Tuesday, January 14, 2025
HomeCyber AttackIranian APT42 Group Launch A Massive Phishing Campaign To Attack U.S. Presidential...

Iranian APT42 Group Launch A Massive Phishing Campaign To Attack U.S. Presidential Election

Published on

APT42 is an APT group that is believed to be backed by the Iranian government, and this group primarily focuses on cyber espionage.

Besides this, APT42 is also well-known for other illicit activities. Apart from cyber espionage, they also conduct phishing campaigns, and data exfiltration against a wide range of entities.

However, specifically, they target entities that are linked with military and strategic interests.

Recently, cybersecurity experts at Google’s Threat Analysis Group (TAG) identified that APT42 launched a massive phishing campaign to attack the US presidential election.

Iranian APT42 Group

APT42 is associated with the Iranian Revolutionary Guard Corps and has enhanced its hacking activities targeted at prominent personalities in Israel and the US.

These high-profile targets represented 60% of all the geographical regions the group hacked into within this period.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Their victims span a wide range, including current and former government officials, political campaign staff, diplomats, think tank researchers, academics, and NGO workers involved in foreign policy discussions. 

In April 2024, the group made Israeli targets even more of an interest for them, especially those related to military or defense sectors.

APT42 employs diverse types of advanced phishing techniques through the abuse of cloud services such as Google Sites, Drive, Gmail, Dropbox, and OneDrive for hosting their malware, phishing pages, and malicious redirects.

Their methods include creating fake petitions (such as one purportedly from the Jewish Agency for Israel), impersonating legitimate organizations like the Washington Institute for Near East Policy, and using typosquat domains like “understandingthewar[.]org” to mimic the Institute for the Study of War. 

Government-backed attacker warning (Source – TAG)

The success of the group in credential phishing has been attained through their persistence and heavy use of social engineering.

Google, in response, implemented different countermeasures such as resetting the compromised accounts, warning targeted users, disrupting malicious Google Sites pages, and adding harmful domains to the Safe Browsing blocklist.

Despite attempts by Google, APT42 is rapidly adapting its strategies demonstrating its agility in aligning with Iran’s changing political and military goals, and is a continued danger to well-known targets in the region.

APT42 tried to hack into accounts affiliated with the two biggest political party campaigns in America during the years 2020 and beyond.

The group also goes for highly developed tricks like individualized harvesting tools for credentials (GCollection, LCollection, YCollection) and manipulation of victims on social media.

To make their phishing pages credible, they abuse services like Google Sites, OneDrive, and Dropbox, often tailoring their approach based on extensive reconnaissance of their targets’ security settings and geographic locations.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Hackers Using YouTube Links and Microsoft 365 Themes to Steal Logins

Cybercriminals are executing sophisticated phishing attacks targeting Microsoft 365 users by employing deceptive URLs...

QSC: Multi-Plugin Malware Framework Installs Backdoor on Windows

The QSC Loader service DLL named "loader.dll" leverages two distinct methods to obtain the...

Weaponized LDAP Exploit Deploys Information-Stealing Malware

Cybercriminals are exploiting the recent critical LDAP vulnerabilities (CVE-2024-49112 and CVE-2024-49113) by distributing fake...