
Researchers Identify Likely Iranian State-Sponsored Cyberespionage Group

What’s happening

Researchers for the cybersecurity firm Mandiant have identified what they say is likely an Iranian state-sponsored cyberespionage group.

Why it matters

The group has targeted opponents of the Iranian regime, including think tanks, researchers, current and former government officials, journalists and members of the Iranian diaspora.

What’s next

Mandiant says that given the group’s past involvement in espionage related to Iranian elections, US officials need to be on guard heading into this year’s US midterm elections.

Cybersecurity researchers say they’ve identified what’s likely an Iranian state-sponsored hacking group that’s targeting opponents of that country’s regime, including Western think tanks, researchers, journalists, government officials and members of the Iranian diaspora.

In a report released Wednesday, researchers for the cybersecurity firm Mandiant say the advanced persistent threat group, which they refer to as “APT42,” has conducted intelligence gathering and surveillance operations going back to at least 2015. At least 30 of these operations have been confirmed, though the researchers say the actual total is likely much higher.

The researchers say they have “high confidence” that APT42 is an Iranian state-sponsored cyberespionage group tasked with spying on people and groups of interest to the Iranian government. They also say that based on APT42’s targeting patterns, it’s likely that the group operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization.

John Hultquist, Mandiant’s vice president of intelligence, says that while Iran often contracts out its cyberespionage activities, giving it access to better talent and making it tough to directly connect the espionage back to the government, calling out the Revolutionary Guard for these activities is “critical to understanding what’s at risk.”

“The sponsors of this activity are dangerous and anyone victimized by this group should be wary,” Hultquist said in a statement.

Given that APT42 has been linked to malicious activity leading up to Iranian elections, Hultquist added, it’s important to keep an eye on the group now, especially given Iran’s “incredibly brazen” cyberactivities during the 2020 US presidential election.

“Unfortunately, Russia is not the only threat to our elections,” Hultquist said. “There are few risks in cybersecurity that compare with having an actor like the [Revolutionary Guard] reading your texts and emails, recording your calls and tracking the location of your phone.”

According to the researchers, APT42 uses highly targeted spear-phishing and social engineering techniques to gain access to their targets’ personal or work email accounts, or to install Android malware on their mobile devices. The group also occasionally uses Windows malware as part of its credential harvesting and surveillance efforts, the researchers say.

Specifically, the group will attempt to “build trust and rapport with their target,” the researchers say, by engaging the target in harmless conversation for days or weeks before sending them a malicious link and trying to steal their email credentials. It’s also been successful in collecting multifactor authentication codes to bypass those protections and has used stolen credentials to access the networks, devices and accounts of employers, colleagues and relatives of the initial target.

For example, the researchers say, APT42 in 2017 targeted the leaders of an Iranian opposition group by sending its members emails that appeared to be from Google and that contained links to fake Google Books pages. Targets were then directed to sign-in websites designed to steal their Google logins and multifactor authentication codes.

[Figure: two screenshots of spoofed Google login and authentication pages. On the left, a spoofed Google login site personalized for one of APT42’s targets. On the right, a spoofed site designed to steal the target’s multifactor authentication code.]

At the same time, APT42 also used Android mobile malware to track locations, monitor communications and generally surveil the activities of persons of interest to the Iranian government, including activists and dissidents inside Iran, the researchers say.

While APT42’s operations appear similar in some ways to previously spotted Iranian online spying groups, the researchers say that what makes it different is its focus on the personal accounts and mobile devices of individual people and groups deemed enemies of the regime, rather than on military targets or large caches of sensitive data.

Mandiant says the group still poses a danger to foreign policy officials, commentators and journalists, particularly those in the US, UK and Israel working on Iran-related projects. Meanwhile, the group’s spying operations show the real-world risk to people like Iranian dual-nationals, former government officials and dissidents both within and outside of Iran, the researchers say.