APT42 – Iranian Cyber Espionage Group

Opposition to the Iranian regime.

Foreign policy impacting Iran.

Research related to Iran's nuclear program or regional conflicts.

Dissident movements within and outside Iran.

TA453 (Proofpoint)

Yellow Garuda (PwC)

ITG18 (IBM X-Force)

Phosphorus (Microsoft)

Charming Kitten (ClearSky and CERTFA)

Mint Sandstorm

Reconnaissance: APT42 conducts extensive open-source research to identify potential targets and gather information about them. This includes using social media, professional networking sites, and publicly available information to understand a target's role, affiliations, and vulnerabilities.

Initial Access (Highly Targeted Spear Phishing): APT42's primary method of gaining initial access is through highly targeted spear-phishing campaigns. These are not generic phishing attempts; they are meticulously crafted to build trust and rapport with the victim. Common tactics include:

Credential Harvesting: Once a victim clicks a malicious link, they are often redirected to fake login pages that mimic legitimate services like Google, Yahoo, Microsoft, or other cloud providers. APT42 demonstrates a deep understanding of the security settings of the email providers they target. APT42 utilizes several sophisticated credential harvesting tools, including:

Multi-Factor Authentication (MFA) Bypass: APT42 actively attempts to bypass or capture MFA codes. They have been observed attempting to collect MFA codes, using Device Prompts as accepted factors, and, in some cases, redirecting victims to cloned websites designed to capture MFA tokens (although this has not always been successful).

Persistence & Post-Compromise Activity: After gaining access to an account, APT42 takes steps to maintain persistent access. This can include:

Lateral Movement: Using compromised credentials, APT42 attempts to access other accounts and systems belonging to the victim, their colleagues, or their organization. This allows them to expand their access and gather more intelligence.

Surveillance (Mobile Malware): In some cases, particularly when targeting individuals inside Iran, APT42 deploys custom Android malware. This malware has extensive surveillance capabilities, including:

Windows Malware: Used to complement credential harvesting and surveillance, but less frequently than spear-phishing.

Custom Backdoors & Lightweight Tools: Deployed when objectives extend beyond simple credential harvesting. This suggests a modular approach to their attacks. Examples include:

Living off the Land: APT42 often uses built-in Windows features and publicly available tools (LOLBins) to avoid detection.

Recently Exploited Vulnerabilities: CVE-2023-38831

Government Officials: Current and former government officials, particularly those involved in foreign policy, defense, or national security.

Journalists and Media Organizations: Journalists covering Iran, the Middle East, or related geopolitical issues. APT42 frequently impersonates journalists to build trust with their targets.

Academics and Researchers: Academics and researchers specializing in Iran, the Middle East, nuclear proliferation, or other topics of strategic interest to Iran.

Think Tanks: Western think tanks and research institutions focusing on Middle East policy.

Human Rights Activists and Dissidents: Individuals and organizations involved in human rights advocacy or opposition to the Iranian regime, both inside and outside Iran.

Iranian Diaspora: Members of the Iranian diaspora, particularly those who are politically active or maintain connections to Iran.

Legal Services and NGOs: Organizations providing legal services or humanitarian aid related to Iran.

Nuclear Security Experts:

Targeted Countries: USA, Canada, United Kingdom, Germany, France, Middle East, Australia

Compromise of personal accounts and sensitive data.

Surveillance and monitoring of communications.

Potential physical danger, particularly for activists and dissidents inside Iran.

Theft of intellectual property and confidential information.

Compromise of sensitive communications.

Damage to reputation and trust.

Potential disruption of operations.

Targeting of Pharmaceutical Companies (2020): At the start of the COVID-19 pandemic, APT42 shifted its focus to target pharmaceutical companies and researchers involved in vaccine development.

Surveillance of Dissidents and Activists (Ongoing): APT42 consistently targets activists, dissidents, and members of the Iranian diaspora, using mobile malware for surveillance.

Credential Harvesting Campaigns Targeting Journalists and Researchers (2021-Present): APT42 has conducted ongoing campaigns impersonating journalists and researchers from prominent news outlets and think tanks to harvest credentials and gain access to cloud infrastructure.

Targeting of U.S. and Israeli Medical Professionals (2021): Proofpoint's TA453 (overlapping with APT42) targeted senior medical professionals in the U.S. and Israel.

Operations to Interfere with US Elections: Misinformation campaigns, targeted attacks against politicians, credential stealing, and malware deployment.

Security Awareness Training: Educate users about the risks of spear phishing and social engineering. Train them to be highly suspicious of unsolicited emails, particularly those requesting personal information or containing links or attachments. Emphasize verifying the sender's identity and the legitimacy of any requests.

Strong Password Policies and Multi-Factor Authentication (MFA): Enforce strong, unique passwords for all accounts. Implement and strictly enforce MFA for all critical systems and accounts, particularly email and cloud services. While APT42 attempts to bypass MFA, it remains a crucial layer of defense. It's also crucial to understand what is authentication bypass vulnerability and how to prevent it.

Email Security Gateways: Deploy email security gateways that can detect and block phishing emails, malicious attachments, and known phishing URLs.

Endpoint Detection and Response (EDR): Use EDR solutions to monitor endpoint activity for suspicious behavior, such as unusual process execution, file modifications, or network connections. Security logging and monitoring can enhance EDR effectiveness.

Network Segmentation: Segment networks to limit the impact of a successful breach. This can prevent attackers from moving laterally across the network.

Vulnerability Management: Regularly scan for and patch vulnerabilities in software and operating systems. Consider a robust vulnerability assessments strategy.

Mobile Device Security: For organizations with employees at high risk of targeting (e.g., journalists, activists), implement mobile device management (MDM) solutions and security policies to protect against mobile malware.

Threat Intelligence: Leverage threat intelligence feeds to stay informed about the latest TTPs used by APT42 and other Iranian threat actors.

Incident Response Plan: Develop and regularly test an incident response plan to ensure that the organization can quickly and effectively respond to a cyberattack. A well-defined cyber incident response plan is crucial.

Google’s Advanced Protection Program: This program revokes and disables application-specific passwords in Gmail, protecting users from one of APT42's persistence tactics.

Monitor for LOLBin Abuse: Monitor for unusual or excessive use of legitimate Windows tools (LOLBins) that could indicate malicious activity. Understanding the Windows registry structure can also aid in detecting malicious activity.

SOAR: Organizations can use SOAR platforms to automate threat detection and incident response.