Getty Images / boonchai wedmakawand

Iranian Hacker Group Posed as Journalists to Hunt Dissidents

Group spent weeks trying to fool specific targets with intricate appeals—including U.S campaign staff.

A hacker group likely linked to Iran’s Revolutionary Guard used sophisticated means and elaborate false identities to steal information from government officials, think tankers, and others around the world who might be in contact with Iranian dissidents, according to a new report from cybersecurity company Mandiant.

Dubbed APT42 by Mandiant, the group has been active since 2015, the report said. Its primary tactic is spear-phishing, a common scam whose perpetrators pose as a legitimate entity and attempt to persuade a target to open an email and click a link that allows the group to steal information. What sets this group apart is the lengths to which they go to appear trustworthy. 

A lot of spear-phishing campaigns are laughably crude, promising riches in poorly written emails. Not APT42. One member of the group “posed as a well-known journalist from a U.S. media organization requesting an interview and engaged the initial target for 37 days to gain their trust before finally directing them to a credential harvesting page,” the report said. 

Another member posed as the British newspaper Metro to hit targets “located in Belgium and the United Arab Emirates, [with an] online interview via a customized PDF document containing an embedded link leading to a Gmail credential harvesting page,” the report said.

APT42 has tech chops to match its patience for impersonation. “The group has also deployed mobile malware capable of tracking victim locations, recording phone conversations, accessing videos and images, and extracting entire SMS inboxes,” Mandiant wrote. That enabled them to capture one-time passwords sent to targets’ phones via SMS, bypass two-factor authentication, and steal much more data. 

Besides the UK, the group has targeted people in other European countries, Australia, and the United States.

In 2019 and 2020, the group targeted election campaign staff in the United States—and may do so again.“Given that this actor has been linked to previous election related activity, it's important to watch them closely now, especially in light of Iran’s incredibly brazen cyber operations during the 2020 elections,” John Hultquist, vice president at Mandiant Intelligence, said in a statement. “Unfortunately, Russia is not the only threat to our elections. There are few risks in cyber security that compare with having an organization like the [Islamic Revolutionary Guard Corps] reading your texts and emails, recording your calls, and tracking the location of your phone."