Google Disrupts Iranian Hacking Activity Targeting US Presidential Election


Google on Wednesday announced that it disrupted an Iranian state-sponsored hacking campaign targeting the personal email accounts of individuals associated with the US elections.

The campaign has been attributed to APT42, an Iranian nation-state hacking group also tracked as Calanque and UNC788, and associated with the Islamic Revolutionary Guard Corps (IRGC) intelligence agency. The attacks occurred in May and June, and targeted dozens of individuals.

The intended victims include former US government officials and people affiliated with the election campaigns of President Biden and former President Trump.

“We blocked numerous APT42 attempts to log in to the personal email accounts of targeted individuals,” Google says.

Following a recent Microsoft report on Iranian hackers compromising the email accounts of individuals linked to the US elections, Google has observed APT42 logging in to the Gmail account of a high-profile political consultant.

“In addition to our standard actions of quickly securing any compromised account and sending government-backed attacker warnings to the targeted accounts, we proactively referred this malicious activity to law enforcement in early July and we are continuing to cooperate with them,” Google says.

The advanced persistent threat (APT) actor’s phishing campaigns involve malicious links included either in email bodies or in PDF attachments. Using social engineering, the threat actor would also lure victims into video meetings and then send them links to phishing pages.

Google, which disrupted more than 50 APT42 phishing campaigns over the past six months, explains that the attackers have been abusing popular services such as Google Sites, Google Meet, OneDrive, Dropbox, and Skype as part of the phishing attacks.


The threat actor was also seen sending legitimate PDF attachments to encourage the intended targets into engaging on other platforms as well, including Signal, Telegram, and WhatsApp.

According to Google, the APT also uses several phishing kits, including the GCollection/LCollection/YCollection credential harvesting tool targeting Google, Hotmail, and Yahoo users, and DWP, a browser-in-the-browser phishing kit.

“This spear phishing is supported by reconnaissance, using open-source marketing and social media research tools to identify personal email addresses that might not have default multi-factor authentication or other protection measures that are commonly seen on corporate accounts,” Google notes.

APT42 shows a good understanding of the targeted email providers and has added support for defeating multi-factor authentication protections to its phishing kits. Combined with its knowledge of the target, this allows the group to present the correct credentials and the correct second factor, originating from the expected geographic location.

Once it has compromised an account, the threat actor often changes the access mechanism by updating the recovery email address or by adding applications that do not support multi-factor authentication.
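The two post-compromise behaviours described above (a recovery-email change and the addition of an app that bypasses MFA) are the kind of account changes a defender can alert on when they follow a login from a location never before seen for that user. The following detection logic is an added example, not code from the article or from Google; the audit events and their field names are constructed for illustration and do not represent any provider's real log format, and the two-hour correlation window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample account-audit events (hypothetical schema, not a real provider's format).
EVENTS = [
    {"ts": "2024-06-03T09:12:00", "user": "consultant@example.com", "type": "login", "country": "US"},
    {"ts": "2024-06-10T22:41:00", "user": "consultant@example.com", "type": "login", "country": "TR"},
    {"ts": "2024-06-10T22:49:00", "user": "consultant@example.com", "type": "recovery_email_changed", "country": "TR"},
    {"ts": "2024-06-10T23:05:00", "user": "consultant@example.com", "type": "app_password_created", "country": "TR"},
    {"ts": "2024-06-11T08:00:00", "user": "staffer@example.com", "type": "login", "country": "US"},
    {"ts": "2024-06-11T08:30:00", "user": "staffer@example.com", "type": "recovery_email_changed", "country": "US"},
]

# Account changes that give an intruder a foothold that survives a password reset
# or sidesteps MFA: changing the recovery address, or adding a legacy/app password.
PERSISTENCE_EVENTS = {"recovery_email_changed", "app_password_created", "mfa_disabled"}


def find_suspicious_persistence(events, window=timedelta(hours=2)):
    """Return (user, event_type, timestamp) for persistence changes made within
    `window` of a login from a country not previously seen for that user."""
    events = sorted(events, key=lambda e: e["ts"])
    known_countries = {}       # user -> countries seen in earlier logins (baseline)
    recent_new_geo_login = {}  # user -> time of the latest login from a new country
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        seen = known_countries.setdefault(user, set())
        if e["type"] == "login":
            if e["country"] not in seen:
                # The very first login only establishes the baseline; later
                # logins from an unseen country are what we correlate against.
                if seen:
                    recent_new_geo_login[user] = ts
                seen.add(e["country"])
        elif e["type"] in PERSISTENCE_EVENTS:
            last = recent_new_geo_login.get(user)
            if last is not None and ts - last <= window:
                alerts.append((user, e["type"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_persistence(EVENTS):
        print("ALERT: possible account takeover persistence:", alert)
```

The staffer's recovery-email change is not flagged because it followed a login from that account's baseline country; in practice the baseline would be built from a longer history than one event.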

APT42 continues to target the personal email accounts of people affiliated with President Biden, Vice President Harris, and former President Trump, while also intensifying attacks against high-profile users in Israel, the internet giant adds.

“In the past six months, the US and Israel accounted for roughly 60% of APT42’s known geographic targeting, including the likes of former senior Israeli military officials and individuals affiliated with both US presidential campaigns,” the company says.

The threat actor’s activity in Israel also targeted individuals in the defense sector, diplomats, academics, and civil society, including NGOs and political entities.

Previous reporting has shown that APT42 impersonates organizations of interest to the target of its phishing attacks. In recent campaigns, the group was seen impersonating the Washington Institute for Near East Policy, the Institute for the Study of War, and the Brookings Institution.

“APT42 is a sophisticated, persistent threat actor and they show no signs of stopping their attempts to target users and deploy novel tactics. This spring and summer, they have shown the ability to run numerous simultaneous phishing campaigns, particularly focused on Israel and the US. As hostilities between Iran and Israel intensify, we can expect to see increased campaigns there from APT42,” Google notes.

Related: What We Know About Suspected Iranian Cyber Intrusion in the US Presidential Race

Related: FBI Says It Is Investigating After Trump Campaign Said Sensitive Documents Were Hacked by Iran

Related: US Offering $10 Million Reward for Iranian ICS Hackers

Related: US Charges Iranian Over Cyberattacks on Government, Defense Organizations
