Google’s TAG Reveals Insights on APT42’s Aggressive Phishing Campaigns

Google’s Threat Analysis Group (TAG) has recently shared critical insights into the operations of APT42, an Iranian government-backed threat actor closely associated with Iran’s Islamic Revolutionary Guard Corps (IRGC). APT42 has ramped up its targeted phishing campaigns, particularly against Israel and accounts linked to the U.S. presidential election, highlighting a significant escalation in their activities.

APT42’s Targeting Patterns

APT42 has consistently focused on high-profile targets in both Israel and the U.S., including current and former government officials, diplomats, political campaigns, and individuals involved with think tanks, NGOs, and academic institutions influencing foreign policy. In the past six months, approximately 60% of APT42’s known geographic targeting has been concentrated in these two countries, underlining their strategic importance to the group’s objectives.

Spike in Targeting of Israeli Entities

Between February and July 2024, APT42 intensified its focus on Israel, targeting users connected to the Israeli military and defense sector, as well as diplomats, academics, and NGOs. In April, the group escalated its efforts, using a variety of phishing tactics, including hosting malware, phishing pages, and malicious redirects. They often abuse popular services such as Google, Dropbox, and OneDrive to lend their lures credibility and host the malicious content.

One notable campaign involved APT42 creating a fake Google Sites page, masquerading as a petition from the legitimate Jewish Agency for Israel. This page, designed to deceive users into believing it was authentic, was used to harvest credentials through malicious redirects.

Credential Phishing Campaigns

APT42’s credential phishing campaigns are characterized by their sophisticated social engineering techniques, often impersonating legitimate organizations to appear credible. In one campaign, they masqueraded as the Washington Institute for Near East Policy to target Israeli diplomats, journalists, and U.S. think tank researchers. They have also used typosquat domains to deceive targets, such as “understandingthewar[.]org” to impersonate the Institute for the Study of War.
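As an added defender-side example (not code from Google's report or this article), the check below flags domains that impersonate a watchlisted organization by token insertion, TLD swap, or small edits, using the article's understandingthewar[.]org as sample input. It assumes understandingwar.org is the legitimate Institute for the Study of War domain; example-thinktank.org is a constructed placeholder.

```python
import re
from difflib import SequenceMatcher

# Constructed watchlist of legitimate domains a defender wants to protect.
# "understandingwar.org" is assumed to be the Institute for the Study of War's
# real domain; "example-thinktank.org" is a constructed placeholder.
WATCHLIST = ["understandingwar.org", "example-thinktank.org"]

def refang(indicator):
    """Turn a defanged indicator like 'hxxps://foo[.]org/x' into a bare host."""
    text = indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    text = re.sub(r"^[a-z]+://", "", text)            # drop the scheme
    return text.split("/")[0].split(":")[0]            # drop path and port

def registrable(host):
    """Naive registrable domain: last two labels (ignores multi-part suffixes)."""
    return ".".join(host.split(".")[-2:])

def inserted_token(candidate, legit):
    """Chunk that must be inserted into `legit` to obtain `candidate`, else None."""
    if len(candidate) <= len(legit):
        return None
    for i in range(len(legit) + 1):
        if candidate.startswith(legit[:i]) and candidate.endswith(legit[i:]):
            return candidate[i:len(candidate) - (len(legit) - i)]
    return None

def classify(indicator, watchlist=WATCHLIST, threshold=0.85):
    """Return (legit_domain, reason, score) for a lookalike, or None if benign."""
    domain = registrable(refang(indicator))
    if domain in watchlist:
        return None                                    # the real thing
    label = domain.split(".")[0]
    for legit in watchlist:
        legit_label = legit.split(".")[0]
        if label == legit_label:
            return (legit, "tld-swap", 1.0)
        token = inserted_token(label, legit_label)
        if token:
            return (legit, "inserted-token:" + token, 1.0)
        score = SequenceMatcher(None, label, legit_label).ratio()
        if score >= threshold:
            return (legit, "edit-similarity", round(score, 3))
    return None

# Constructed sample indicators, including the typosquat named in the article.
SAMPLE = ["understandingthewar[.]org", "hxxps://www.understandingwar.org/report",
          "understandingwar.com", "google.com"]
RESULTS = {ind: classify(ind) for ind in SAMPLE}
```

The registrable-domain heuristic is deliberately simple; a production check should use the public suffix list so that multi-part suffixes such as co.il are handled correctly.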

Focus on U.S. Presidential Election

APT42 has also targeted individuals affiliated with the U.S. presidential election, including current and former officials connected to both President Biden and former President Trump. Between May and June 2024, TAG detected attempts to compromise the personal email accounts of approximately a dozen individuals linked to these campaigns. Although TAG blocked many of these attempts, it confirmed that APT42 had gained access to some accounts across multiple email providers.

Google’s Response

In response to these threats, Google’s TAG has taken several measures to disrupt APT42’s operations. This includes resetting compromised accounts, issuing government-backed attacker warnings to affected users, updating detection systems, and dismantling APT42’s infrastructure, including the removal of malicious Google Sites pages and the addition of harmful domains to Google’s Safe Browsing blocklist.

Google has also actively cooperated with law enforcement and advised campaign officials to enhance security protections, particularly given the increased threat from foreign state actors.

Conclusion

APT42’s aggressive and evolving tactics underscore the group’s commitment to advancing Iran’s political and military interests through cyber-espionage. As TAG continues to monitor and disrupt these campaigns, the importance of robust cybersecurity measures remains paramount for those in high-risk sectors.