X

Researchers Identify Likely Iranian State-Sponsored Cyberespionage Group

Bree Fowler Senior Writer
Bree Fowler writes about cybersecurity and digital privacy. Before joining CNET she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, wannabe runner and champion baker of over-the-top birthday cakes and all-things sourdough.
Expertise cybersecurity, digital privacy, IoT, consumer tech, smartphones, wearables
Bree Fowler
3 min read
The Iranian flag with an overlay of computer code.

Mandiant researchers say individuals and groups are being targeted by an Iranian state-sponsored cyberespionage group.

Getty

What's happening

Researchers for the cybersecurity company Mandiant have identified what they say is likely an Iranian state-sponsored cyberespionage group.

Why it matters

The group has targeted opponents of the Iranian regime including think tanks, researchers, current and former government officials, journalists and members of the Iranian diaspora.

What's next

Mandiant says that given the group's past involvement in espionage related to Iranian elections, US officials need to be on guard heading into this year's US midterm elections.

Cybersecurity researchers say they've identified what's likely an Iranian state-sponsored hacking group that's targeting  opponents of that country's regime including Western think tanks, researchers, journalists, government officials and members of the Iranian diaspora.

In a report released Wednesday, researchers for the cybersecurity firm Mandiant say the advanced persistent threat group, which they refer to as "APT42," has conducted information gathering and surveillance operations going back to at least 2015. At least 30 of these operations have been confirmed, though the researchers say the actual total is likely much higher. 

The researchers say they have "high confidence" that APT42 is an Iranian state-sponsored cyberespionage group tasked with spying on people and groups of interest to the Iranian government. They also say that based on APT42's targeting patterns, it's likely that the group operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization.

John Hultquist, Mandiant's vice president of intelligence, says that while Iran often contracts out its cyberespionage activities, giving it access to better talent and making it tough to directly connect the espionage back to the government, calling out the Revolutionary Guard for these activities is "critical to understanding what's at risk." 

"The sponsors of this activity are dangerous and anyone victimized by this group should be wary," Hultquist said in a statement.

Given that APT42 has been linked to malicious activity leading up to Iranian elections, Hultquist added, it's important to keep an eye on the group now, especially given Iran's "incredibly brazen" cyberactivities during the 2020 US presidential election.

"Unfortunately, Russia is not the only threat to our elections," Hultquist said. "There are few risks in cybersecurity that compare with having an organization like the [Revolutionary Guard] reading your texts and emails, recording your calls and tracking the location of your phone."

According to the researchers, APT42 uses highly targeted spear-phishing and social engineering techniques to gain access to their targets' personal or work email accounts, or to install Android malware on their mobile devices. The group also occasionally uses Windows malware as part of its credential harvesting and surveillance efforts, the researchers say.

Specifically, the group will attempt to "build trust and rapport with their target," the researchers say, by engaging the target in harmless conversation for days or weeks before sending them a malicious link and trying to steal their email credentials. It's also been successful in collecting multifactor authentication codes to bypass those protections and has used stolen credentials to access the networks, devices and accounts of employers, colleagues and relatives of the initial target.

For example, the researchers say, APT42 in 2017 targeted the leaders of an Iranian opposition group by sending its members emails that appeared to be from Google and that contained links to fake Google Books pages. Targets were then directed to sign-in websites designed to steal their Google logins and multifactor authentication codes.

Two screenshots of spoofed Google login and authentication pages

On the left, a spoofed Google login site personalized for one of APT42's targets. On the right, a spoofed site designed to collect the target's multifactor authentication code. 

Mandiant

At the same time, APT42 also used Android mobile malware to track locations, monitor communications and generally surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran, the researchers say.

While APT42's operations appear similar in some ways to previously spotted Iranian online spying groups, the researchers say that what makes it different is its focus on the personal accounts and mobile devices of individual people and groups deemed enemies of the regime, rather than on military targets or large caches of sensitive data.

Mandiant says the group still poses a danger to foreign policy officials, commentators and journalists, particularly those in the US, UK and Israel working on Iran-related projects. Meanwhile, group's spying operations show the real-world risk to individual people like Iranian dual-nationals, former government officials and dissidents both within and outside of Iran, the researchers say.