Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents
Security News, September 2022
A state-sponsored advanced persistent threat actor newly christened APT42 has been attributed to more than 30 confirmed espionage attacks, dating back to at least 2015, against individuals and organizations of strategic interest to the Iranian government.
APT42 has struck a wide range of sectors, including non-profits, education, government, healthcare, legal, manufacturing, media, and pharmaceuticals, across at least 14 countries in Australia, Europe, the Middle East, and the U.S. The intrusions against the pharmaceutical sector are notable for having begun at the onset of the COVID-19 pandemic in March 2020, showing how quickly the group retargets its campaigns to match the Iranian government's current intelligence priorities.
Besides using compromised email accounts belonging to think tanks to approach researchers and academic institutions, APT42 frequently impersonates journalists and other professionals, corresponding with a target for days or even weeks to build rapport before sending a malicious link.
In one attack observed in May 2017, the group targeted members of an Iranian opposition group operating from Europe and North America with emails containing links to rogue Google Books pages, which redirected victims to fake sign-in pages designed to harvest both credentials and two-factor authentication codes. Because a one-time code typed into such a page can be relayed to the real service within its validity window, OTP-based second factors do not stop this style of real-time credential phishing; only an origin-bound factor (a FIDO2/WebAuthn security key or passkey) does.
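To make the mechanism concrete, the following is an added illustration written for this page, not code from the article or from any APT42 tooling. It models the flow just described: a fake sign-in page captures a password and a TOTP code and relays them to the genuine service while the code is still live, and the login succeeds. It then shows why an origin-bound factor, modelled loosely on WebAuthn's signed origin, rejects the same relay. The class names, the constructed secrets, the "hunter2" password and the example origins are all assumptions made for the demo; HMAC with a per-device key stands in for the authenticator's asymmetric signature so the example runs with the standard library alone.

```python
"""Real-time OTP relay phishing versus an origin-bound second factor.

Added example for illustration; not code from the article or from any real
attacker tooling. Names, secrets and origins are constructed for the demo.
TOTP follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits).
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the moving counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step)


class RealService:
    """The genuine sign-in endpoint: password plus TOTP code."""

    def __init__(self, password: str, totp_secret: bytes):
        self.password = password
        self.secret = totp_secret

    def login(self, password: str, code: str, now: int) -> bool:
        # Accept the current and the previous step: a common clock-skew allowance,
        # and exactly the window a relaying phisher needs.
        valid = {totp(self.secret, now), totp(self.secret, now - 30)}
        return hmac.compare_digest(password, self.password) and code in valid


class PhishingPage:
    """Look-alike sign-in page: records what the victim types and forwards it
    to the real service immediately, before the one-time code expires."""

    def __init__(self, real: RealService, relay_latency_s: int = 3):
        self.real = real
        self.latency = relay_latency_s
        self.captured = []          # what the attacker keeps

    def submit(self, password: str, code: str, now: int) -> bool:
        self.captured.append((password, code))
        return self.real.login(password, code, now + self.latency)


class Authenticator:
    """Origin-bound factor: signs the challenge together with the origin the
    browser actually showed. Simplification: HMAC with a device key instead
    of an asymmetric signature."""

    def __init__(self, device_key: bytes):
        self.key = device_key

    def sign(self, challenge: bytes, origin: str) -> Tuple[str, bytes]:
        mac = hmac.new(self.key, challenge + origin.encode(), hashlib.sha256).digest()
        return origin, mac


class OriginBoundService:
    def __init__(self, origin: str, device_key: bytes):
        self.origin = origin
        self.key = device_key
        self.pending = set()        # outstanding single-use challenges

    def challenge(self) -> bytes:
        c = os.urandom(16)
        self.pending.add(c)
        return c

    def verify(self, challenge: bytes, origin: str, mac: bytes) -> bool:
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)      # one use only
        if origin != self.origin:            # the check a relaying phisher cannot satisfy
            return False
        expected = hmac.new(self.key, challenge + origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def demo_totp_relay(now: Optional[int] = None) -> bool:
    """Victim enters password and OTP on the phishing page; relayed, accepted."""
    now = int(time.time()) if now is None else now
    secret = b"constructed-totp-seed"        # constructed sample secret
    phish = PhishingPage(RealService("hunter2", secret))
    victim_code = totp(secret, now)          # what the victim reads off their app
    return phish.submit("hunter2", victim_code, now)   # True: login succeeded


def demo_origin_bound_relay() -> bool:
    """Same relay against the origin-bound service: rejected."""
    key = os.urandom(32)
    real = OriginBoundService("https://accounts.example", key)
    chal = real.challenge()                  # phisher fetched it from the real site
    origin, mac = Authenticator(key).sign(chal, "https://accounts.example.evil")
    return real.verify(chal, origin, mac)    # False: origin mismatch


def demo_origin_bound_legit() -> bool:
    """Control case: the genuine origin still signs in."""
    key = os.urandom(32)
    real = OriginBoundService("https://accounts.example", key)
    chal = real.challenge()
    origin, mac = Authenticator(key).sign(chal, "https://accounts.example")
    return real.verify(chal, origin, mac)    # True


if __name__ == "__main__":
    print("TOTP relay accepted:", demo_totp_relay())
    print("Origin-bound relay accepted:", demo_origin_bound_relay())
    print("Origin-bound legitimate login:", demo_origin_bound_legit())
```

The relay succeeds even with a few seconds of latency because the server tolerates the previous time step; the origin-bound case fails not on the code but on the origin field, which the phisher cannot change without invalidating the signature.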
On mobile, an Android malware payload tracked as VINETHORN, observed between April and October 2021, masqueraded as a VPN app called SaferVPN. "The use of Android malware to target individuals of interest to the Iranian government provides APT42 with a productive method of obtaining sensitive information on targets, including movement, contacts, and personal information," the researchers noted.
APT42's connection to APT35 stems from its overlap with an uncategorized threat cluster tracked as UNC2448, which Microsoft and Secureworks have described as a subgroup of Phosphorus (Microsoft's name for APT35) that carries out financially motivated ransomware attacks using Windows' built-in BitLocker drive encryption rather than custom ransomware.
News URL: https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html