What is APT42 attack that spread via WhatsApp and targets high-profile activists and others – Times of India

Iran government-backed hackers have targeted several high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East issues. According to Human Rights Watch (HRW), the ongoing social engineering and credential phishing campaign has reportedly been carried out via WhatsApp. The HRW attributed the phishing attack to an entity affiliated with the Iranian government known as APT42 and sometimes referred to as TA453, Phosphorus and Charming Kitten. The Iran-backed hacking group was first identified by cybersecurity firm Mandiant in September 2022.
In its analysis, conducted alongside Amnesty International’s Security Lab, HRW identified 18 victims who had been targeted as part of the same campaign, and 15 of these targets confirmed that they had received the same WhatsApp messages between September 15 and November 25.
How APT42 operates
As per security firm Mandiant, APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with their victims in order to access their personal or corporate email accounts or to install Android malware on their mobile devices. In addition, APT42 infrequently uses Windows malware to complement their credential harvesting and surveillance efforts.
APT42 operations broadly fall into three categories
Credential harvesting: APT42 frequently targets corporate and personal email accounts through highly targeted spear-phishing campaigns with enhanced emphasis on building trust and rapport with the target before attempting to steal their credentials. Mandiant also has indications that the group leverages credential harvesting to collect Multi-Factor Authentication (MFA) codes to bypass authentication methods and has used compromised credentials to pursue access to the networks, devices, and accounts of employers, colleagues, and relatives of the initial victim.
Surveillance operations: As of at least late 2015, a subset of APT42’s infrastructure served as command-and-control (C2) servers for Android mobile malware designed to track locations, monitor communications, and generally surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran.

Malware deployment: While APT42 primarily prefers credential harvesting over activity on disk, several custom backdoors and lightweight tools complement its arsenal. The group likely incorporates these tools into their operations when the objectives extend beyond credential harvesting.
Mandiant has observed over 30 confirmed targeted APT42 operations spanning these categories since early 2015. The total number of APT42 intrusion operations is almost certainly much higher based on the group’s high operational tempo, visibility gaps caused in part by the group’s targeting of personal email accounts and domestically focused efforts, and extensive open-source industry reporting on threat clusters likely associated with APT42.
Also watch: