December 5, 2022 12:00AM EST
Iran: State-Backed Hacking of Activists, Journalists, Politicians
Ongoing Phishing Campaign Imperils Independent Groups
Google apps are displayed on a smartphone. © 2022 Onur Dogman / SOPA Images/Sipa USA
(Beirut) – Hackers backed by the Iranian government have targeted two Human Rights Watch staff members and at least 18 other high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East issues in an ongoing social engineering and credential phishing campaign, Human Rights Watch said today.
An investigation by Human Rights Watch attributed the phishing attack to an entity affiliated with the Iranian government known as APT42 and sometimes referred to as Charming Kitten. The technical analysis conducted jointly by Human Rights Watch and Amnesty International’s Security Lab identified 18 additional victims who have been targeted as part of the same campaign. The email and other sensitive data of at least three of them had been compromised: a correspondent for a major US newspaper, a women’s rights defender based in the Gulf region, and Nicholas Noe, an advocacy consultant for Refugees International based in Lebanon.
“Iran’s state-backed hackers are aggressively using sophisticated social engineering and credential harvesting tactics to access sensitive information and contacts held by Middle East-focused researchers and civil society groups,” said Abir Ghattas, information security director at Human Rights Watch. “This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region.”
For the three people whose accounts were known to be compromised, the attackers gained access to their emails, cloud storage drives, calendars, and contacts and also performed a Google Takeout, using a service that exports data from the core and additional services of a Google account.
Various security companies have reported on phishing campaigns by APT42 targeting Middle East-focused researchers, civil society groups, and dissidents. Most of them identify APT42 based on targeting patterns and technical evidence. Organizations such as Google and the cybersecurity companies Recorded Future, Proofpoint, and Mandiant have linked APT42 to Iranian authorities. Identifying and naming a threat actor helps researchers to identify, track, and link hostile cyber activity.
In October 2022, a Human Rights Watch staff member working on the Middle East and North Africa region received suspicious messages on WhatsApp from a person pretending to work for a think tank based in Lebanon, inviting them to a conference. The joint investigation revealed that the phishing links sent via WhatsApp, once clicked, directed the target to a fake login page that captured the user’s email password and authentication code. The research team investigated the infrastructure that hosted the malicious links and identified additional targets of this ongoing campaign.
Human Rights Watch and Amnesty International contacted the 18 high-profile individuals identified as targets of this campaign. Fifteen of them responded and confirmed that they had received the same WhatsApp messages at some point between September 15 and November 25, 2022.
On November 23, 2022, a second Human Rights Watch staff member was also targeted. They received the same WhatsApp messages from the same number that contacted other targets.
Social engineering and phishing attempts remain key components of Iranian cyberattacks. Since 2010, Iranian operators have targeted members of foreign governments, militaries, and businesses, as well as political dissidents and human rights defenders. Over time, these attacks have become more sophisticated in the ways they execute what is known as “social engineering.”
According to Mandiant, a US-based cybersecurity company, APT42 has been responsible for several phishing attacks in Europe, the US, and the Middle East and North Africa region. On September 14, 2022, the US Office of Foreign Assets Control at the Treasury Department imposed sanctions on individuals affiliated with the group.
The investigation also revealed inadequacies in Google’s security protections to safeguard its users’ data. Individuals successfully targeted by the phishing attack told Human Rights Watch that they did not realize their Gmail accounts had been compromised or a Google Takeout had been initiated, in part because Google surfaces these security warnings only on the account’s security activity page: it neither places a persistent notification in the user’s inbox nor sends a push notification to the Gmail app on their phone.
Google’s security activity revealed that the attackers accessed the targets’ accounts almost immediately after the compromise, and they maintained access to the accounts until the Human Rights Watch and Amnesty International research team informed them and assisted them in removing the attacker’s connected device.
Google should promptly strengthen its Gmail account security warnings to better protect journalists, human rights defenders, and its most at-risk users from attacks, Human Rights Watch said.
“In a Middle East region rife with surveillance threats for activists, it's essential for digital security researchers to not only publish and promote findings, but also prioritize the protection of the region's embattled activists, journalists, and civil society leaders,” Ghattas said.
Technical Analysis of the Phishing Campaign
On October 18, 2022, a Human Rights Watch staff member working on the Middle East and North Africa region received a message on WhatsApp that claimed to be from a Lebanon-based think tank and invited the recipient to a conference. The invitation used the same format as previous invitations from the think tank, indicating a sophisticated level of social engineering. The person impersonated by the threat actor group APT42 in the WhatsApp messages previously worked for the think tank.
The Human Rights Watch staff member forwarded these messages to the information security team, which confirmed they were a phishing attempt. If the person had clicked on the cutly[.]biz link, they would have been redirected to the URL https://sharefilesonline[.]live/xxxxxx/BI-File-2022.html, which hosted a fake Microsoft login page.
Screenshot of the fake login page hosted on sharefilesonline[.]live (October 2022).
The cutly[.]biz domain is a custom URL shortener deployed and managed by the attacker’s group, designed to mimic the name of the legitimate URL shortener cutt.ly.
The phishing link sent to the Human Rights Watch staff member included a random five-character path drawn from lowercase letters and digits, which represents around 6 million combinations, a space small enough to enumerate every existing path on the attacker’s infrastructure and find other live links. This enumeration led to the discovery of 44 valid URLs, many of which redirected to a phishing page that displayed the email address of the target. The phishing pages were specifically crafted to mimic Microsoft, Google, or Yahoo login pages.
Screenshot of a phishing page imitating the Yahoo login page (October 2022).
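The two attacker domains named above, cutly[.]biz and sharefilesonline[.]live, are the kind of indicator a security team sweeps its own message archives or proxy logs for after a report like this. The following Go program is an added example, not code from Human Rights Watch or Amnesty International: it refangs the indicators, extracts URL-like tokens from free text, and matches hosts by exact or subdomain comparison so that the look-alike cutly.biz is flagged while the legitimate shortener cutt.ly is not. The chat texts it scans are constructed for the example; none is a real captured message.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Indicators are the two attacker domains named in the report, kept defanged the
// way analysts share them; Refang restores them before matching.
var Indicators = []string{"cutly[.]biz", "sharefilesonline[.]live"}

// Refang undoes the common defanging conventions ("[.]", "(.)", "hxxp").
func Refang(s string) string {
	r := strings.NewReplacer("[.]", ".", "(.)", ".", "hxxp", "http")
	return strings.ToLower(r.Replace(s))
}

// Host returns the lowercase hostname of a URL; a missing scheme is tolerated.
func Host(raw string) string {
	if !strings.Contains(raw, "://") {
		raw = "http://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// MatchesIndicator is true when host is the indicator domain or a subdomain of it.
// Exact/suffix comparison keeps the look-alike cutly.biz apart from cutt.ly.
func MatchesIndicator(host, indicator string) bool {
	ind := Refang(indicator)
	return host == ind || strings.HasSuffix(host, "."+ind)
}

// urlPattern finds URL-like tokens in free text: optional scheme, a dotted host
// ending in a TLD of at least two letters, and an optional path.
var urlPattern = regexp.MustCompile(`(?i)\b(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?`)

// Hit records a message that linked to known attacker infrastructure.
type Hit struct {
	Message   int    // index into the scanned slice
	URL       string // the URL as it appeared in the message
	Indicator string // the (defanged) indicator it matched
}

// ScanMessages returns one Hit per URL in messages whose host matches an indicator.
func ScanMessages(messages, indicators []string) []Hit {
	var hits []Hit
	for i, m := range messages {
		for _, u := range urlPattern.FindAllString(m, -1) {
			h := Host(u)
			for _, ind := range indicators {
				if MatchesIndicator(h, ind) {
					hits = append(hits, Hit{Message: i, URL: u, Indicator: ind})
				}
			}
		}
	}
	return hits
}

// SampleMessages are constructed chat texts modelled on the lure described in the
// report; the docs. subdomain is invented to show subdomain matching.
var SampleMessages = []string{
	"Dear colleague, please find the conference agenda here: https://cutly.biz/a1b2c",
	"Our latest report is online at https://www.hrw.org/ and on cutt.ly/abc12",
	"The briefing file: https://sharefilesonline.live/xxxxxx/BI-File-2022.html",
	"Reminder: the registration link https://docs.cutly.biz/zz9yy expires today",
	"See you at 10am tomorrow, room 204.",
}

func main() {
	for _, h := range ScanMessages(SampleMessages, Indicators) {
		fmt.Printf("message %d: %s matches %s\n", h.Message, h.URL, h.Indicator)
	}
}
```

Run with `go run .`; three of the five constructed messages are flagged, and the one that uses the genuine cutt.ly shortener is not.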
Further investigation showed that the phishing kit allowed the bypass of multi-factor authentication methods other than a hardware security key. Multi-factor authentication (MFA), often called two-factor authentication, or 2FA, requires a second means of authentication in addition to a password. Common second factors include a temporary code delivered by SMS, a temporary code generated by a smartphone application (such as FreeOTP or Google Authenticator), and a cryptographic response from a hardware security key (such as a YubiKey or Solo Key). Through different technical means, it is possible to create phishing toolkits that bypass MFA when the temporary code is delivered by SMS or by a smartphone application, because such a code can be typed into any page and relayed to the real service. It is not possible at present for a phishing kit to bypass multi-factor authentication using hardware keys, whose response is bound to the website that requested it.
The WhatsApp chats of those who were known to be successfully targeted reveal that the attackers were repeatedly engaging with the targets as they clicked through the phishing links. After entering their credentials on the phishing page, targets were prompted to enter a code on the 2FA bypass page, which the attackers used to gain access to their email accounts. Phishing kits with MFA bypass features have been common since at least 2018, and Amnesty International’s Security Lab has documented multiple uses of such kits against human rights defenders in 2018 and 2020.
Screenshot of the multi-factor authentication bypass page (October 2022).
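The two preceding paragraphs state that a relayed one-time code defeats SMS and app-based MFA while a hardware security key resists the same relay. The Go program below is an added example illustrating why, not code from the report or from the research teams: it implements RFC 6238 TOTP as a service would verify it, and a simplified WebAuthn assertion in which the browser records the origin of the page that requested the login and the key signs over that record. A TOTP code relayed within its time window is accepted; a key assertion produced on the phishing page fails the relying party's origin check even though the challenge was relayed and the signature is valid. The service origin `accounts.example.com`, the fixed challenge and the use of the report's sharefilesonline.live domain as the phishing origin are constructed values, and the authenticatorData field is a zeroed stand-in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// TOTP returns the six-digit RFC 6238 code for a shared secret at a 30-second
// time step: the "temporary code from a smartphone app" factor.
func TOTP(secret []byte, step uint64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// TOTPServerAccepts is all a service can check: does the code match the secret at
// this time step? The code says nothing about the page it was typed into, so a
// code relayed by a phishing site within the window looks exactly like a real one.
func TOTPServerAccepts(secret []byte, step uint64, submitted string) bool {
	return hmac.Equal([]byte(TOTP(secret, step)), []byte(submitted))
}

// ClientData is the context a security key signs over; the browser, not the page
// or the user, fills in the origin of the site that requested the login.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authData is a constructed, zeroed stand-in for WebAuthn authenticatorData
// (rpIdHash || flags || counter); it plays no part in the origin check shown here.
var authData = make([]byte, 37)

// signedMessage is what both sides hash: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign plays the security key: it signs whatever origin the browser recorded.
func Sign(priv *ecdsa.PrivateKey, origin, challenge string) ([]byte, []byte) {
	cdJSON, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(cdJSON))
	if err != nil {
		panic(err) // only a failure of rand.Reader can land here
	}
	return cdJSON, sig
}

// Verify plays the relying party: the recorded origin must be its own origin
// before the signature is even considered.
func Verify(pub *ecdsa.PublicKey, cdJSON, sig []byte, wantOrigin, wantChallenge string) (bool, string) {
	var cd ClientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != wantChallenge {
		return false, "malformed clientDataJSON, wrong type or challenge mismatch"
	}
	if cd.Origin != wantOrigin {
		return false, "origin mismatch: " + cd.Origin
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(cdJSON), sig) {
		return false, "bad signature"
	}
	return true, "ok"
}

// Constructed values: the service's origin, the phishing origin (domain from the report), a fixed challenge.
const (
	RPOrigin    = "https://accounts.example.com"
	PhishOrigin = "https://sharefilesonline.live"
	Challenge   = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"
)

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	secret := []byte("12345678901234567890") // RFC 6238 test secret (constructed input)
	fmt.Println("relayed TOTP accepted:", TOTPServerAccepts(secret, 1, TOTP(secret, 1)))
	cd, sig := Sign(priv, RPOrigin, Challenge)
	ok, why := Verify(&priv.PublicKey, cd, sig, RPOrigin, Challenge)
	fmt.Println("key used on the real site:", ok, why)
	cd, sig = Sign(priv, PhishOrigin, Challenge) // same challenge, relayed by the phishing page
	ok, why = Verify(&priv.PublicKey, cd, sig, RPOrigin, Challenge)
	fmt.Println("key used on the phishing site:", ok, why)
}
```

A real browser would additionally derive the RP ID from the phishing domain, so the rpIdHash inside authenticatorData would also fail to match; the origin comparison alone is enough to show why the report singles out hardware keys.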
Targeting of Journalists and Human Rights Defenders by APT42
In addition to the two Human Rights Watch staff members, Human Rights Watch and Amnesty International identified 18 other email accounts targeted as part of the same campaign, including six journalists.
Human Rights Watch and Amnesty International contacted all of the individuals and 15 responded. They confirmed they were all targeted with the exact same social engineering approach during the period between September 15 and November 25, 2022. Out of the 20 targets, at least three had been compromised by the threat actor. Confirming the compromise led the research team to additional information about the data exfiltration process. Human Rights Watch also supported the journalists by disconnecting the attackers from their accounts and re-securing them.
The compromise gave the attackers access to the targets’ emails, cloud storage drives, calendars, and contacts. In at least one case, the attacker synced the target’s mailbox and performed a Google Takeout, a service that exports all of an account’s activity and information including web searches, payments, travel and locations, ads clicked on, YouTube activity, and additional account information. It is the most comprehensive and intrusive method to export data in a Google account.
Google’s security activity revealed that the attackers had accessed the targets’ accounts almost immediately after the compromise and that they had access for about five days until Human Rights Watch informed the targets and helped remove the attacker’s connected device.
Human Rights Watch