Google raps Iran's APT42 for raining down spear-phishing attacks
US politicians and Israeli officials among the top targets for the IRGC’s cyber unit
Google has joined Microsoft in publishing intel on Iranian cyber influence activity following a recent uptick in attacks that led to data being leaked from the Trump re-election campaign.
The tech giant's Threat Analysis Group (TAG) confirmed that Iran was behind the incident, specifically its APT42 group which is part of the Islamic Revolutionary Guard Corps (IRGC).
It also said that numerous other attacks were thwarted prior to that after Iranian activity ramped up in May. Active attacks that are continuing to be blocked include several targeting the teams of President Joe Biden, vice-president and current Democratic presidential nominee Kamala Harris, and Donald Trump, who is challenging for a second stint in the Oval Office.
APT42 is largely relying on what Google's TAG calls "Cluster C" phishing activity – distinguished methods that have been in use since 2022, characterized by attempts to impersonate NGOs and "Mailer Daemon."
These phishing attempts also make use of Bitly's link-shortening service. Targets such as defense and political officials, as well as academics, are spear-phished with links to conference signup pages, for example, or sent cloud-hosted documents, both of which prompt the recipient to enter their user credentials.
"In May and June, APT42 targets included the personal email accounts of roughly a dozen individuals affiliated with President Biden and with former President Trump, including current and former officials in the US government and individuals associated with the respective campaigns," Google's TAG said.
"We blocked numerous APT42 attempts to log in to the personal email accounts of targeted individuals."
How to spot an APT42 phish
In addition to the Cluster C activity already outlined, APT42 will often do a spot of social engineering to kick things off.
A common tactic is setting up video calls using spoofed, attacker-controlled landing pages. Targets are emailed a join link, which prompts them for login credentials, which are of course then stolen because it's not a real website.
Google Meet is spoofed a lot of the time, and TAG said other fake Google sites have been spotted in more than 50 different campaigns. You should be extra wary of Dropbox, OneDrive, and Skype links too, Google said.
PDFs might also be sent. Google didn't say exactly what these are, but they're likely benign and used only to build trust before moving the conversation to a messaging platform such as Signal, Telegram, or WhatsApp.
From there, attackers are expected to trick you into downloading a credential-harvesting kit. GCollection (aka LCollection and YCollection) has been in use and under constant development since January 2023, and is the kit Google deems the most sophisticated that APT42 uses.
It now supports a "seamless flow" including convincing features like MFA, device PINs, and one-time recovery codes for email platforms Google, Hotmail, and Yahoo.
DWP might also be dropped, often via a URL shortener, but is less fully featured than GCollection.
"This spear phishing is supported by reconnaissance, using open-source marketing and social media research tools to identify personal email addresses that might not have default multi-factor authentication or other protection measures that are commonly seen on corporate accounts," said Google.
"Once APT42 gains access to an account, they often add additional mechanisms of access including changing recovery email addresses and making use of features that allow applications that do not support multi-factor authentication like application-specific passwords in Gmail and third-party app passwords in Yahoo. Google's Advanced Protection Program revokes and disables these application-specific passwords in Gmail, protecting users from this tactic."
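The two post-compromise moves Google describes, a changed recovery address and a newly minted application-specific password, show up in account activity logs. The following is an added detection sketch, not code from Google's report, that flags either action when it follows a login from an IP the account has never used before. The log format, field names and sample events are constructed for illustration, not Google's audit schema.

```python
from datetime import datetime

# Constructed sample account-activity events (not real Google audit data);
# field names are assumptions for illustration, not Google's schema.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T08:00:00", "user": "aide@example.org",
     "event": "login", "ip": "198.51.100.7"},
    {"ts": "2024-06-01T08:04:00", "user": "aide@example.org",
     "event": "recovery_email_changed", "ip": "198.51.100.7"},
    {"ts": "2024-06-01T08:06:00", "user": "aide@example.org",
     "event": "app_password_created", "ip": "198.51.100.7"},
    {"ts": "2024-06-01T09:00:00", "user": "staff@example.org",
     "event": "login", "ip": "203.0.113.5"},
    {"ts": "2024-06-03T10:00:00", "user": "staff@example.org",
     "event": "app_password_created", "ip": "203.0.113.5"},
]

# The two persistence actions the article attributes to APT42.
PERSISTENCE_EVENTS = {"recovery_email_changed", "app_password_created"}

# Constructed baseline: IPs each account has previously been seen on.
KNOWN_IPS = {
    "aide@example.org": {"192.0.2.10"},
    "staff@example.org": {"203.0.113.5"},
}


def find_persistence_after_new_login(events, known_ips, window_seconds=3600):
    """Return [(user, event, ts)] for persistence changes made within
    window_seconds of a login from an IP not in the account's baseline."""
    suspect_login = {}  # user -> time of the latest login from an unknown IP
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["event"] == "login":
            if ev["ip"] not in known_ips.get(user, set()):
                suspect_login[user] = ts
        elif ev["event"] in PERSISTENCE_EVENTS:
            since = suspect_login.get(user)
            if since is not None and (ts - since).total_seconds() <= window_seconds:
                flagged.append((user, ev["event"], ev["ts"]))
    return flagged


if __name__ == "__main__":
    for user, event, ts in find_persistence_after_new_login(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"{ts} {user}: {event} shortly after login from an unrecognised IP")
```

Only the aide account is flagged: its staffer's app password was created from a known IP two days after the last login, so it falls outside the window.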
Israel attacks spike again
Similar phishing and social engineering tactics were observed in the targeting of Israeli officials across the military, defense, academic, and NGO sectors.
Google's TAG noticed the latest spike in this activity in late July after originally peaking in April. APT42's phishing efforts in Israel regularly peak and trough, although it never flatlines – there is always a low-level number of attacks ongoing at any one time.
The group does, however, use specific lures for Israeli targets, many of which are themed around the current conflict between the country and Palestine.
Google stymied multiple web pages imitating a petition from the Jewish Agency for Israel after finding they had been set up using Google Sites. The petition called for an end to the conflict but simply redirected visitors to phishing pages.
APT42 has also been spotted posing as reporters, contacting senior officials directly for comment on stories related to missile strikes – all to build a rapport with the targets before trying to compromise their accounts. ®