The Iran-linked threat group possibly targeted US election campaign staff in 2019 and 2020, and it will not stop there …

Here are some updates on APT42, an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.

Based on targeting patterns that align with the operational mandates and priorities of the Islamic Revolutionary Guard Corps (IRGC)’s Intelligence Organization (IRGC-IO), there is moderate confidence that APT42 operates on that organization’s behalf. Further:

    • APT42 operations broadly fall into three categories: credential harvesting, surveillance ops, and malware deployment.
    • APT42 uses highly targeted spearphishing and social engineering techniques designed to build trust and rapport with their victims in order to access their personal or corporate email accounts or to install Android malware on their mobile devices.
    • APT42 infrequently uses Windows malware to complement their credential harvesting and surveillance efforts.
    • The threat group has consistently targeted Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials, and the Iranian diaspora abroad.
    • Some APT42 activity indicates the group shifts its operational focus as Iran’s priorities evolve, including targeted operations against the pharmaceutical sector at the onset of the COVID-19 pandemic in March 2020, and pursuit of domestic and foreign-based opposition groups ahead of an Iranian presidential election. This suggests the Iranian government trusts APT42 to react quickly to geopolitical changes by redirecting its operations toward targets of current interest to Tehran.

Mandiant, the firm that published the research on APT42, has observed over 30 confirmed targeted APT42 operations spanning the three categories above since early 2015. The total number of APT42 intrusion operations is almost certainly much higher, given the group’s high operational tempo, visibility gaps caused in part by its targeting of personal email accounts and its domestically focused efforts, and extensive open-source industry reporting on threat clusters likely associated with APT42.

Possible links to ransomware  

Mandiant researchers further highlight open-source reporting from Microsoft that claims a connection between intrusion activity clusters that generally align with APT42 and UNC2448, an Iran-nexus threat actor known for widespread scanning for various vulnerabilities, use of the Fast Reverse Proxy tool, and reported ransomware activity that abuses BitLocker.

Notably, Mandiant has not observed technical overlaps between APT42 and UNC2448. Even so, UNC2448 may also have ties to the IRGC-IO. Mandiant assesses with moderate confidence that UNC2448 and the Revengers Telegram persona are operated by at least two Iranian front companies, Najee Technology and Afkar System, based on open-source information and operational security lapses by the threat actors.

Given its long history of activity, its imperviousness to infrastructure takedowns, and the media spotlight on its operational security failures, APT42’s operational tactics and mandate are unlikely to change significantly. Nevertheless, the group has shown it can rapidly shift its operational focus as Iran’s priorities change with evolving domestic and geopolitical conditions. With high confidence, APT42 is assessed to continue performing cyber espionage and surveillance operations aligned with evolving Iranian operational intelligence collection requirements.