Iranian APT42 Group Launch A Massive Phishing Campaign To Attack U.S. Presidential Election

APT42 is an APT group that is believed to be backed by the Iranian government, and this group primarily focuses on cyber espionage.

Besides this, APT42 is also well-known for other illicit activities. Apart from cyber espionage, they also conduct phishing campaigns, and data exfiltration against a wide range of entities.

However, specifically, they target entities that are linked with military and strategic interests.

Recently, cybersecurity experts at Google’s Threat Analysis Group (TAG) identified that APT42 launched a massive phishing campaign to attack the US presidential election.

Iranian APT42 Group

APT42 is associated with the Iranian Revolutionary Guard Corps and has enhanced its hacking activities targeted at prominent personalities in Israel and the US.

These high-profile targets represented 60% of all the geographical regions the group hacked into within this period.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Their victims span a wide range, including current and former government officials, political campaign staff, diplomats, think tank researchers, academics, and NGO workers involved in foreign policy discussions. 

In April 2024, the group made Israeli targets even more of an interest for them, especially those related to military or defense sectors.

APT42 employs diverse types of advanced phishing techniques through the abuse of cloud services such as Google Sites, Drive, Gmail, Dropbox, and OneDrive for hosting their malware, phishing pages, and malicious redirects.

Their methods include creating fake petitions (such as one purportedly from the Jewish Agency for Israel), impersonating legitimate organizations like the Washington Institute for Near East Policy, and using typosquat domains like “understandingthewar[.]org” to mimic the Institute for the Study of War. 

The success of the group in credential phishing has been attained through their persistence and heavy use of social engineering.

Google, in response, implemented different countermeasures such as resetting the compromised accounts, warning targeted users, disrupting malicious Google Sites pages, and adding harmful domains to the Safe Browsing blocklist.

Despite attempts by Google, APT42 is rapidly adapting its strategies demonstrating its agility in aligning with Iran’s changing political and military goals, and is a continued danger to well-known targets in the region.

APT42 tried to hack into accounts affiliated with the two biggest political party campaigns in America during the years 2020 and beyond.

The group also goes for highly developed tricks like individualized harvesting tools for credentials (GCollection, LCollection, YCollection) and manipulation of victims on social media.

To make their phishing pages credible, they abuse services like Google Sites, OneDrive, and Dropbox, often tailoring their approach based on extensive reconnaissance of their targets’ security settings and geographic locations.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces