An Iranian state-sponsored group in operation since 2015 relies on highly targeted social engineering to attack individuals and organizations that Tehran deems enemies of the regime, says a new report from cyberthreat intelligence firm Mandiant.
Targets of the threat actor Mandiant newly dubs APT42 include members of the Iranian diaspora as well as Western think tanks, academics and media organizations. The threat actor operates on behalf of the Islamic Revolutionary Guard Corps’ Intelligence Organization and appears to be trusted to quickly react to geopolitical changes and adjust to new targets of operational interest.
Mandiant says that the group’s objective is twofold: It seeks to steal personal and corporate email account credentials and use them to steal personal or business documents and research pertinent to Iran.
The second objective is to track “the locations, monitor phone and email communications, and generally surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran.”
The group builds rapport with its targets and engages in benign conversation for multiple days before sending a malicious link. APT42 operatives use compromised email accounts to impersonate trusted individuals. In the spring of 2021, it used a compromised email account belonging to a U.S. think tank.
Between March and June, the threat actor posed as a well-known journalist to get close to U.S. government officials and members of the Iranian opposition, Mandiant says.