A Google report revealed details of an Iranian hacker campaign.
Google joined Microsoft in publishing information about cyber activity from Iran after the recent wave of attacks that led to data leaks from the campaign headquarters of Donald Trump. Google's Threat Analysis Group (TAG) has confirmed that Iran is behind the incident, namely its APT42 group, which is part of the Islamic Revolutionary Guard Corps (IRGC).
TAG also reported that many other attacks were prevented prior to this incident. The activity of Iranian hackers increased significantly in May. Currently, attempts to attack the teams of President Joe Biden, Vice President and Democratic candidate Kamala Harris, and Donald Trump are continuing.
The APT42 group uses a phishing method which Google experts have designated as "Cluster C". Use of this method began in 2022 and includes attempts to pose as non-governmental organizations and as services like "Mailer Daemon". During these attacks the link-shortening service Bitly is used heavily, which allows the attackers to distribute phishing links to targeted individuals, such as military and political figures, as well as academics. Recipients of such emails often land on phishing pages disguised as conference registration forms or as documents hosted in cloud services, which allows the attackers to harvest credentials.
According to Google, in May and June, APT42 targeted the personal email accounts of about a dozen individuals associated with Joe Biden and Donald Trump, including current and former employees of the US government, as well as participants in election campaigns.
Social engineering is also used heavily by APT42 to carry out attacks. One method is to stage fake video calls on fake websites controlled by the attackers. Victims are sent email links to join a video call and are prompted to enter their credentials, which are then stolen. In most cases the attackers imitate the Google Meet service, but other fake Google sites were also recorded, and these were used in more than 50 different campaigns. TAG experts noted that special care should be taken when receiving links to Dropbox, OneDrive, and Skype, which are also used in such attacks.
In some cases, victims may be sent PDF documents that appear harmless at first glance. The purpose of such documents is to gain trust and transfer communication to other platforms, such as Signal, Telegram or WhatsApp, where attackers try to convince the victim to download tools to steal credentials.
The most advanced set of tools used by APT42 is known as GCollection, and it has been continuously updated since January 2023. This kit streamlines credential theft, handling multi-factor authentication prompts, device PIN codes, and one-time recovery codes for the Google, Hotmail, and Yahoo mail platforms.
The reconnaissance methods used by APT42 include searching open sources and social media for personal email addresses, which may be less well protected than corporate accounts. After gaining access to an account, the attackers add further mechanisms for regaining entry, including changing the backup (recovery) email address and creating app passwords, the passwords intended for applications that do not support multi-factor authentication.
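The persistence steps just described (a recovery-address change or an app-password creation shortly after a sign-in from an unfamiliar device) are exactly the kind of sequence a mailbox audit log makes visible. The script below is an added example written for this page, not code from Google or TAG; the event names, the sample events and the 24-hour correlation window are constructed assumptions, and a real deployment would map them onto whatever field names the mail provider's audit export actually uses.

```python
"""Correlate sign-ins from new devices with later account-recovery changes.

Added example for this article. The audit records are constructed inline and
the action names are assumptions, not a real provider's event schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed action names (constructed for this example).
LOGIN = "login"
PERSISTENCE_ACTIONS = {
    "recovery_email_changed": "medium",   # lets the attacker reset the password later
    "app_password_created": "high",       # bypasses MFA entirely
}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    account: str
    action: str
    detail: str  # for LOGIN: "new_device" or "known_device"; otherwise free text


@dataclass(frozen=True)
class Finding:
    account: str
    login_ts: datetime
    change: str
    severity: str


def find_persistence_after_new_device(events, window=timedelta(hours=24)):
    """Return a Finding for every persistence change that follows a
    new-device sign-in on the same account within `window`.

    Sign-ins from known devices are deliberately ignored: a user changing
    their own recovery address from their usual laptop is routine.
    """
    by_account = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_account.setdefault(e.account, []).append(e)

    findings = []
    for account, evs in by_account.items():
        new_device_logins = []
        for e in evs:
            if e.action == LOGIN:
                if e.detail == "new_device":
                    new_device_logins.append(e.ts)
            elif e.action in PERSISTENCE_ACTIONS:
                # Pair with the most recent qualifying sign-in, if any.
                recent = [t for t in new_device_logins if e.ts - t <= window]
                if recent:
                    findings.append(Finding(account, max(recent), e.action,
                                            PERSISTENCE_ACTIONS[e.action]))
    return findings


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample log: three accounts, one of them showing the pattern.
SAMPLE_EVENTS = [
    # alice: new device signs in, then both persistence changes within hours
    AuditEvent(_t("2024-06-03T09:12:00"), "alice", LOGIN, "new_device"),
    AuditEvent(_t("2024-06-03T11:40:00"), "alice", "recovery_email_changed", "added external address"),
    AuditEvent(_t("2024-06-03T11:45:00"), "alice", "app_password_created", "label: Mail"),
    # bob: routine change from a known device, should not be flagged
    AuditEvent(_t("2024-06-03T08:00:00"), "bob", LOGIN, "known_device"),
    AuditEvent(_t("2024-06-03T08:05:00"), "bob", "recovery_email_changed", "updated phone/email"),
    # carol: new-device sign-in days before the change, outside the window
    AuditEvent(_t("2024-05-28T10:00:00"), "carol", LOGIN, "new_device"),
    AuditEvent(_t("2024-06-02T10:00:00"), "carol", "app_password_created", "label: Outlook"),
]


def summarize(findings):
    """Map account -> sorted list of (change, severity) for quick review."""
    out = {}
    for f in findings:
        out.setdefault(f.account, []).append((f.change, f.severity))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in find_persistence_after_new_device(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.account}: {f.change} after new-device login at {f.login_ts}")
```

Running it flags only `alice`, with the app-password creation rated higher than the recovery-address change because an app password lets the attacker keep reading mail without ever seeing another MFA prompt. The practical consequence for response is that resetting the password alone is not enough: the recovery address must be restored and every app password revoked, otherwise the foothold the article describes survives the reset.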
APT42 uses similar social engineering and phishing methods in attacks on Israeli officials in the military, defense and academic spheres, as well as on non-governmental organizations. The attacks are often accompanied by fake petitions and fake journalists who ask high-ranking individuals for comment in order to compromise their accounts afterwards.
Source