Iran-backed hackers linked to espionage campaign targeting journalists and activists • TechCrunch


Hackers backed by the Iranian government targeted human rights activists, journalists, diplomats and politicians working in the Middle East during an ongoing social engineering and credential phishing campaign, according to Human Rights Watch.

In an analysis published on Monday, Human Rights Watch said it had attributed the espionage campaign to APT42, an Iran-backed hacking group first identified by cybersecurity firm Mandiant in September. Mandiant said APT42 – also referred to as TA453, Phosphorus and Charming Kitten – supports Iran’s Islamic Revolutionary Guard Corps intelligence collection efforts and has launched over 30 confirmed operations against various non-profit, education and government targets globally since 2015. 

Human Rights Watch said it first became aware of APT42’s latest espionage campaign after one of its employees received suspicious messages on WhatsApp from someone pretending to work for a think tank based in Lebanon. The advocacy group found that a link included in the message directed the target to a fake login page that captured their email password and multi-factor authentication code.

In its analysis, conducted alongside Amnesty International’s Security Lab, Human Rights Watch identified 18 additional victims who had been targeted as part of the same campaign, and 15 of these targets confirmed that they had received the same WhatsApp messages between September 15 and November 25. On November 23, a second Human Rights Watch staff member received the same WhatsApp messages from the same number that contacted other targets.

For the three people whose accounts were known to be compromised — a correspondent for a major U.S. newspaper, a women’s rights defender based in the Gulf region, and an advocacy consultant for Refugees International based in Lebanon — the attackers gained access to emails, cloud storage drives, contacts and calendars. In at least one case, the attackers also performed a Google Takeout, a service that exports all of an account’s activity and information, including web searches, payments, travel and locations, ads clicked on, YouTube activity, and additional account information. 

“Iran’s state-backed hackers are aggressively using sophisticated social engineering and credential harvesting tactics to access sensitive information and contacts held by Middle East-focused researchers and civil society groups,” said Abir Ghattas, information security director at Human Rights Watch. “This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region.”

In light of its investigation, Human Rights Watch is calling on Google to strengthen its Gmail account security warnings to better protect its most at-risk users, including journalists and human rights defenders, after it uncovered “inadequacies” in Google’s security protections.

“Individuals successfully targeted by the phishing attack told Human Rights Watch that they did not realize their Gmail accounts had been compromised or a Google Takeout had been initiated, in part because the security warnings under Google’s account activity do not push or display any permanent notification in a user’s inbox or send a push message to the Gmail app on their phone,” Human Rights Watch said in its analysis. 

“Google’s security activity revealed that the attackers accessed the targets’ accounts almost immediately after the compromise, and they maintained access to the accounts until the Human Rights Watch and Amnesty International research team informed them and assisted them in removing the attacker’s connected device.”

Google spokesperson Kimberly Samra told TechCrunch that Google implements protections for high-risk users so their Google accounts are “protected against threats against Google services, or on other platforms as seen in this case.”

“Some of these protections include our Advanced Protection Program (APP) and 2-Step Verification (2SV) auto enrollments,” Samra said. “Google also remains committed to threat collaboration and sharing our ongoing research to raise awareness on bad actors across the industry, as it helps to more quickly respond to attacks and protect online users.”

Source: Tech Crunch
