APT42 is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. We confidently estimate that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)’s Intelligence Organization (IRGC-IO) based on targeting patterns that align with the organization’s operational mandates and priorities.
The full published report covers APT42’s recent and historical activity dating back to at least 2015, the group’s tactics, techniques, procedures, targeting patterns, and elucidates historical connections to APT35. APT42 partially coincides with public reporting on TA453 (Proofpoint), Yellow Garuda (PwC), ITG18 (IBM X-Force), Phosphorus (Microsoft), and Charming Kitten (ClearSky and CERTFA).
APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with its victims. These techniques allow APT42 to access their personal or corporate email accounts or install Android malware on their mobile devices. In addition, APT42 infrequently uses Windows malware to complement its credential harvesting and surveillance efforts.
APT42 operations broadly fall into three categories:
Credential harvesting: APT42 frequently targets corporate and personal email accounts through highly targeted spear-phishing campaigns emphasizing building trust and rapport with the target before attempting to steal their credentials. Mandiant also has indications that the group leverages credential harvesting to collect Multi-Factor Authentication (MFA) codes to bypass authentication methods and has used compromised credentials to pursue access to the networks, devices, and accounts of employers, colleagues, and relatives of the initial victim.
Surveillance operations: As of at least late 2015, a subset of APT42’s infrastructure served as command-and-control (C2) servers for Android mobile malware designed to track locations, monitor communications, and generally surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran.
Malware deployment: While APT42 primarily prefers credential harvesting over on-disk activity, several custom backdoors and lightweight tools complement its arsenal. The group likely incorporates these tools into its operations when the objectives extend beyond credential harvesting.
Since early 2015, Mandiant has observed over 30 confirmed targeted APT42 operations spanning these categories. The total number of APT42 intrusion operations is almost certainly much higher based on the group’s high operational tempo, visibility gaps caused partly by the group’s targeting of personal email accounts and domestically focused efforts, and extensive open-source industry reporting on threat clusters likely associated with APT42.
The targeting patterns for APT42 operations are similar to those of other Iranian cyber espionage actors, with a large segment of its activity focused on the Middle East region. However, unlike other suspected IRGC-affiliated cyber espionage groups that have focused on targeting the defense industrial base or conducting large-scale collection of personally identifiable information (PII), APT42 primarily targets organizations and individuals deemed opponents or enemies of the regime, explicitly gaining access to their personal accounts and mobile devices. The group has consistently targeted Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials, and the Iranian diaspora abroad.
Some APT42 activity indicates the group alters its operational focus as Iran’s priorities evolve, including targeted operations against the pharmaceutical sector at the onset of the COVID-19 pandemic in March 2020 and the pursuit of domestic and foreign-based opposition groups before an Iranian presidential election. This indicates that APT42 is trusted by the Iranian government to react quickly to geopolitical changes by adjusting its flexible operations to targets of operational interest to Tehran.
Mandiant further highlights open-source reporting from Microsoft claiming a connection between intrusion activity clusters that generally align with APT42 and UNC2448, an Iran-nexus threat actor known for widespread scanning for various vulnerabilities, the use of the Fast Reverse Proxy tool, and reported ransomware activity using BitLocker. Notably, Mandiant has yet to observe technical overlaps between APT42 and UNC2448.
In November 2021, Microsoft reported that “Phosphorus” had targeted Fortinet FortiOS SSL VPN and unpatched on-premises Exchange servers globally with the intent of deploying ransomware such as BitLocker on vulnerable networks, aligning with activity we track as UNC2448. The previous reporting on Phosphorus generally aligned with APT42’s credential harvesting and spear-phishing operations.
While Mandiant has not observed technical overlaps between APT42 and UNC2448, the latter may also have ties to the IRGC-IO. We confidently assess that UNC2448 and the Revengers Telegram persona are operated by at least two Iranian front companies, Najee Technology and Afkar System, based on open-source information and operational security lapses by the threat actors. Public leaking campaigns from the Lab Dookhtegan Telegram account further allege these companies are responsible for threat activity aligned with UNC2448 and operate on behalf of the IRGC-IO.
APT42 activity poses a threat to foreign policy officials, commentators, and journalists, particularly those in the United States, the United Kingdom, and Israel, working on Iran-related projects. Additionally, the group’s surveillance activity highlights the real-world risk to individual targets of APT42 operations, which include Iranian dual-nationals, former government officials, and dissidents both inside Iran and those who previously left the country, often out of fear for their safety.
We do not anticipate significant changes to APT42’s operational tactics and mandate, given the long history of activity and imperviousness to infrastructure takedowns and a media spotlight on operational security failures. Nevertheless, the group has displayed its ability to rapidly alter its operational focus as Iran’s priorities change with evolving domestic and geopolitical conditions. We confidently assess that APT42 will continue to perform cyber espionage and surveillance operations aligned with evolving Iranian operational intelligence collection requirements.