Over 30 documented espionage operations against people and organizations of strategic relevance to the Iranian government since 2015 have been linked to a state-sponsored advanced persistent threat (APT) actor recently dubbed APT42 (formerly UNC788). According to cybersecurity firm Mandiant, the group (aka Charming Kitten, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda) operates as the intelligence arm of Iran’s Islamic Revolutionary Guard Corps (IRGC). It also shares some overlaps with another cluster called APT35.
Across at least 14 countries in Australia, Europe, the Middle East, and the United States, APT42 has targeted a wide range of sectors, including non-profits, education, manufacturing, government, media, healthcare, legal services, and pharmaceuticals. The fact that attacks against the pharmaceutical industry began in March 2020, at the start of the COVID-19 pandemic, highlights the threat actor’s ability to quickly adapt its campaigns to its operational goals.
“APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with their victims in order to access their personal or corporate email accounts or to install Android malware on their mobile devices,” said Mandiant in a report.
The aim is to exploit these fabricated relationships to steal credentials, use that access to compromise corporate networks and obtain sensitive information, and then use the compromised accounts to phish further victims. Attack chains combine highly targeted spear-phishing messages to reach people and organizations of strategic importance to Iran, and are also designed to win the trust of former government officials, journalists, decision-makers, and the Iranian diaspora abroad in order to deliver malware.
APT42 is known to frequently impersonate journalists and other professionals and correspond with victims for days or weeks before sending a malicious link. The group also uses compromised email accounts associated with think tanks to target researchers and other academic groups. In one attack observed in May 2017, the operators sent emails containing links to fake Google Books pages that redirected victims to sign-in pages designed to steal credentials and two-factor authentication codes. The emails were sent to members of an Iranian opposition group operating out of Europe and North America.
Android malware, including VINETHORN and PINEFLOWER, which can record audio and phone calls, exfiltrate multimedia files and SMS messages, and track geolocation, is distributed through text messages as part of surveillance operations. Between April and October 2021, a VINETHORN payload was discovered disguised as the VPN application SaferVPN. The group is also reported to occasionally employ a variety of lightweight Windows malware, including the reverse shell macro known as VBREVSHELL, the PowerShell toehold backdoor known as TAMECAT, and the VBA-based macro dropper known as TABBYCAT.
APT42’s connections to APT35 come from UNC2448, an uncategorized threat cluster that Secureworks (Cobalt Mirage) and Microsoft (DEV-0270) identified as a Phosphorus subgroup conducting BitLocker-based ransomware attacks. Microsoft found that DEV-0270/UNC2448 is run by a front organization operating under two public aliases, Secnerd and Lifeweb, which are tied to Najee Technology Hooshmand, a link that Mandiant’s research further supports.
The two groups, although both connected to the IRGC, are believed to serve distinct missions, as seen in the differences in their methods and targeting. APT42’s operations focus on people and entities for “domestic politics, foreign policy, and regime stability purposes,” as opposed to APT35’s long-term, resource-intensive operations that target various industry verticals in the US and the Middle East.