Iran-backed hackers stage phishing campaign against activists, journalists: HRW

Iran-backed hackers stage phishing campaign against activists, journalists: HRW
Iran has long engaged in phishing attempts as part of its cyberwarfare strategy. (File/AFP)
Short Url
Updated 05 December 2022
Follow

Iran-backed hackers stage phishing campaign against activists, journalists: HRW

Iran-backed hackers stage phishing campaign against activists, journalists: HRW
  • Espionage group linked to IRGC gains access to emails of 3 victims

LONDON: Iran-backed hackers have staged a targeted campaign against more than a dozen high-profile human rights activists, journalists, academics and government officials, Human Rights Watch said.

The organization found that a coordinated phishing attack had been launched by an Iran-linked hacking entity known as APT42, believed to be a cyberespionage group.

The HRW report said that two of its employees were targeted, alongside 18 other people, resulting in the hacking of emails belonging to three individuals.

APT42 gained access to the emails, cloud storage, calendars and contacts of a US newspaper correspondent based in the Middle East, a Gulf-based women’s rights activist as well as a refugee advocate in Lebanon.

HRW said that the phishing attack was launched via WhatsApp, with 15 of the targets receiving suspicious messages between September and November this year.

The message, disguised as a conference invitation, allowed APT42 to gain access to the Google accounts of the three victims after they were invited to enter their two-factor authentication details on false pretenses.

Iran has long engaged in phishing attempts as part of its cyberwarfare strategy.

Since 2010, hackers and espionage groups linked to the regime in Tehran have successfully hacked and leaked the data of government, military and business targets around the world.

In September, APT42 members were sanctioned by the US Office of Foreign Assets Control at the Treasury Department.

Google as well as cybersecurity businesses Recorded Future and Proofpoint have said that APT42 operates on behalf of Iranian authorities.

Earlier this year, cybersecurity company Mandiant said that the group’s activities were directed by Iran’s Islamic Revolutionary Guard Corps.

APT42 uses sophisticated social engineering strategies in disguising phishing attempts, HRW said.

In gaining the trust of victims, APT42 members use the real information of conference organizers to create fake accounts and contact high-profile activists and officials.

Previous attacks have seen the group impersonate members of the Munich Security Conference and the G20 Think 20 Summit in Saudi Arabia to contact targets and launch phishing attacks.

Abir Ghattas, information security director at HRW, said: “Iran’s state-backed hackers are aggressively using sophisticated social engineering and credential harvesting tactics to access sensitive information and contacts held by Middle East-focused researchers and civil society groups.

“This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region.”

She added: “In a Middle East region rife with surveillance threats for activists, it’s essential for digital security researchers to not only publish and promote findings, but also prioritize the protection of the region’s embattled activists, journalists and civil society leaders.”