A highly resourceful Iranian state-backed hacker group is using malicious links to VPN apps sent via text messages to inject spyware, a cybersecurity company reports.
Mandiant found evidence that APT42 (Advanced Persistent Threat 42) has been carrying out such attacks since 2015 against what it describes as “the enemies of the Iranian state”, with the aim of collecting sensitive data and spying on victims.
They also claim with “moderate confidence” that the group is aligned with the intelligence agency of the Islamic Revolutionary Guard Corps (IRGC-IO), which Washington designates as a terrorist organization.
However, this malware isn’t only spread by trading on the reputation of some of the best VPN services. Well-crafted phishing emails and malicious web pages posing as free messaging apps and adult sites have also been used.
Mobile malware poses worrisome real-world risks
As Mandiant reports: “Using Android malware to target individuals of interest to the Iranian government provides APT42 with a productive method of obtaining sensitive target information, including movements, contacts, and personal information.
The group’s proven ability to record phone calls, activate the microphone and record the audio, exfiltrate images and take photos on command, read text messages, and track the victim’s GPS location in real time poses a real risk to individual victims of this campaign.”
Researchers have so far observed more than 30 confirmed operations in 14 countries around the world, spanning seven years of activity. However, they think the total number is much greater than that.
Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials, dissidents and the Iranian diaspora abroad have all been among the victims of such attacks.
Mandiant today releases details about Iranian actor APT42. They are campaigning against the enemies of the Iranian state. We believe they are linked to the IRGC. This is completely unrelated to the Albanian shenanigans. 1/x https://t.co/d4gyQQc88e
September 7, 2022
Data Collection and Monitoring Activities
APT42’s campaigns have two main goals: collecting sensitive data from targets, such as personal email credentials, multi-factor authentication codes, and private communications, and tracking victims’ location data in support of surveillance operations.
The group’s cunning playbook wins the trust of targets and engages in a conversation that can last several weeks before the phishing email is finally sent. For example, hackers pretended to be journalists working for a famous American media outlet for 37 days before launching the attack.
In the case of mobile malware, APT42 successfully targeted Internet users looking for circumvention tools to get around strict government restrictions. With over 80% of Iranians using such software to escape online censorship, the security of ordinary civilians is very much at stake.
The Mandiant report went on to point out how the group — also presumably linked to the infamous APT35, which managed to infiltrate the Play Store with fake VPN apps last year — has been able to quickly adapt its strategies and targets to Iran’s domestic and geopolitical interests.
“We assess with great confidence that APT42 will continue to conduct cyber espionage and surveillance operations in line with evolving Iranian requirements for operational intelligence gathering.”