Ongoing phishing campaign threatens independent groups in the region.
This statement was originally published on hrw.org on 5 December 2022.
Ongoing phishing campaign imperils independent groups
Hackers backed by the Iranian government have targeted two Human Rights Watch staff members and at least 18 other high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East issues in an ongoing social engineering and credential phishing campaign, Human Rights Watch said today.
An investigation by Human Rights Watch attributed the phishing attack to an entity affiliated with the Iranian government known as APT42 and sometimes referred to as Charming Kitten. The technical analysis conducted jointly by Human Rights Watch and Amnesty International’s Security Lab identified 18 additional victims who have been targeted as part of the same campaign. The email and other sensitive data of at least three of them had been compromised: a correspondent for a major US newspaper, a women’s rights defender based in the Gulf region, and Nicholas Noe, an advocacy consultant for Refugees International based in Lebanon.
“Iran’s state-backed hackers are aggressively using sophisticated social engineering and credential harvesting tactics to access sensitive information and contacts held by Middle East-focused researchers and civil society groups,” said Abir Ghattas, information security director at Human Rights Watch. “This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region.”
For the three people whose accounts were known to be compromised, the attackers gained access to their emails, cloud storage drives, calendars, and contacts and also performed a Google Takeout, using a service that exports data from the core and additional services of a Google account.
Various security companies have reported on phishing campaigns by APT42 targeting Middle East-focused researchers, civil society groups, and dissidents. Most of them identify APT42 based on targeting patterns and technical evidence. Organizations such as Google and the cybersecurity companies Recorded Future, Proofpoint, and Mandiant have linked APT42 to Iranian authorities. Identifying and naming a threat actor helps researchers to identify, track, and link hostile cyber activity.
In October 2022, a Human Rights Watch staff member working on the Middle East and North Africa region received suspicious messages on WhatsApp from a person pretending to work for a think tank based in Lebanon, inviting them to a conference. The joint investigation revealed that the phishing links sent via WhatsApp, once clicked, directed the target to a fake login page that captured the user’s email password and authentication code. The research team investigated the infrastructure that hosted the malicious links and identified additional targets of this ongoing campaign.
Human Rights Watch and Amnesty International contacted the 18 high profile individuals identified as targets of this campaign. Fifteen of them responded and confirmed that they had received the same WhatsApp messages at some point between September 15 and November 25, 2022.
On November 23, 2022, a second Human Rights Watch staff member was also targeted. They received the same WhatsApp messages from the same number that contacted other targets.
Social engineering and phishing attempts remain key components of Iranian cyberattacks. Since 2010, Iranian operators have targeted members of foreign governments, militaries, and businesses, as well as political dissidents and human rights defenders. Over time, these attacks have become more sophisticated in the ways they execute what is known as “social engineering.”
According to Mandiant, a US-based cybersecurity company, APT42 has been responsible for several phishing attacks in Europe, the US, and the Middle East and North Africa region. On September 14, 2022, the US Office of Foreign Assent Control at the Treasury Department imposed sanctions on individuals affiliated with the group.
The investigation also revealed inadequacies in Google’s security protections to safeguard its users’ data. Individuals successfully targeted by the phishing attack told Human Rights Watch that they did not realize their Gmail accounts had been compromised or a Google Takeout had been initiated, in part because the security warnings under Google’s account activity do not push or display any permanent notification in a user’s inbox or send a push message to the Gmail app on their phone.
Google’s security activity revealed that the attackers accessed the targets’ accounts almost immediately after the compromise, and they maintained access to the accounts until the Human Rights Watch and Amnesty International research team informed them and assisted them in removing the attacker’s connected device.
Google should promptly strengthen its Gmail account security warnings to better protect journalists, human rights defenders, and its most at-risk users from attacks, Human Rights Watch said.
“In a Middle East region rife with surveillance threats for activists, it’s essential for digital security researchers to not only publish and promote findings, but also prioritize the protection of the region’s embattled activists, journalists, and civil society leaders,” Ghattas said.
Technical Analysis of the Phishing Campaign
On October 18, 2022, a Human Rights Watch staff member working on the Middle East and North Africa region received a message on WhatsApp that claimed to be from a Lebanon-based think tank and invited the recipient to a conference. The invitation used the same format as previous invitations from the think tank, indicating a sophisticated level of social engineering. The person impersonated by the threat actor group APT42 in the WhatsApp messages previously worked for the think tank.
The Human Rights Watch staff member forwarded these messages to the information security team, which confirmed they were a phishing attempt. If the person had clicked on the cutly[.]biz link, they would have been redirected to the URL https://sharefilesonline[.]live/xxxxxx/BI-File-2022.html which hosts a fake Microsoft login page.
