Divergences in APT42 Targets Signal New Intelligence Requirements from Iran
Category: Threat Actor Activity | Industries: Aerospace, Education, Real Estate, Research - Medical, Travel | Level: Strategic | Source: Proofpoint
Proofpoint researchers noticed a recent change in the victimology and tactics, techniques, and procedures (TTPs) of the cyberespionage group APT42 (aka Phosphorus, Charming Kitten, and TA453). "A hallmark of TA453’s email campaigns is that they almost always target academics, researchers, diplomats, dissidents, journalists, human rights workers, and use web beacons in the message bodies before eventually attempting to harvest a target’s credentials." APT42's operations are aligned with Iran’s Islamic Revolutionary Guard Corps (IRGC), so deviations in its attacks signal new intelligence requirements from the IRGC. Newly targeted verticals include medical researchers, aerospace engineers, realtors, and members of travel agencies.
Historically, APT42 operators would carefully build rapport with a target, often fostering the relationship for weeks before sending a credential-harvesting phishing link. The newer activity adds compromised credentials, malware backdoors, and hostile phishing lures to their arsenal. "Proofpoint judges with moderate confidence that the more aggressive activity could represent collaboration with another branch of the Iranian state, including the IRGC Quds Force." The deployed backdoor is the PowerShell backdoor GhostEcho/CharmPower, which is "used to deliver follow-on espionage-focused capabilities" according to research from Check Point. An assessment of APT42's outlier campaigns suggests the intelligence collected will support the IRGC's economic goals in addition to potentially hostile and kinetic operations.
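As a defender-side illustration of the "web beacons in the message bodies" hallmark quoted above, the following added Python example (not Proofpoint's or Check Point's code) flags remote images in an HTML email body that behave like tracking pixels: tiny or hidden, or off-domain and carrying a per-recipient token. The sender domain, hostnames and sample message are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")  # long opaque per-recipient token

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # one dict of lower-cased attributes per <img>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

def _has_opaque_token(url):
    parts = urlparse(url)
    values = [parts.path.rsplit("/", 1)[-1].split(".")[0]]
    values += [v for vs in parse_qs(parts.query).values() for v in vs]
    return any(TOKEN_RE.match(v) for v in values)

def find_web_beacons(html_body, sender_domain):
    """Return (src, reasons) for each remotely fetched <img> that looks like a beacon."""
    parser = _ImgCollector()
    parser.feed(html_body)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue  # cid:/data: images are not fetched from a server on open
        tiny = _is_tiny(img.get("width")) or _is_tiny(img.get("height"))
        hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
        external = host != sender_domain and not host.endswith("." + sender_domain)
        tokened = _has_opaque_token(src)
        # Tiny or hidden alone is a beacon; a normal image needs both off-domain host and token.
        if tiny or hidden or (external and tokened):
            checks = (("1px image", tiny), ("hidden image", hidden),
                      ("external host " + host, external), ("opaque token", tokened))
            findings.append((src, [name for name, hit in checks if hit]))
    return findings

# Constructed sample body: a legitimate logo, an inline attachment and one tracking pixel.
SAMPLE_BODY = """<p>Dear Professor, I read your recent paper and would value your view ...</p>
<img src="https://mail.example-university.edu/img/logo.png" width="120" height="40">
<img src="cid:signature@example-university.edu">
<img src="https://cdn.tracker-example.net/o/aGVsbG8td29ybGQtdHJhY2s.gif" width="1" height="1" alt="">"""
```

Run against a message's HTML part before images are fetched; a hit is a reason to block remote content for that sender and to expect a credential-harvesting follow-up.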