Tuesday, September 17, 2024
HomeCyber AttackIranian APT42 Group Launch A Massive Phishing Campaign To Attack U.S. Presidential...

Iranian APT42 Group Launch A Massive Phishing Campaign To Attack U.S. Presidential Election

Published on

APT42 is an APT group that is believed to be backed by the Iranian government, and this group primarily focuses on cyber espionage.

Besides this, APT42 is also well-known for other illicit activities. Apart from cyber espionage, they also conduct phishing campaigns, and data exfiltration against a wide range of entities.

However, specifically, they target entities that are linked with military and strategic interests.

- Advertisement - EHA

Recently, cybersecurity experts at Google’s Threat Analysis Group (TAG) identified that APT42 launched a massive phishing campaign to attack the US presidential election.

Iranian APT42 Group

APT42 is associated with the Iranian Revolutionary Guard Corps and has enhanced its hacking activities targeted at prominent personalities in Israel and the US.

These high-profile targets represented 60% of all the geographical regions the group hacked into within this period.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Their victims span a wide range, including current and former government officials, political campaign staff, diplomats, think tank researchers, academics, and NGO workers involved in foreign policy discussions. 

In April 2024, the group made Israeli targets even more of an interest for them, especially those related to military or defense sectors.

APT42 employs diverse types of advanced phishing techniques through the abuse of cloud services such as Google Sites, Drive, Gmail, Dropbox, and OneDrive for hosting their malware, phishing pages, and malicious redirects.

Their methods include creating fake petitions (such as one purportedly from the Jewish Agency for Israel), impersonating legitimate organizations like the Washington Institute for Near East Policy, and using typosquat domains like “understandingthewar[.]org” to mimic the Institute for the Study of War. 

Government-backed attacker warning (Source – TAG)

The success of the group in credential phishing has been attained through their persistence and heavy use of social engineering.

Google, in response, implemented different countermeasures such as resetting the compromised accounts, warning targeted users, disrupting malicious Google Sites pages, and adding harmful domains to the Safe Browsing blocklist.

Despite attempts by Google, APT42 is rapidly adapting its strategies demonstrating its agility in aligning with Iran’s changing political and military goals, and is a continued danger to well-known targets in the region.

APT42 tried to hack into accounts affiliated with the two biggest political party campaigns in America during the years 2020 and beyond.

The group also goes for highly developed tricks like individualized harvesting tools for credentials (GCollection, LCollection, YCollection) and manipulation of victims on social media.

To make their phishing pages credible, they abuse services like Google Sites, OneDrive, and Dropbox, often tailoring their approach based on extensive reconnaissance of their targets’ security settings and geographic locations.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Key Russian Hacker Group Attacking Users With .NET Built Ransomware

The Russian ransomware group Key Group, active since early 2023, is targeting organizations globally,...

Chinese Hackers Charged for Multi-Year Spear-Phishing Attacks

Song Wu, a Chinese national, has been indicted on charges of wire fraud and...

Entro Security Labs Releases Non-Human Identities Research Security Advisory

Analysis of millions of real-world NHI secrets by Entro Security Labs reveals widespread, significant...

Critical Vulnerabilities Impact Million of D-Link Routers, Patch Now!

Millions of D-Link routers are at risk due to several critical vulnerabilities. Security researcher...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Medusa Ransomware Exploiting Fortinet Flaw For Sophisticated Ransomware Attacks

Medusa, a relatively new ransomware group, has gained notoriety for its dual-pronged online presence....

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

New Developer-As-A-Service In Hacking Forums Empowering Phishing And Cyberattacks

SCATTERED SPIDER, a ransomware group, leverages cloud infrastructure and social engineering to target insurance...