Proofpoint APT threat researchers have observed #TA453 (AKA Charming Kitten) using new tactics and tools to complicate detection efforts and conduct cyber espionage operations against its targets of interest. #CharmingKitten #APT42 https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware?utm_source=twitter&utm_medium=social&utm_source=social_organic&utm_social_network=twitter&utm_campaign=threat_research&utm_post_id=381f2172-cb7f-4d7a-bc5f-f4e2eeee72cb
What happens when a TA's consistent TTPs change? Today we (#CristaNeedsAMastadon and I) released a blog detailing examples of weird and wacky techniques and targeting from #TA453.
https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations
With the current situation (#MahsaAmini) in Iran, I think it's important to note that the Government of Iran (GOI) has had an intelligence interest in Gender Studies and Women's Rights experts since AT LEAST 2021.
If we want to see how high they rank in interest, we just need to look at how they likely deployed the same malware (GhostEcho/CharmPower) against some of those researchers and activists that they did against Foreign Government embassy personnel.
When we pivot to look at Samantha, you see a persona that's targeted MENA energy, a US based academic that's an Iranian HVT, and senior US & European government officials, all using confrontational lures not typically seen from TA453.
Is this an actor gone rogue, willing to do anything to successfully phish at any cost? Maybe. Is it the intern or conscriptee just trying to meet a quota?
We don't know but it's definitely interesting to track.
We talked about confrontational conversational phishing, but nothing really says confrontational like compromising multiple email accounts just to deliver a JPEG of intimidation to a target. That, along with the compromise of a close affiliate of one of the former officials targeted in the IRGC Murder For Hire plot, leads us to believe that a subset of TA453 activity is more aggressive than we've seen historically.
Please go read it! Let us know what you think. #APT #Iran #IRGC #APT42 #Phosphorus #charmingKitten
Journalist Pierre Alonso from Liberation was one of the targets we identified as part of the #APT42 #CharmingKitten campaign. Check out his 🧵 where he shares the attackers' WhatsApp messages and provides more context on why he might have been targeted.
https://twitter.com/pierre_alonso/status/1600406879967903744
Iran APT42 hacking group targets journalists, activists in phishing campaign https://www.cybercareers.blog/2022/12/iran-apt42-hacking-group-targets-journalists-activists-in-phishing-campaign/
#Iran #APT42 #hacking #phishing #cyber #cybersecurity #infosec
RT @AbirGhattas@twitter.com
#ICYMI - #Iran state-backed actor #APT42 targeted & compromised journos, activists and politicians in the #MENA region. Our technical analysis explains what they did after compromise and also reveals inadequacies in @Google@twitter.com's security protections to safeguard its users' data. https://twitter.com/AbirGhattas/status/1599668476259377152
🐦🔗: https://twitter.com/AbirGhattas/status/1600089265978818560
Attacks against journalists and human rights activists (#Journalist:innen, #Menschenrechtsaktivist:innen).
Presumably on behalf of the Iranian Revolutionary Guards, hackers attacked and spied on more than 20 journalists and NGO staff. In doing so, they were also able to obtain sensitive data. ...
#hackergruppe #apt42 #journalist #menschenrechtsaktivist
#HRW and #Amnesty investigation reveals #Iran gov't backed hackers have targeted activists, journalists, & researchers working on Middle East issues with phishing attacks.
@humanrightswatch infosec team attributes this campaign to state-backed threat actor #APT42.
I spent the past couple of weeks with @tek and @donncha investigating an ongoing social engineering and phishing campaign that impersonated a think tank based in #Lebanon to trick its targets and invite them to a summit.
2 HRW staff were targeted, and after investigating the infrastructure used, we found 18 other targets. At least 3 targets were successfully compromised by #APT42.
Read the full report and the technical analysis on HRW's website
https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians
Recorded Future published a report on a #phishing and follow-on credential theft attack highly likely led by an #Iran nexus threat activity group targeted against the US-based Washington Institute think tank. While we track this group under the temporary designator TAG56, it depicts many of the known TTPs associated with #APT42 and has overlaps in victimology: https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank