Google’s Threat Analysis Group shares insights on APT42, an Iranian government-backed threat actor.
# Threat Actor: APT42
## Attribution & Identity
- **Attribution:** Iranian government-backed threat actor.
- **Association:** Associated with Iran’s Islamic Revolutionary Guard Corps (IRGC).
- **Aliases:** Not explicitly detailed in this excerpt, but context implies it is a known entity tracked by Google TAG.
## Activity Summary
APT42 has been actively conducting targeted phishing campaigns, with recent efforts focused heavily on **Israel and the U.S.** between February and late July 2024. This activity aligns with supporting Iran’s political and military priorities.
Specific observed activities include:
1. **Intensified Targeting of Israel (April 2024):** Focused on individuals connected to the Israeli military/defense sector, diplomats, academics, and NGOs.
2. **U.S. Presidential Election Targeting:** Confirmation of targeting accounts associated with the U.S. presidential election cycle (consistent with past activity during the 2020 election).
3. **Social Engineering Precursors:** Sending benign initial emails to high-profile targets (e.g., journalists requesting comment from former Israeli military officials) to encourage engagement before attempting compromise.
## Tactics, Techniques & Procedures
- **Spearphishing:** Heavy reliance on email phishing campaigns.
- **Abuse of Legitimate Services:** Hosting malware, phishing pages, and malicious redirects via abuse of services like Google (Sites, Drive, Gmail), Dropbox, and OneDrive.
- **Impersonation/Social Engineering:** Used extensively to appear credible, often impersonating legitimate organizations or researchers.
- **Typosquatting:** Registering domains extremely close to legitimate organizational domains (e.g., `understandingthewar[.]org` impersonating the Institute for the Study of War, and `brookings[.]email` spoofing the Brookings Institution).
- **Credential Harvesting via Phishing Kits:** Deployment of sophisticated phishing kits disguised to look like legitimate login pages (e.g., spoofed Google Drive or password portals).
- **Obfuscation/Redirection:** Using shortened URLs and services like ngrok to redirect users to final phishing landing pages (e.g., in April 2024, using an ngrok redirect URL within a Google Sites page).
- **Benign Initial Contact:** Sending emails with benign PDF attachments (e.g., impersonating Project Aladdin) containing shortened URLs leading to phishing kits.
## Targeting
- **Sectors:** Government (current/former officials), Political Campaigns (U.S. presidential election), Defense/Military (including aerospace executives), Diplomats, Think Tanks, NGOs, and Academic Institutions contributing to foreign policy.
- **Geography:** Israel and the U.S. accounted for roughly 60% of known geographic targeting in the past six months.
- **Victims:** Former senior Israeli military officials, individuals affiliated with U.S. presidential campaigns, Israeli diplomats, academics, and U.S. military members.
## Tools & Infrastructure
- **Malware Families/Artifacts:** NEWSTERMINAL, OFFICEFUEL, FUELDUMP, GORBLE PS (LNK/Stage 1/Stage 2).
- **Infrastructure (Domains/URLs):**
  - **Impersonating Washington Institute:** Domain not stated in this excerpt; domain-based impersonation is implied.
  - **Typosquatting:** `understandingthewar[.]org`, `brookings[.]email`.
  - **Phishing Kit Domains/Redirects:** `accredit-navigation[.]online`, `n9[.]cl/4xgro` (ngrok redirect), `panel-short-check[.]live`, `check-pabnel-status[.]live`, `meetroomonlin1925.w3spaces[.]com`, `smaaaal[.]cfd`, `click-choose-figured[.]cfd`, `short-ion-per[.]live`, `checking-paneling[.]live`, `sharedrive.webredirect[.]org`, `visioneditor.loseyourip[.]com`, `s3api[.]shop`.
  - **Cloud Abuse:** `firebasestorage.googleapis[.]com/v0/b/share-box-5f395.appspot.com/o/onedrive-qrty45.html`.
- **IP Addresses (C2):** 49.13.194[.]118, 91.107.150[.]184.
## Implications
APT42 poses a significant, persistent threat to Western geopolitical and military interests, demonstrating high operational tempo and rapid adaptation to blend social engineering with technical infrastructure abuse. Their consistent focus on election-related targets and sensitive diplomatic/military figures underscores their role in executing Iranian state intelligence objectives.
## Mitigations
- **Account Security:** Resetting compromised accounts and issuing government-backed attacker warnings to targeted users.
- **Detection Updates:** Updating security detections to recognize new campaign indicators.
- **Infrastructure Disruption:** Disrupting malicious pages (e.g., Google Sites abuse) and adding associated domains/URLs to blocklists (Safe Browsing).
- **User Education:** Awareness training regarding emails impersonating researchers (like the Washington Institute) or containing benign-looking attachments that redirect to credential harvesters.
- **Domain Vigilance:** Monitoring for typosquatted domains targeting organizational aliases.
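Domain vigilance in code, as an added example that is not part of the Google TAG report: a lookalike-domain screen covering the two typosquat patterns listed under TTPs above (the brand label on a swapped TLD, as in `brookings[.]email`, and a short edit to the label, as in `understandingthewar[.]org`). The protected domains and the edit-distance threshold are assumptions.

```python
from typing import Optional

# Assumed: the organisations' real (protected) domains. The report names the
# spoofed organisations, not their real domains; these are my assumptions.
PROTECTED = ["understandingwar.org", "brookings.edu", "washingtoninstitute.org"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (iterative dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable(domain: str) -> tuple[str, str]:
    """Return (second-level label, TLD); deeper names reduce to their last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2], labels[-1]


def lookalike(candidate: str, protected=PROTECTED) -> Optional[str]:
    """Return the protected domain that `candidate` imitates, or None.
    Catches the brand label on a different TLD (brookings[.]email) and a
    small edit to the label (understandingthewar vs understandingwar)."""
    c_sld, c_tld = registrable(candidate)
    best = None
    for p in protected:
        p_sld, p_tld = registrable(p)
        dist = levenshtein(c_sld, p_sld)
        if dist == 0:
            if c_tld != p_tld:
                return p          # same brand label, swapped TLD
            continue              # this is the real domain itself
        # Tolerate roughly one edit per five characters of the brand label,
        # so short brands are not matched by unrelated short labels.
        if dist <= max(1, len(p_sld) // 5) and (best is None or dist < best[0]):
            best = (dist, p)
    return best[1] if best else None


if __name__ == "__main__":
    for d in ["understandingthewar.org", "brookings.email", "s3api.shop"]:
        print(d, "->", lookalike(d))
```

Feed it newly registered domains from certificate-transparency or passive-DNS feeds and alert on any non-None result.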