In its analysis, conducted alongside Amnesty International’s Security Lab, HRW identified 18 victims who had been targeted as part of the same campaign, and 15 of these targets confirmed that they had received the same WhatsApp messages between September 15 and November 25.
How APT42 operates
As per security firm Mandiant, APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with their victims in order to access their personal or corporate email accounts or to install Android malware on their mobile devices. In addition, APT42 infrequently uses Windows malware to complement their credential harvesting and surveillance efforts.
APT42 operations broadly fall into three categories:
Credential harvesting: APT42 frequently targets corporate and personal email accounts through highly targeted spear-phishing campaigns with enhanced emphasis on building trust and rapport with the target before attempting to steal their credentials. Mandiant also has indications that the group leverages credential harvesting to collect Multi-Factor Authentication (MFA) codes to bypass authentication methods and has used compromised credentials to pursue access to the networks, devices, and accounts of employers, colleagues, and relatives of the initial victim.
Surveillance operations: As of at least late 2015, a subset of APT42’s infrastructure served as command-and-control (C2) servers for Android mobile malware designed to track locations, monitor communications, and generally surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran.
Malware deployment: While APT42 primarily prefers credential harvesting over activity on disk, several custom backdoors and lightweight tools complement its arsenal. The group likely incorporates these tools into their operations when the objectives extend beyond credential harvesting.
Mandiant has observed over 30 confirmed targeted APT42 operations spanning these categories since early 2015. The total number of APT42 intrusion operations is almost certainly much higher based on the group’s high operational tempo, visibility gaps caused in part by the group’s targeting of personal email accounts and domestically focused efforts, and extensive open-source industry reporting on threat clusters likely associated with APT42.