Iran-backed hackers linked to espionage campaign targeting journalists and activists

Hackers backed by the Iranian government targeted human rights activists, journalists, diplomats and politicians working in the Middle East during an ongoing social engineering and credential phishing campaign, according to Human Rights Watch.

In an analysis published on Monday, Human Rights Watch said it had attributed the espionage campaign to APT42, an Iran-backed hacking group first identified by cybersecurity firm Mandiant in September. Mandiant said APT42 -- also referred to as TA453, Phosphorus and Charming Kitten -- supports Iran’s Islamic Revolutionary Guard Corps intelligence collection efforts and has launched nore than 30 confirmed operations against various nonprofit, education and government targets globally since 2015.

Human Rights Watch said it first became aware of APT42’s latest espionage campaign after one of its employees received suspicious messages on WhatsApp from someone pretending to work for a think tank based in Lebanon. The advocacy group found that a link included in the message directed the target to a fake login page that captured their email password and multi-factor authentication code.

In its analysis, conducted alongside Amnesty International’s Security Lab, Human Rights Watch identified 18 additional victims who had been targeted as part of the same campaign, and 15 of these targets confirmed that they had received the same WhatsApp messages between September 15 and November 25. On November 23, a second Human Rights Watch staff member received the same WhatsApp messages from the same number that contacted other targets.

For the three people whose accounts were known to be compromised -- a correspondent for a major U.S. newspaper, a women’s rights defender based in the Gulf region and an advocacy consultant for Refugees International based in Lebanon -- the attackers gained access to emails, cloud storage drives, contacts and calendars. In at least one case, the attackers also performed a Google Takeout, a service that exports all of an account’s activity and information, including web searches, payments, travel and locations, ads clicked on, YouTube activity and additional account information.

“Iran’s state-backed hackers are aggressively using sophisticated social engineering and credential harvesting tactics to access sensitive information and contacts held by Middle East-focused researchers and civil society groups,” said Abir Ghattas, information security director at Human Rights Watch. “This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region.”

In light of its investigation, Human Rights Watch is calling on Google to strengthen its Gmail account security warnings to protect better its most at-risk users, including journalists and human rights defenders, after it uncovered “inadequacies” in Google’s security protections.

“Individuals successfully targeted by the phishing attack told Human Rights Watch that they did not realize their Gmail accounts had been compromised or a Google Takeout had been initiated, in part because the security warnings under Google’s account activity do not push or display any permanent notification in a user’s inbox or send a push message to the Gmail app on their phone,” Human Rights Watch said in its analysis.

"Google’s security activity revealed that the attackers accessed the targets’ accounts almost immediately after the compromise, and they maintained access to the accounts until the Human Rights Watch and Amnesty International research team informed them and assisted them in removing the attacker’s connected device."

Google spokesperson Kimberly Samra told TechCrunch that Google implements protections for high-risk users so their Google accounts are “protected against threats against Google services, or on other platforms as seen in this case."

“Some of these protections include our Advanced Protection Program (APP) and 2-Step Verification (2SV) auto enrollments,” Samra said. “Google also remains committed to threat collaboration and sharing our ongoing research to raise awareness on bad actors across the industry, as it helps to more quickly respond to attacks and protect online users.”