Google raps Iran’s APT42 for raining down spear-phishing attacks

August 15, 2024 at 12:30PM

Google confirmed Iranian cyber influence activity targeting US political figures, including Trump, Biden, and Harris, with phishing tactics and social engineering. APT42, part of the Iranian Revolutionary Guard Corps, used “Cluster C” phishing activity and Bitly links to target officials. Similar attacks were observed on Israeli officials, themed around the conflict with Palestine.

The key takeaways from the report are:

1. APT42, a group associated with the Islamic Revolutionary Guard Corps (IRGC) in Iran, has been attributed to cyber influence activities targeting the reelection campaigns of President Joe Biden, Vice President and current Democratic presidential nominee Kamala Harris, and Donald Trump.

2. The group employs sophisticated phishing methods, including impersonating NGOs and using Bitly’s link-shortening service to target defense and political officials, as well as academics.

3. APT42 conducts reconnaissance using open-source marketing and social media research tools to identify personal email addresses and uses specific lures for Israeli targets, themed around the current conflict between Israel and Palestine.

4. Google’s Threat Analysis Group (TAG) observed an increase in phishing efforts by APT42 in Israel, including posing as reporters and setting up fake web pages imitating a petition from the Jewish Agency for Israel.

5. The group also uses social engineering tactics such as setting up spoofed video calls and sending PDFs to build trust before attempting to compromise accounts.

6. APT42’s phishing attempts involve fake Google sites and Dropbox, OneDrive, and Skype links. The group also uses a credential-harvesting kit known as GCollection, which supports a “seamless flow” with convincing features such as multi-factor authentication prompts and device PINs.

7. Google’s Advanced Protection Program revokes and disables the application-specific passwords in Gmail, protecting users from APT42’s tactics.

These takeaways provide insight into the specific methods and targets of APT42’s cyber influence activities, as well as the measures being taken to counter these threats.
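Two of the indicators named above, Bitly-shortened links and links to fake Google, Dropbox, OneDrive or Skype pages, can be triaged at a mail gateway. The following is an added example written for this summary, not Google TAG's or Bitly's code; the shortener list, the brand allowlist and the sample lure text are constructed assumptions.

```python
"""Mail-gateway triage for two indicators named in the APT42 report: Bitly-style
shortened links and lookalike hosts imitating Google, Dropbox, OneDrive or Skype.
Added example, not Google TAG's code; allowlists and sample text are constructed."""
import re
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "bitly.com", "j.mp"}  # Bitly-operated hosts
# Brand keyword -> apex domains that legitimately carry that brand (assumption;
# a production allowlist would be larger, e.g. googleusercontent.com).
BRANDS = {
    "google": {"google.com"},
    "dropbox": {"dropbox.com"},
    "onedrive": {"live.com", "1drv.ms", "microsoft.com"},
    "skype": {"skype.com"},
}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def apex(host: str) -> str:
    """Last two labels of a hostname; adequate for the TLDs used here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> list[str]:
    """Return the reasons a single URL is suspicious (empty list if none)."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if host in SHORTENERS:
        reasons.append("shortener hides destination")
    for brand, legit in BRANDS.items():
        # Brand name in the host but not under a brand-owned apex = lookalike.
        if brand in host and apex(host) not in legit:
            reasons.append(f"lookalike of {brand}")
    return reasons


def triage_message(body: str) -> dict[str, list[str]]:
    """Map each suspicious URL in an email body to its reasons."""
    return {u: r for u in URL_RE.findall(body) if (r := classify_url(u))}


if __name__ == "__main__":
    # Constructed lure in the NGO/petition style the report describes.
    sample = ("Please review the petition draft at https://bit.ly/3xAMPLE and "
              "sign in at https://accounts-google.verify-login.example/ ; the "
              "real copy is at https://drive.google.com/file/d/abc")
    for url, why in triage_message(sample).items():
        print(url, "->", ", ".join(why))
```

The brand allowlist is the weak point of this approach: any legitimate brand-owned apex missing from it (such as googleusercontent.com) produces a false positive, so tune it against the organisation's own mail before alerting on it.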
