📌 Impersonation Tactics: APT42 has been impersonating well-known news outlets and think tanks, such as The Washington Post, The Economist, and The Jerusalem Post, to target journalists, researchers, and activists in Western countries and the Middle East. This campaign, which began in 2021 and is still ongoing, involves creating fake website links to harvest login credentials from victims.

📌 Minimal Footprint: The methods deployed by APT42 are designed to leave a minimal footprint, making the detection and mitigation of their activities more challenging for network defenders. This stealthiness is achieved through the use of typosquatting and social engineering techniques.

📌 Typosquatting and Social Engineering: APT42 often uses typosquatting, acquiring web domains that look real but contain small errors or alterations, to create malicious links. These links redirect recipients to fake Google login pages. An example provided is “washinqtonpost[.]press,” where a "q" replaces the "g" in "W
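For defenders, the look-alike pattern described above can be checked mechanically in mail-gateway or proxy logs. The following is an added example, not part of the original text: the watch list, the substitution table and the distance threshold are assumptions chosen for illustration, and it goes slightly beyond the single "q"-for-"g" case by also catching other small edits.

```python
import re

# Assumed watch list: registrable domains of the outlets named in the text.
LEGIT = ["washingtonpost.com", "economist.com", "jpost.com"]
# Look-alike substitutions folded to one form before comparison (not exhaustive).
CONFUSABLE = [("rn", "m"), ("vv", "w"), ("q", "g"), ("0", "o"), ("1", "l"), ("i", "l")]

def refang(domain):
    """Undo common defanging ('[.]', 'hxxp') and strip scheme, path and port."""
    d = domain.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    d = re.sub(r"^[a-z]+://", "", d)
    return re.split(r"[/:?#]", d)[0].rstrip(".")

def skeleton(label):
    for src, dst in CONFUSABLE:
        label = label.replace(src, dst)
    return label

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def check(domain):
    """Return (legit_domain, reason) for a suspected look-alike, else None."""
    host = refang(domain)
    if any(host == l or host.endswith("." + l) for l in LEGIT):
        return None  # the real site or one of its subdomains
    for legit in LEGIT:
        brand = legit.split(".")[0]
        for label in host.split(".")[:-1]:  # every label except the TLD
            if label == brand:
                return legit, "brand name on a domain outside the watch list"
            if skeleton(label) == skeleton(brand):
                return legit, "look-alike character substitution"
            if len(brand) >= 8 and osa_distance(label, brand) <= 2:
                return legit, "small edit distance"
    return None

if __name__ == "__main__":
    # First sample is from the text; the others are constructed for illustration.
    for d in ["washinqtonpost[.]press", "econornist[.]com", "www.washingtonpost.com"]:
        print(d, "->", check(d))
```

Short brand labels such as "jpost" are matched only exactly or by substitution, because a distance threshold on five characters would flag many unrelated domains.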