Critical Infrastructure Security, Threat Intelligence

Media, think tank, service spoofing conducted in APT42 cyberespionage operations


Iranian state-backed hacking operation APT42 — also known as Mint Sandstorm, Mint Phosphorus, Charming Kitten, and TA453 — has spoofed major news organizations, including The Washington Post, think tanks, such as the McCain Institute, and internet services, such as Gmail, YouTube, and Google Drive, as part of cyberespionage campaigns against journalists and human rights activists, reports CyberScoop.

Using fake personas, APT42 has delivered malicious emails containing fraudulent conference invitations and documents to harvest targets' credentials, which were then used for initial access to cloud environments, according to a report from Mandiant and Google Cloud. Further examination of APT42's social engineering techniques revealed that the attachments did not carry malware but were instead intended to build rapport with the victims. APT42 also took advantage of open-source tools and other systems to exfiltrate confidential data that could be useful to Iran without being detected.

"The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders," said researchers.
