Saturday, December 28, 2024
HomeCyber AttackIranian APT42 Group Launch A Massive Phishing Campaign To Attack U.S. Presidential...

Iranian APT42 Group Launch A Massive Phishing Campaign To Attack U.S. Presidential Election

Published on

SIEM as a Service

APT42 is an APT group that is believed to be backed by the Iranian government, and this group primarily focuses on cyber espionage.

Besides this, APT42 is also well-known for other illicit activities. Apart from cyber espionage, they also conduct phishing campaigns, and data exfiltration against a wide range of entities.

However, specifically, they target entities that are linked with military and strategic interests.

- Advertisement - SIEM as a Service

Recently, cybersecurity experts at Google’s Threat Analysis Group (TAG) identified that APT42 launched a massive phishing campaign to attack the US presidential election.

Iranian APT42 Group

APT42 is associated with the Iranian Revolutionary Guard Corps and has enhanced its hacking activities targeted at prominent personalities in Israel and the US.

These high-profile targets represented 60% of all the geographical regions the group hacked into within this period.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Their victims span a wide range, including current and former government officials, political campaign staff, diplomats, think tank researchers, academics, and NGO workers involved in foreign policy discussions. 

In April 2024, the group made Israeli targets even more of an interest for them, especially those related to military or defense sectors.

APT42 employs diverse types of advanced phishing techniques through the abuse of cloud services such as Google Sites, Drive, Gmail, Dropbox, and OneDrive for hosting their malware, phishing pages, and malicious redirects.

Their methods include creating fake petitions (such as one purportedly from the Jewish Agency for Israel), impersonating legitimate organizations like the Washington Institute for Near East Policy, and using typosquat domains like “understandingthewar[.]org” to mimic the Institute for the Study of War. 

Government-backed attacker warning (Source – TAG)

The success of the group in credential phishing has been attained through their persistence and heavy use of social engineering.

Google, in response, implemented different countermeasures such as resetting the compromised accounts, warning targeted users, disrupting malicious Google Sites pages, and adding harmful domains to the Safe Browsing blocklist.

Despite attempts by Google, APT42 is rapidly adapting its strategies demonstrating its agility in aligning with Iran’s changing political and military goals, and is a continued danger to well-known targets in the region.

APT42 tried to hack into accounts affiliated with the two biggest political party campaigns in America during the years 2020 and beyond.

The group also goes for highly developed tricks like individualized harvesting tools for credentials (GCollection, LCollection, YCollection) and manipulation of victims on social media.

To make their phishing pages credible, they abuse services like Google Sites, OneDrive, and Dropbox, often tailoring their approach based on extensive reconnaissance of their targets’ security settings and geographic locations.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a...

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms...

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...