Corps
An Iranian state-sponsored group in operation since 2015 relies on highly targeted social engineering to attack individuals and organizations that Tehran deems enemies of the regime, says a new report from cyberthreat intelligence firm Mandiant.
Targets of the threat actor Mandiant newly dubs APT42 include members of the Iranian diaspora as well as Western think tanks, academics and media organizations. The threat actor operates on behalf of the Islamic Revolutionary Guard Corps' Intelligence Organization and appears to be trusted to quickly react to geopolitical changes and adjust to new targets of operational interest.
Mandiant says that the group's objective is twofold: It seeks to steal personal and corporate email account credentials and use them to steal personal or business documents and research pertinent to Iran.
The second objective is to track "the locations, monitor phone and email communications, and generally surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran."
The group builds rapport with its targets and engages in benign conversation for multiple days before sending a malicious link. APT42 operatives use compromised email accounts to impersonate trusted individuals. In spring of 2021, it used a compromised email account belonging to a U.S. think tank. Between March and June, the threat actor posed as a well-known journalist to get close to U.S. government officials and members of the Iranian opposition, Mandiant says.
In June 2021, it compromised the email belonging to an Iranian researcher at a U.S. think tank to send spear-phishing emails to a member of an Iranian opposition group located in Europe. The impersonation included asking the intended victim's feedback on an article the researcher had prepared on Iranian nuclear issues.
John Hultquist, a Mandiant vice president of intelligence analysis, tells Information Security Media Group that Iran, like many of its peers, leans on contractors to carry out cyberespionage and other aggressive acts in this space.
"Companies provide rare talent and obscure the relationship between the activity and security services. But calling out the IRGC here is critical to understanding what's at risk. The sponsors of this activity are dangerous and anyone victimized by this group should be wary," Hultquist warns.
Mandiant says that the group has targeted organizations in at least 14 countries, including Australia, the United States and countries in Europe and the Middle East.
So far, Mandiant has confirmed more than 30 targeted APT42 operations, but researchers estimate that the number of intrusion operations by the group is much higher, based on its high operational tempo.
Mobile malware applications deployed by the group are capable of tracking victim locations, recording phone conversations, accessing videos and images and stealing SMS inboxes.
APT42 is also capable of bypassing multifactor authentication and intercepting SMS-based one-time passwords using credential harvesting forms. It likely delivers Android malware via SMS messages, Mandiant says.
The researchers say that the group likely deploys Android malware such as Vinethorn and Pineflower. Between July 2020 and March 2021, the group successfully used Pineflower to compromise several dozen Android devices that likely belonged to individuals residing in Iran.
The malware regularly exfiltrated recorded phone calls, room audio recordings, images and entire SMS inboxes from at least 10 compromised devices. Researchers say they observed earlier versions of Pineflower as early as 2015, and the most recent activity was observed between June and August 2022.
Mandiant also found APT42 infrastructure serving as command and control for a Vinethorn payload masquerading as a legitimate VPN application between April and October 2021.
When it successfully logs on to a victim's personal or corporate email account, the group registers its own Microsoft Authenticator application as a new multifactor authentication method.
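A defender-side illustration of the check this technique calls for, added here and not part of Mandiant's report or the article: flag authenticator registrations that follow shortly after a sign-in from a country the account has not used before. The event fields, account names, baseline and sample entries are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, oldest first. Real deployments would map their
# identity provider's sign-in and security-info audit events onto these fields.
EVENTS = [
    {"time": "2021-06-01T08:02:00", "user": "analyst@example.org",
     "type": "signin", "country": "US"},
    {"time": "2021-06-01T08:05:00", "user": "analyst@example.org",
     "type": "mfa_registered", "method": "AuthenticatorApp"},
    {"time": "2021-06-03T21:14:00", "user": "analyst@example.org",
     "type": "signin", "country": "NL"},
    {"time": "2021-06-03T21:21:00", "user": "analyst@example.org",
     "type": "mfa_registered", "method": "AuthenticatorApp"},
    {"time": "2021-06-04T10:00:00", "user": "editor@example.org",
     "type": "signin", "country": "DE"},
    {"time": "2021-06-04T12:30:00", "user": "editor@example.org",
     "type": "mfa_registered", "method": "AuthenticatorApp"},
]

# Countries each account has historically signed in from (constructed baseline).
BASELINE = {"analyst@example.org": {"US"}, "editor@example.org": {"US"}}

# A registration this soon after a first-seen-location sign-in is worth review.
WINDOW = timedelta(minutes=30)


def find_suspicious_registrations(events, baseline, window=WINDOW):
    """Return (time, user, country) for every MFA-method registration that
    follows, within `window`, a sign-in from a country not previously seen
    for that account. `events` must be ordered oldest first."""
    known = {user: set(countries) for user, countries in baseline.items()}
    recent_new_signin = {}  # user -> (time, country) of last sign-in from an unseen country
    hits = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["type"] == "signin":
            countries = known.setdefault(user, set())
            if ev["country"] not in countries:
                recent_new_signin[user] = (t, ev["country"])
                countries.add(ev["country"])
        elif ev["type"] == "mfa_registered":
            prior = recent_new_signin.get(user)
            if prior is not None and t - prior[0] <= window:
                hits.append((ev["time"], user, prior[1]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_registrations(EVENTS, BASELINE):
        print("review MFA registration:", hit)
```

The editor's registration two and a half hours after the German sign-in falls outside the window and is not flagged; the analyst's registration seven minutes after a first-seen Dutch sign-in is.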
Mandiant says the group further escalates privileges by using custom malware families such as Chairsmack, Dostealer and Ghambar, which are capable of "logging keystrokes and stealing logins and cookie data for common browsers to perform privilege escalation in a victim environment."
The threat group also conducts internal reconnaissance after logging in to the target infrastructure using stolen credentials "by browsing the compromised user's contacts and accessing the targeted organization's collaborative spaces, such as SharePoint," Mandiant says.
Historical Connections to APT35
Mandiant says APT42 corresponds with other activity that organizations have observed. Proofpoint has referred to it as TA453, PricewaterhouseCoopers as Yellow Garuda, and IBM as ITG18.
They are also consistent "with a sub-section of publicly reported threat clusters Phosphorus (Microsoft) and Charming Kitten (ClearSky and CERTFA)."
"Similarity in malicious cyber operations between various Iranian groups and a dynamic institutional ecosystem in Iran contributed to the significant conflation of historical APT42 and APT35 activity," Mandiant says.
The cybersecurity firm assesses with moderate confidence that both groups operate for IRGC but originated from "different missions and contracts or contractors based on substantial differences in their respective targeting patterns and tactics, techniques, and procedures."
APT35 focuses on malware-intensive operations targeting the U.S. and Middle Eastern military and other diplomatic and government personnel and organizations in the media, energy and telecommunications sectors to steal data to help with Iranian military and government objectives. APT42 operations focus on individuals and organizations of interest to the Iranian government for domestic politics, foreign policy and regime stability purposes.