
New Report Exposes Iranian Hacking Group's Media Masquerade

Mandiant Says APT42 Members Have Been Posing as Journalists to Steal Troves of Data
Iranian hackers posed as journalists from well-known outlets including The Washington Post. (Image: Shutterstock)

Members of an Iranian state hacking group have been observed posing as journalists and event organizers from The Washington Post, The Economist and other major news outlets as part of an effort to harvest credentials and hack into global cloud networks.


Mandiant on Wednesday published a report on APT42, an Iranian threat actor that uses "enhanced social engineering schemes to gain access to victim networks, including cloud environments."

The hacking group recently exfiltrated data "of strategic interest to Iran" while using open-source tools and built-in network features to avoid detection, according to the report. Mandiant said the hackers have also started engaging in malware-based operations through two custom backdoors dubbed NiceCurl and TameCat, which allow the group to deploy additional malware across victim networks.

The hackers masqueraded as journalists from credible news outlets in spear-phishing campaigns that sent malicious links to fake Google login pages, collecting troves of credentials from targets in the policy and government sectors as well as from journalists and media organizations, the report said.

APT42 also targeted researchers, NGO leaders and human rights activists perceived as threats to the Iranian government with "invitations to conferences or legitimate documents hosted on cloud infrastructure."

Mandiant suggested the extent of APT42's impact across sectors could be much wider than what is currently known "since the initial enabler of these operations lies with credential harvesting, which APT42 conducts worldwide." The Google-owned threat intelligence firm said APT42's techniques have allowed the group to covertly access and compromise Microsoft 365 environments, at times impersonating high-ranking personnel working at well-known organizations such as the Aspen Institute.

The hackers occasionally searched for specific files and data relating to Iranian foreign affairs, Middle East issues and Russia's war in Ukraine. The group used simple techniques to evade detection, such as clearing Google Chrome browser histories and using anonymized infrastructure, including ExpressVPN nodes and Cloudflare-hosted domains, to interact with the victim's environment.

In at least one instance, Mandiant said, the group established a "persistent" login mechanism by leveraging Microsoft's app password feature, likely avoiding having to re-verify their identity with multifactor authentication.
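As an added defender-side example (not from the Mandiant report or from this article's author), the script below flags the two patterns the preceding paragraphs describe: successful single-factor sign-ins over legacy mail protocols, which is the footprint an app password leaves on an account that otherwise completes MFA, and sign-ins arriving from anonymizing infrastructure. The log schema, the field names, the legacy client-app values and the IP ranges are all constructed assumptions for illustration; map them to your own identity provider's sign-in log format before relying on it.

```python
"""Flag sign-ins consistent with app-password persistence and anonymized access.

Added example. The record schema below is constructed and assumed; it is not
taken from the Mandiant report or from any vendor's documentation.
"""
import ipaddress
import json

# Client-app values that speak legacy protocols. App passwords exist for such
# clients because they cannot complete an interactive MFA prompt (assumed list).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync", "Other clients"}

# Constructed CIDR ranges standing in for known VPN / anonymizer exit nodes.
ANONYMIZER_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.64/26")]

# Constructed sign-in records (JSON lines); sample data, not real telemetry.
SAMPLE_SIGNINS = """\
{"ts":"2024-05-01T08:02:11Z","user":"analyst@example.org","client_app":"Browser","auth_requirement":"multiFactorAuthentication","ip":"192.0.2.10","status":"success"}
{"ts":"2024-05-01T08:40:53Z","user":"analyst@example.org","client_app":"IMAP4","auth_requirement":"singleFactorAuthentication","ip":"198.51.100.77","status":"success"}
{"ts":"2024-05-01T09:12:00Z","user":"director@example.org","client_app":"Mobile Apps and Desktop clients","auth_requirement":"multiFactorAuthentication","ip":"192.0.2.22","status":"success"}
{"ts":"2024-05-01T09:15:30Z","user":"director@example.org","client_app":"Other clients","auth_requirement":"singleFactorAuthentication","ip":"203.0.113.70","status":"failure"}
{"ts":"2024-05-01T10:05:05Z","user":"editor@example.org","client_app":"SMTP","auth_requirement":"singleFactorAuthentication","ip":"192.0.2.30","status":"success"}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def from_anonymizer(ip, ranges=ANONYMIZER_RANGES):
    """True if the source address falls inside one of the anonymizer ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_legacy_single_factor(records):
    """Return alerts for successful single-factor sign-ins over legacy client apps.

    Severity is 'high' when the source IP is also in an anonymizer range,
    otherwise 'medium'. Failed attempts are left to a separate brute-force rule.
    """
    alerts = []
    for r in records:
        if r["status"] != "success":
            continue
        if r["client_app"] not in LEGACY_CLIENT_APPS:
            continue
        if r["auth_requirement"] != "singleFactorAuthentication":
            continue
        severity = "high" if from_anonymizer(r["ip"]) else "medium"
        alerts.append({"user": r["user"], "ts": r["ts"], "client_app": r["client_app"],
                       "ip": r["ip"], "severity": severity})
    return alerts


def users_with_mfa_and_legacy(records):
    """Users who complete MFA in some sessions yet also sign in single-factor
    over a legacy protocol: the combination expected when an app password was
    added to an account that normally enforces MFA. Review their app passwords."""
    mfa_users = {r["user"] for r in records
                 if r["status"] == "success" and r["auth_requirement"] == "multiFactorAuthentication"}
    legacy_users = {a["user"] for a in find_legacy_single_factor(records)}
    return sorted(mfa_users & legacy_users)


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for alert in find_legacy_single_factor(recs):
        print(alert)
    print("review app passwords for:", users_with_mfa_and_legacy(recs))
```

On the sample data the IMAP4 sign-in from the anonymizer range is reported at high severity, the SMTP sign-in at medium, and only the analyst account shows both MFA and legacy single-factor sessions, which is the account whose app passwords a responder would inventory first. The more durable fix is the one the pattern suggests: disable legacy authentication and app passwords tenant-wide where no client still needs them.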

Mandiant said APT42 is "a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest."

In April, the U.S. federal government unsealed a multi-count criminal indictment against four alleged Iranian state hackers, announced sanctions against the group and offered a reward of up to $10 million for their capture (see: US Pressures Iran Over Phishing Campaign Against Feds).

About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
