Security researchers have uncovered another state-backed Iranian threat group with activity dating back at least seven years.
Threat intelligence firm Mandiant claimed to have found at least 30 victims of APT42, although it said the true count is likely much higher, given the group's "high operational tempo" and the visibility gaps researchers face because the group targets personal email accounts.
Based on APT42’s targeting patterns, Mandiant assessed with “moderate confidence” that it is operating on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO).
“APT42 activity poses a threat to foreign policy officials, commentators, and journalists, particularly those in the US, the UK and Israel, working on Iran-related projects,” it said.
“Additionally, the group’s surveillance activity highlights the real-world risk to individual targets of APT42 operations, which include Iranian dual-nationals, former government officials, and dissidents both inside Iran and those who previously left the country, often out of fear for their personal safety.”
APT42 is primarily focused on cyber-espionage, using highly targeted spear-phishing and social engineering techniques to access personal and corporate email accounts, or to install Android malware on mobile devices.
The group is also capable of collecting two-factor authentication codes to bypass stronger authentication methods, and it sometimes uses the resulting access to compromise the employers, colleagues, and relatives of the initial victim.
While credential theft is its favored approach, the group has also deployed several custom backdoors and lightweight tools to further its objectives.
There is also a crossover in "intrusion activity clusters" between APT42 and another Iran-nexus threat actor, UNC2448, which has been known in the past to scan for vulnerabilities and even to deploy ransomware that abuses BitLocker.
“While Mandiant has not observed technical overlaps between APT42 and UNC2448, the latter may also have ties to the IRGC-IO,” Mandiant said.
"We assess with moderate confidence that UNC2448 and the Revengers Telegram persona are operated by at least two Iranian front companies, Najee Technology and Afkar System, based on open-source information and operational security lapses by the threat actors."