A well-resourced advanced persistent threat (APT) group aligned with Iran's Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and active since 2015 is targeting perceived threats to the Iranian government with sophisticated cybercriminal and surveillance operations, based on social engineering and fraudulent trust relationships.

APT42, believed to be a subset of APT35/Charming Kitten/Phosphorus, uses highly targeted spear-phishing and social-engineering techniques in which they get victims to trust them, according to a blog post and detailed report (PDF) by Mandiant released Wednesday.

The goal is to exploit those relationships to steal personal info and credentials, after which the group then moves deeper into corporate networks, or targets colleagues or family of the victim to steal yet more data and perform other nefarious activities.

APT42 also engages in surveillance by installing Android spyware on mobile devices to keep a constant eye on targets. This is to ensure "regime stability by monitoring, and subsequently even arresting, those they deem to be a threat to the regime," Mandiant researchers told Dark Reading.

Threat actors also sometimes use Windows malware to complement these primary methods of attack, researchers said. Indeed, APT42 is capable of conducting multiple types of operations at any given time, Mandiant researchers told Dark Reading, which is somewhat unique. The group has already been identified as the perpetrator in about 30 known campaigns — a number that Mandiant suspects is a low estimate.

"Not only does APT42 conduct 'traditional' cyber-espionage activity targeting organizations in order to obtain information of strategic relevance to the Iranian government, the group also conducts targeted surveillance operations against individuals," researchers said in an email interview.

In terms of threats to the private sector, "APT42 has a propensity to target both personal and corporate email accounts of individuals and organizations of interest," they told Dark Reading. "They also change their targeting patterns over time as Iranian government priorities change."

Here at home, current and former US government officials and researchers at think tanks and in academia involved in Iran-relevant policy-making or research already have been targets of APT42, and this activity is not likely to cease, researchers said. In fact, the group may even cast a wider net and extended its activities to government contractors working on the same Iran-related issues, researchers told Dark Reading.

3 Stages of Threat Activity

APT42 has three main areas of threat activity. Initial compromise is done via credential harvesting, using targeted spear-phishing campaigns that emphasize developing trust with the victim beforehand. This is done by impersonating journalists or other professionals that a victim might trust or want to connect with.

The group then uses this entry method to collect multifactor authentication (MFA) codes so they can bypass security protections and pursue deeper access to the networks, devices, and the accounts of employers, colleagues, and relatives to steal information that might be relevant to the government.

The second key activity of the group is to conduct surveillance operations through Android mobile malware that tracks locations, monitors communications, and keeps track of the activities of dissidents and other people of interest to the government.

Finally, the group also has in its arsenal a raft of malware, including custom backdoors and other "lightweight" tools that it uses for operations that go beyond credential harvesting, researchers said.

Connections to Other Threat Groups

The state-backed APT has been on the radar screen for security researchers since it commenced operations in 2015. It's tracked via a number of nomenclatures by different companies, including TA453 (Proofpoint), Yellow Garuda (PricewaterhouseCoopers), and ITG18 (IBM).

APT42 also has connections to and is likely a subset of APT35, the prolific group better known as Charming Kitten, but it has a different set of goals, researchers said.

Charming Kitten focuses more on long-term, malware-intensive operations targeting organizations and companies in the United States and Middle East to steal data to support the Iranian military and government operations. APT42, in contrast, targets specific individuals and organizations that the regime has its eye on for the purpose of domestic politics, foreign policy, and regime stability, researchers said.

Specific, Agile State-Sponsored Cyber Campaigns

Over the years, researchers have identified specific campaigns linked to APT42 and occasionally attributed to APT35/Charming Kitten/Phosphorus, due to the complexity of tracking the group's numerous operations, and the differences in how threat actors are identified.

A phishing campaign tied to APT42 and dubbed "Operation SpoofedScholars" occurred last year, with the group impersonating scholars with the University of London's School of Oriental and African Studies (SOAS). The operation targeted individuals focused on Middle East affairs in the United States and the United Kingdom to gain access to personal email inboxes.

Earlier this year, APT42 impersonated a legitimate British news organization in a February campaign targeting professors in Belgium and the United Arab Emirates that had ties to local governments or relatives holding dual citizenship in Iran, according to Mandiant. The activity obtained the personal email credentials of its targets, luring them by using a customized PDF document that invited them to an online interview, but instead linking them to a Gmail credential-harvesting page.

In addition to targeting scholars and journalists, APT42 also shows versatility and agility in its operations, researchers said. It was among threat groups that jumped on the bandwagon of targeting researchers in the pharmaceutical sector during the COVID-19 pandemic, with a campaign that occurred in its initial phase in March 2020, according to Mandiant.

"This indicates that APT42 is trusted by the Iranian government to quickly react to geopolitical changes by adjusting their flexible operations to targets of operational interest to Tehran," researchers said.

Who's at Risk?

Iran, like China and Russia, has a raft of threat actors at its service to conduct malicious cyber activity against organizations and individuals that the government has identified are threats. Its current offensive stance and rising cyber conflict with the United States is due to the unique position in geopolitics that the country currently occupies, Mandiant researchers told Dark Reading.

"The combination of regional tensions, the nuclear deal's negotiations, and domestic unrest about economic and social issues create an environment in which a group such as APT42 thrives," researchers said.

The group’s ability to pivot depending on the intentions of the government will continue to pose an immediate threat to both individuals and organizations globally, with global events and local politics continuing to drive operations and targeting priorities, Mandiant researchers said.