APT42 hackers masquerade as journalists to steal credentials, access cloud data

May 7, 2024




Article Summary

TLDR:

  • APT42 hackers posing as journalists to harvest credentials and access cloud data
  • Social engineering schemes used to infiltrate target networks and cloud environments

In a report published last week, Google Cloud subsidiary Mandiant revealed that APT42, an Iranian state-backed hacking group, has been using enhanced social engineering tactics to gain access to Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists. By masquerading as journalists and event organizers, APT42 was able to build trust with its victims and ultimately harvest credentials to infiltrate cloud environments. The group is connected to APT35 and operates under the Islamic Revolutionary Guard Corps (IRGC) to conduct information collection and surveillance.

APT42's attacks involve credential harvesting through phishing campaigns that target high-profile individuals in universities and research organizations. The group uses custom backdoors like NICECURL and TAMECAT to execute commands and exfiltrate data of strategic interest to Iran. APT42's tactics aim to leave a minimal footprint and make detection and mitigation challenging for network defenders. While other Iranian-nexus actors adapt by engaging in disruptive activities, APT42 remains focused on intelligence collection and targeting specific victims.

Overall, the article highlights the sophisticated methods employed by APT42 to launch targeted cyber attacks, emphasizing the importance of robust cybersecurity measures to combat such threats in cloud environments.

