Iranian hackers spy on journalists and government officials, researchers warn

Cybersecurity researchers have uncovered another Iranian state-sponsored hacking group that has been targeting government officials, journalists, academics, and opposition leaders around the world for at least seven years.

According to research published Wednesday by the cybersecurity firm Mandiant, the Iranian advanced persistent threat group, which it refers to as APT42, is linked to the country’s intelligence services.

Mandiant has confirmed at least 30 cyber operations carried out by APT42 since 2015, although researchers say that the exact number is likely much higher. Among their operations, the group targeted the pharmaceutical sector at the onset of the COVID-19 pandemic and pursued domestic and foreign-based opposition groups prior to the recent Iranian presidential elections.

The size of the gang is unclear, but Mandiant’s analyst Emiel Haeghebaert believes that APT42 is “well resourced,” as it frequently procures new infrastructure and simultaneously conducts credential harvesting and surveillance operations, as well as incorporating Windows malware into its activity. 

The group “may have multiple teams responsible for the various elements of their operations,” Haeghebaert told The Record.

Mandiant’s report coincided with Albania’s announcement on Thursday that it severed diplomatic ties with Iran and expelled the country’s embassy staff over a cyberattack on Albanian government websites that was allegedly carried out by Tehran nearly two months ago.

A NATO member, Albania is the first known country to cut off diplomatic ties in response to a cyberattack. 

U.S. National Security Council spokesperson Adrienne Watson called the Iranian cyberattack on Albania “a troubling precedent for cyberspace,” while the UK foreign secretary James Cleverly said that Iran’s actions showed “a blatant disregard” for the Albanian people. The Ukrainian security official Victor Zhora called the attack another example of “state-sponsored cyber terrorism.”

A global and domestic operation

According to Mandiant’s research on APT42, the UK, the U.S., and Ukraine are among the group’s targets, along with Australia, Italy, Israel, Bulgaria, and Norway. The Iranian hackers have consistently targeted Western think tanks, researchers, journalists, Western government officials, former Iranian government officials and the Iranian diaspora abroad.

In September 2021, for example, APT42 used a compromised European government email account to send a phishing email to almost 150 addresses associated with individuals linked to civil society and government organizations around the world. 

Much of APT42’s activity, however, is focused on the Middle East, including Iran itself, where pro-government hackers spy on opposition groups, independent journalists, and human rights activists, the researchers say.

The operations, Mandiant said, are in Tehran's interests. 

“APT42 is trusted by the Iranian government to quickly react to geopolitical changes,” they wrote.

The group’s hackers follow a similar pattern, according to Mandiant. First, they build trust and rapport with their victims to gain access to personal and corporate email accounts.

Sometimes they spend days or weeks cultivating a victim before sending a malicious link. In one case, a hacker posing as a well-known journalist from a U.S. media organization communicated with his victims for 37 days before finally directing them to a credential harvesting page, according to Mandiant.

Apart from credential harvesting, the group also uses mobile malware to target the so-called “enemies of the regime.” APT42 likely delivers its Android malware, such as VINETHORN and PINEFLOWER, via text messages.

The use of Android malware allows APT42 to obtain sensitive information on its victims, including their movement, contacts, and personal information. 

The group’s ability to record phone calls, activate the microphone and record audio, read SMS messages and track the victim's GPS location “poses a real-world risk” to its victims, the researchers said.

Mandiant concluded that APT42 will continue to conduct cyber operations to support Iran’s strategic priorities. Such cyber operations, according to Haeghebaert, are “a complement” to other tools used by states to further their interests domestically, in the region, and around the world. 

As Albania's decision to sever diplomatic ties with Iran shows, governments take these cyber operations seriously and are ready to take action.

“If these cyber operations have tangible disruptive effects, as was the case with Iran's operation in Albania, states may choose to use any of their economic, diplomatic, or military tools in a proportionate response in attempts to deter similar activity in the future,” Haeghebaert told The Record.