May 6, 2024 at 09:15AM
Iran’s state-sponsored cyberespionage group APT42, also known as Calanque and UNC788, has been using new backdoors to target NGOs, government, and intergovernmental organizations. The group, operating since at least 2015 and believed to be linked to the Islamic Revolutionary Guard Corps, uses social engineering to target academia, activists, media organizations, and more. They rely on various schemes to access cloud environments and exfiltrate data, using open source tools and built-in features to avoid detection. Mandiant has identified clusters of infrastructure used in extensive credential harvesting campaigns against various sectors, with the group deploying custom backdoors in recent attacks.
From the meeting notes, the key takeaways are:
1. APT42, a state-sponsored cyberespionage group believed to operate on behalf of the Iranian Revolutionary Guard Corps, has been using new backdoors in recent attacks targeting NGOs, government, and intergovernmental organizations.
2. The group has been observed targeting academia, activists, legal services, media organizations, and NGOs in Western and Middle Eastern countries, typically relying on social engineering schemes to gain the trust of victims.
3. APT42 uses credentials harvested from its victims to access cloud environments and exfiltrate data of interest and relies on open source tools and built-in features to avoid detection.
4. Mandiant has identified three clusters of infrastructure used in extensive credential harvesting campaigns against the government sector, journalists, and NGOs and activists, with each cluster targeting different victim groups and using various social engineering techniques.
5. APT42 has been seen exfiltrating documents of interest from the Microsoft 365 environments of legal services entities and NGOs in the US and the UK, after obtaining victim credentials and bypassing multi-factor authentication (MFA) through push notifications.
6. In recent attacks, the group was observed deploying the Nicecurl and Tamecat custom backdoors against NGOs, government, or intergovernmental organizations associated with issues related to Iran and the Middle East.
7. APT42 has remained relatively focused on intelligence collection against similar victimology, while other Iran-nexus actors have shifted toward disruptive and destructive activities.
8. Some of APT42’s activities overlap with the operations of Charming Kitten, another Iranian hacking group.
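The push-notification MFA bypass in point 5 typically shows up in authentication logs as a burst of push prompts that ends in an approval. The following is an added detection example, not code from the article or from Mandiant; the log line layout and the field names are assumptions, and the sample events are constructed.

```python
"""Flag possible MFA push-fatigue abuse in authentication logs.

Constructed sample events (not real telemetry) model the pattern where
an actor holding stolen credentials triggers repeated MFA push prompts
until the user approves one. The line layout (timestamp, user, result)
is an assumption, not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO-8601 timestamp, user, push prompt result
SAMPLE_LOG = """\
2024-05-01T08:00:05Z alice push_denied
2024-05-01T08:00:41Z alice push_denied
2024-05-01T08:01:20Z alice push_timeout
2024-05-01T08:02:02Z alice push_denied
2024-05-01T08:02:55Z alice push_approved
2024-05-01T09:15:00Z bob push_approved
2024-05-01T17:30:00Z carol push_denied
2024-05-01T17:31:00Z carol push_approved
"""


def parse_events(text):
    """Parse log lines into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Return {user: prompt_count} for users who approved a push prompt
    after at least `min_prompts` prompts (any result) within `window`."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    flagged = {}
    for user, prompts in by_user.items():
        for i, (ts, result) in enumerate(prompts):
            if result != "push_approved":
                continue
            # Count every prompt in the window that ends at this approval.
            recent = [p for p in prompts[:i + 1] if ts - p[0] <= window]
            if len(recent) >= min_prompts:
                flagged[user] = len(recent)
    return flagged


if __name__ == "__main__":
    for user, n in find_push_fatigue(parse_events(SAMPLE_LOG)).items():
        print(f"possible MFA push fatigue: {user} approved after {n} prompts")
```

A single approval with no preceding denials (bob) is normal sign-in behaviour and is not flagged; lowering `min_prompts` trades fewer missed cases for more noise from users who legitimately deny one prompt and then approve.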
Additionally, it’s noted that the US has charged an Iranian over cyberattacks on government and defense organizations, and Iranian hackers have targeted the aviation and defense sectors in the Middle East and ramped up cyberattacks on Israel amid the Hamas conflict.