TLDR:
- Iranian hackers linked to APT42 targeted global political and diplomatic officials on WhatsApp.
- Targeted users who reported the suspicious messages enabled WhatsApp to investigate and block the accounts before any compromise was identified; WhatsApp is working with industry peers to disrupt the activity.
WhatsApp’s security teams have identified and blocked a cluster of malicious accounts operated from Iran. The campaign, attributed to the Iranian threat actor APT42, targeted political and diplomatic officials across several countries, including Israel, Palestine, Iran, the United States, and the UK. APT42, also tracked as UNC788 and Mint Sandstorm, is known for persistent, long-running operations that rely on relatively basic social-engineering and credential-phishing techniques rather than on technical exploits, and it has used those techniques to steal credentials for online accounts across many services. In this WhatsApp campaign the operators posed as technical support staff from major providers such as AOL, Google, Yahoo, and Microsoft, attempting to trick high-profile individuals into handing over sensitive information.
The vigilance of the targeted users played a crucial role in thwarting the attack. Many of the people APT42 contacted reported the suspicious messages through WhatsApp’s in-app reporting tools, which gave WhatsApp’s security teams the leads needed to investigate the activity and link it to APT42; the accounts were blocked before any account compromise was identified. WhatsApp says it continues to monitor for and disrupt malicious activity on its platform, and it shares threat information with industry peers such as Microsoft and Google. When cyber-espionage actors are detected, WhatsApp deletes their accounts, blocks the sharing of the domains they use, and notifies the individuals who were targeted. Public figures, journalists, political candidates, and campaign staff should treat unsolicited “technical support” contact with suspicion, since legitimate providers do not initiate support requests over WhatsApp; they should make use of the app’s privacy and security settings and avoid engaging with unknown contacts.