Iranian Hacker Group Posed as Journalists to Hunt Dissidents
Group spent weeks trying to fool specific targets with intricate appeals—including U.S. campaign staff.
Hello
My name is Farnaz Fasihi. I am a journalist at the Wall Street Journal newspaper.
The Middle East team of the WSJ intends to introduce successful non-local individuals in developed countries. Your activities in the fields of research and philosophy of science led me to introduce you as a successful Iranian. The director of the Middle East team asked us to set up an interview with you and share some of your important achievements with our audience. This interview could motivate the youth of our beloved country to discover their talents and move toward success.
Needless to say, this interview is a great honor for me personally, and I urge you to accept my invitation for the interview.
The questions are designed professionally by a group of my colleagues and the resulting interview will be published in the Weekly Interview section of the WSJ. I will send you the questions and requirements of the interview as soon as you accept.
*Footnote: Non-local refers to people who were born in other countries.
Thank you for your kindness and attention.
Farnaz Fasihi
A hacker group likely linked to Iran’s Revolutionary Guard used sophisticated means and elaborate false identities to steal information from government officials, think tankers, and others around the world who might be in contact with Iranian dissidents, according to a new report from cybersecurity company Mandiant.
Dubbed APT42 by Mandiant, the group has been active since 2015, the report said. Its primary tactic is spear-phishing, a targeted form of phishing in which the attacker poses as a legitimate entity and persuades a specific person to open an email and click a link that lets the group steal credentials or other information. What sets this group apart is the lengths to which they go to appear trustworthy.
A lot of spear-phishing campaigns are laughably crude, promising riches in poorly written emails. Not APT42. One member of the group “posed as a well-known journalist from a U.S. media organization requesting an interview and engaged the initial target for 37 days to gain their trust before finally directing them to a credential harvesting page,” the report said.
Another member posed as the British newspaper Metro to hit targets “located in Belgium and the United Arab Emirates, [with an] online interview via a customized PDF document containing an embedded link leading to a Gmail credential harvesting page,” the report said.
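A defender triaging a lure like the one just described wants to know where the document's embedded links actually point before anyone clicks them. The script below is an added example, not code from Mandiant or the article: it scans raw PDF bytes for link annotations and flags any whose host does not belong to the sender's claimed organization. The PDF and the domains in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF (not a real lure): one page carrying two Link
# annotations. The first points at a host unrelated to the claimed sender,
# as the credential-harvesting lure described above would.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://accounts-google.example.invalid/signin) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://metro.co.uk/interviews) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches /URI literal strings, allowing backslash-escaped characters inside.
# Only uncompressed objects are visible this way; a full triage tool would
# also inflate FlateDecode object streams before scanning.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI literal string found in the raw PDF bytes, in order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def suspicious_links(pdf_bytes: bytes, claimed_domains) -> list:
    """Flag links whose host is neither a claimed domain nor a subdomain of one.

    claimed_domains: domains the purported sender legitimately uses
    (hypothetical input, e.g. ["metro.co.uk"] for a lure claiming to be Metro).
    """
    flagged = []
    for uri in extract_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        trusted = any(host == d or host.endswith("." + d) for d in claimed_domains)
        if not trusted:
            flagged.append(uri)
    return flagged


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_PDF, ["metro.co.uk"]):
        print("embedded link does not match claimed sender:", link)
```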
APT42 has tech chops to match its patience for impersonation. “The group has also deployed mobile malware capable of tracking victim locations, recording phone conversations, accessing videos and images, and extracting entire SMS inboxes,” Mandiant wrote. That enabled them to capture one-time passwords sent to targets’ phones via SMS, bypass two-factor authentication, and steal much more data.
Besides the UK, the group has targeted people in other European countries, Australia, and the United States.
In 2019 and 2020, the group targeted election campaign staff in the United States—and may do so again. “Given that this actor has been linked to previous election related activity, it's important to watch them closely now, especially in light of Iran’s incredibly brazen cyber operations during the 2020 elections,” John Hultquist, vice president at Mandiant Intelligence, said in a statement. “Unfortunately, Russia is not the only threat to our elections. There are few risks in cyber security that compare with having an organization like the [Islamic Revolutionary Guard Corps] reading your texts and emails, recording your calls, and tracking the location of your phone.”
1 comment:
Are they friends of the Nigerian prince?