
Iran-backed hacking group targeted Trump and Biden campaigns among others


Iran-based threat group APT42 was caught carrying out a hacking campaign targeting the personal email accounts of individuals associated with the upcoming US elections. The attacks occurred in May and June and targeted over a dozen individuals, including former US government officials and people affiliated with President Biden and former President Trump’s election campaigns.

The campaign was discovered by Google’s Threat Analysis Group (TAG), which blocked multiple attempts to log in to the personal email accounts of targeted individuals. The targeted accounts have been secured, and their owners were sent government-backed attacker warnings. Google also reported the malicious activity to the relevant law enforcement authorities in early July and continues to cooperate with them.

According to TAG’s report, the attackers have been abusing legitimate, widely trusted services such as Google Sites, Google Meet, OneDrive, Dropbox, and Skype to host and deliver their lures, which makes the links harder to filter than those pointing at attacker-registered domains. In the last six months alone, the US and Israel accounted for nearly 60 per cent of APT42’s known geographic targeting, which included former Israeli military officials.

APT42 targets by known region. | Source: Google TAG

The campaigns deliver malicious links either directly in emails or inside attached PDF files. The attackers also use social engineering to lure victims onto video calls, during which they send links to phishing pages. Google has disrupted over 50 such campaigns in the last six months.

The attackers also use several phishing toolkits, including the GCollection credential-harvesting kit and the related LCollection and YCollection kits, which target Google, Hotmail, and Yahoo users. Another toolkit found in use was DWP, a browser-in-the-browser phishing kit that renders a fake login pop-up inside the attacker’s page so the spoofed address bar looks legitimate.

The group also has a detailed understanding of the email providers it targets and has added support to its toolkits for capturing multi-factor authentication codes alongside passwords, so an MFA-protected account is not automatically safe from these phishing pages. Once an account is compromised, the attackers quickly set up alternative access by changing the recovery email address or adding apps that don’t support multi-factor authentication. Both changes survive a simple password reset, so anyone responding to a suspected compromise should review the account’s recovery settings and connected apps, not just rotate the password.
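The persistence pattern described above (a login from a never-before-seen source, followed shortly by a recovery-email change or the enrolment of an app that bypasses MFA) is something defenders can hunt for in account-activity logs. The following Python script is an added example and is not code from the article or from Google TAG; the event records are constructed for illustration, and the field names (`ts`, `account`, `event`, `source_ip`, `detail`) and event names (`recovery_email_changed`, `app_password_created`, `legacy_app_enabled`) are assumptions rather than any real provider’s audit-log schema.

```python
"""Added example (not from the article or Google TAG): flag persistence changes
that follow a sign-in from a source IP the account has never used before.

The event records below are constructed for illustration; the field names and
event names are assumptions, not a real provider's audit-log schema.
"""

from datetime import datetime, timedelta

# Constructed sample events (assumed schema: ts, account, event, source_ip, detail).
# staffer@example.org: normal logins from 203.0.113.5, then a login from a new IP
# followed within minutes by a recovery-email change and an app password.
# advisor@example.org: a recovery-email change nine hours after a login, from the
# same IP the account always uses (should not alert).
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T09:12:00", "account": "staffer@example.org", "event": "login",
     "source_ip": "203.0.113.5", "detail": ""},
    {"ts": "2024-06-03T09:13:10", "account": "staffer@example.org", "event": "login",
     "source_ip": "203.0.113.5", "detail": ""},
    {"ts": "2024-06-10T14:02:00", "account": "staffer@example.org", "event": "login",
     "source_ip": "198.51.100.77", "detail": ""},
    {"ts": "2024-06-10T14:05:30", "account": "staffer@example.org", "event": "recovery_email_changed",
     "source_ip": "198.51.100.77", "detail": "new=attacker@example.net"},
    {"ts": "2024-06-10T14:07:00", "account": "staffer@example.org", "event": "app_password_created",
     "source_ip": "198.51.100.77", "detail": "name=Mail"},
    {"ts": "2024-06-11T08:00:00", "account": "advisor@example.org", "event": "login",
     "source_ip": "203.0.113.9", "detail": ""},
    {"ts": "2024-06-11T17:00:00", "account": "advisor@example.org", "event": "recovery_email_changed",
     "source_ip": "203.0.113.9", "detail": "new=advisor.backup@example.org"},
]

# Account changes that give an attacker access independent of the password and MFA.
PERSISTENCE_EVENTS = {"recovery_email_changed", "app_password_created", "legacy_app_enabled"}


def find_persistence_after_new_login(events, window=timedelta(minutes=30), known_ips=None):
    """Return (account, event, ts) tuples for persistence changes that occur within
    `window` of a login from an IP not previously seen for that account.

    `known_ips` (account -> set of IPs) lets the caller seed a historical baseline;
    without it, the very first login in the data counts as a new source.
    """
    seen_ips = {acct: set(ips) for acct, ips in (known_ips or {}).items()}
    new_login_at = {}  # account -> timestamp of the latest login from a new IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        ips = seen_ips.setdefault(acct, set())
        if ev["event"] == "login":
            if ev["source_ip"] not in ips:
                new_login_at[acct] = ts
            ips.add(ev["source_ip"])
        elif ev["event"] in PERSISTENCE_EVENTS:
            last_new = new_login_at.get(acct)
            if last_new is not None and ts - last_new <= window:
                alerts.append((acct, ev["event"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for acct, event, ts in find_persistence_after_new_login(SAMPLE_EVENTS):
        print(f"ALERT {ts} {acct}: {event} shortly after login from a new source IP")
```

The window and the "new IP" heuristic are deliberately simple; in practice you would seed `known_ips` from a longer history and add other signals the page mentions, such as a change to the recovery address immediately after a first login from a new country. Seeding the baseline also suppresses the alert that would otherwise fire on an account's very first login in the data.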

APT42 is a sophisticated threat actor associated with the intelligence arm of Iran’s Islamic Revolutionary Guard Corps (IRGC). The group shows no signs of stopping and continues to target users with novel tactics.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
