Iranian threat actors known as APT42 were recently spotted running social engineering and credential phishing campaigns against targets in the Middle East. Based on reports, the campaign is currently aimed at researchers, diplomats, journalists, academics, politicians, and human rights activists who work in the region.
According to an investigation by a non-governmental organisation, the group has run a broader campaign built around a fake URL shortener that impersonates the legitimate shortener cut[.]ly.
Researchers have seen the actors distribute this phishing link through WhatsApp. If a target clicks the link, it redirects them to a fake login page that spoofs the Yahoo, Google, or Microsoft sign-in pages.
Once a victim enters their details on the phishing page, the attackers' phishing kit captures the credentials and uses them to log into the victim's email account, from which the group can pull large volumes of data.
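To make the lookalike-shortener trick concrete, here is an added triage helper (example code written for this page, not tooling from the report or from the researchers who investigated the campaign) that refangs a link as it might be shared over WhatsApp and checks whether its host impersonates a known shortener. The allow-list, the homoglyph table and the sample links are constructed assumptions; only cut[.]ly comes from the text. It goes a little beyond the single case described above by also catching the brand used as a subdomain, single-character typosquats, and the brand folded into a label under another TLD.

```python
"""Flag links whose host impersonates a known URL shortener.

Added example for this page: a small triage helper, not tooling from the
report or the group described. The allow-list and sample links are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed allow-list: cut[.]ly is the shortener named in the text; the
# others are assumptions added for illustration.
KNOWN_SHORTENERS = ("cut.ly", "bit.ly", "tinyurl.com", "t.co")

# Digits commonly substituted for look-alike letters (assumed, illustrative).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    url = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url if "://" in url else "http://" + url


def host_of(indicator: str) -> str:
    """Lower-cased hostname of a (possibly defanged) link."""
    return (urlsplit(refang(indicator)).hostname or "").lower().rstrip(".")


def normalize(name: str) -> str:
    """Collapse homoglyphs and separators so 'cut-1y' and 'cutly' compare equal."""
    name = name.translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return name.replace("-", "").replace(".", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str) -> dict:
    """Return a verdict of 'legitimate', 'lookalike' or 'unknown' for a link."""
    host = host_of(indicator)
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # naive: last two labels, no PSL lookup
    sld = labels[-2] if len(labels) >= 2 else host

    def verdict(kind, known=None, reason=None):
        return {"host": host, "verdict": kind, "impersonates": known, "reason": reason}

    # Exact host or a subdomain of an allow-listed shortener (www.cut.ly).
    for known in KNOWN_SHORTENERS:
        if host == known or host.endswith("." + known):
            return verdict("legitimate", known, "allow-listed")

    for known in KNOWN_SHORTENERS:
        # Brand used as a subdomain of some other domain, e.g. cut.ly.example.com.
        if host.startswith(known + ".") or ("." + known + ".") in host:
            return verdict("lookalike", known, "brand as subdomain")
        # Whole registrable domain within one edit of the brand, e.g. c0t.ly.
        if levenshtein(normalize(registrable), normalize(known)) <= 1:
            return verdict("lookalike", known, "typosquat")
        # Brand folded into one label under another TLD, e.g. cut-1y.com.
        if normalize(sld) == normalize(known):
            return verdict("lookalike", known, "brand under other tld")

    return verdict("unknown")


if __name__ == "__main__":
    # Constructed sample links, not indicators from the report.
    for link in ("hxxps://cut[.]ly/abc", "https://cut.ly.sharefiles-example.live/login",
                 "hxxp://c0t[.]ly/a", "https://cut-1y.com/p", "https://example.org/"):
        print(link, "->", classify(link))
```

Run it as-is to see the verdicts for the constructed links; in practice the allow-list would be the shorteners your organisation actually uses, and a "lookalike" verdict on a message from an unknown WhatsApp number is reason enough to block the link and report the sender.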
APT42 has targeted important and well-known entities within the human rights landscape.
The campaign orchestrated by APT42 compromised emails and other critical data belonging to a major United States newspaper. A Lebanon-based advocacy consultant for Refugees International was also targeted by the group.
Researchers also identified nearly 20 high-profile individuals and Human Rights Watch employees (including six journalists) as targets of this activity.
Most of the targeted individuals confirmed that they received an identical WhatsApp phishing message between September and November, all sent from the same phone number.
Where a target took the bait, the attackers gained access to their email, cloud storage, contacts, and calendars.
The attackers then synchronised the compromised mailbox and used the Google Takeout service to export the victims' payment, travel, web search and location data. The victims were unaware of both the Gmail account compromise and the Takeout export because they received no security notifications from Google for either event, the account having been taken over before any warning reached them.
Numerous reports from different companies show that APT42 targets Middle East-based researchers, civil society groups, and dissidents for domestic political, regime stability, and foreign policy purposes.
