Tel Aviv at night. Image: Shai Pai via Unsplash

Israeli cyber and computer science experts phished by Iran-linked APT42

Iranian state-sponsored hackers have launched a new wave of phishing attacks targeting Israeli journalists, cybersecurity professionals and computer science professors, according to a Tel Aviv-based cybersecurity company.

The threat actor, known as APT42 and also tracked as Educated Manticore, Charming Kitten and Mint Sandstorm, is believed to operate under Iran’s Islamic Revolutionary Guard Corps (IRGC). In the group’s latest espionage campaign, hackers posed as employees of cybersecurity firms to trick high-profile Israeli targets into revealing their email credentials and two-factor authentication codes, according to researchers at Check Point.

Victims were approached through email and WhatsApp, the researchers said.

The phishing messages, which appear to have been crafted with AI assistance, initially contain no links, Check Point said. Instead, the attackers build trust through realistic communication before directing victims to phishing links disguised as Google Meet invitations or Gmail login pages.

The attackers have used similar tactics in previous campaigns, impersonating high-profile individuals or researchers from well-known institutions to lure targets. In one case attributed to APT42 last year, a prominent Jewish religious figure was sent malware under the guise of a podcast invitation.

Cybersecurity researchers around the world are on heightened alert for potential Iranian cyberattacks following a recent escalation in tensions between Israel and Iran. Palo Alto Networks said in a separate report on Wednesday that its analysts have not yet observed a sharp increase in Iran-linked cyberattacks, but warned that threat activity is likely to intensify in the coming weeks.

Experts say Iranian cyber operations are often aimed at gathering intelligence and advancing political goals and may extend to critical infrastructure, vendors, and supply chains.

In addition to Israel, Iran targets its adversaries across Europe. Earlier this week, an Iranian hacker group disrupted multiple public services in Albania’s capital, Tirana, taking down the city’s official website and affecting local government operations, according to local media reports.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.