Iran-sponsored hackers used malware to track locations, record phone calls, and extract text messages from targets, according to cybersecurity firm Mandiant.
People in the U.S., U.K. and Israel are particularly at risk, as the cyberattackers aim to victimize Western government officials, Iranian dissidents, academics and journalists.
Mandiant said it assessed the hacking group APT42 to be operating on behalf of the Iranian government.
“Mandiant assesses with high confidence that APT42 is a prolific and well-resourced threat actor that carries out Iranian state-sponsored espionage and surveillance activity in support of Iran’s strategic priorities,” Mandiant said in a new report Wednesday. “The group has been active since at least early 2015 and relies primarily on highly targeted social engineering efforts to achieve its objectives against both individuals and organizations of interest to the Iranian government.”
The hackers are skilled at stealing credentials for personal and corporate email accounts, conducting surveillance through Android mobile malware, and creating custom backdoors on a compromised device.
Mandiant said it has confirmed more than 30 operations using these tactics by the hackers since 2015. The cyber firm said it most recently detected malware used for surveillance and monitoring against targets between June and August of 2022.
“APT42 has consistently targeted Western think tanks and academics, media organizations, members of the Iranian diaspora in the United Kingdom, Israel, the United States and high-profile Iranian individuals within Iran in efforts to collect credentials of individuals of interest to the Iranian government,” the report said.
The hackers have impersonated prominent organizations to compromise people. In 2021, they mimicked a Gmail login page to target a senior Israeli official, and in 2017 they sent links to fake Google Books pages that redirected people to sign-in pages where the hackers could steal their passwords.
“In the weeks ahead of Iran’s June 18, 2021, presidential election, APT42 used a compromised email address belonging to an Iran researcher at a U.S. think tank to spear phish a member of an Iranian opposition group headquartered in Europe in a probable attempt to gain access to the organization and its other members,” the report said. “The group impersonated the researcher and invited the target to review and provide feedback on one of the researcher’s articles on Iranian nuclear issues in a likely effort to build trust with the target before engaging in further conversation.”
While pinpointing precisely who was responsible for the hacks has proven difficult, Mandiant said it had moderate confidence that the hackers were working for the Intelligence Organization of the Islamic Revolutionary Guard Corps based on the hackers’ targeting pattern and longevity. The cyber firm also noted that the hackers appeared impervious to infrastructure takedowns intended to disrupt their work.
Iran’s recent cyberattacks have been felt around the world. Earlier this week, Albania cut diplomatic ties with Iran and expelled its embassy staff over a cyberattack allegedly conducted by Iran. The Biden administration condemned the attack on Wednesday.
In the U.S., FBI Director Christopher A. Wray said in June that Iran-sponsored cyberattackers previously planned to hit Boston Children’s Hospital but were stopped.