If you’re holding important data, Iran is probably trying spearphish it

September 30, 2024 TH Author

US and UK national security agencies are jointly warning about Iranian spearphishing campaigns, which remain an ongoing threat to various industries and governments.

A security advisory published late on Friday says that high-value individuals are being targeted with social engineering attempts to harvest credentials for their personal accounts.

If successful, the attackers rummage around whatever service they’ve gained access to in search of data which the Islamic Revolutionary Guard Corps (IRGC) can use in follow-on information operations.

Government officials, journalists, activists, and senior think tank researchers are among those considered to be at acute risk of being targeted, although the tactics on display aren’t particularly novel.

Attacks often involve the impersonation of known contacts of the target, including colleagues, trusted organizations such as email service providers, or even friends and family members.

They may attempt to play off a target’s ego, impersonating journalists or conferences, inviting them for interviews and to give major public addresses, for example.

“The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials,” the advisory [PDF] reads.

“Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors. Victims sometimes gain access to the document but may receive a login error.”

Likely Iranian targets are encouraged to keep an eye out for the usual signs of compromise, such as rogue account sign-ins from foreign IP addresses, email forwarding rules, unknown device connections to accounts, and the like.

For defenders, the advisory is chock-full of indicators of compromise and known malicious domains used by the IRGC to add to their block lists.

The usual advice applies: Be wary of unsolicited offers via email and messaging apps, be extra cautious when determining the source of an email and its content, don’t click on links that are even slightly suspicious, and don’t download files from file-sharing sites unless you’re absolutely certain the link is legit. Basic stuff, really.

Paul Chichester, operations director at the UK’s National Cyber Security Centre (NCSC), which co-drafted the advisory, said: “The spearphishing attacks undertaken by actors working on behalf of the Iranian government pose a persistent threat to individuals with a connection to Iranian and Middle Eastern affairs.

“With our allies, we will continue to call out this malicious activity, which puts individuals’ personal and business accounts at risk, so they can take action to reduce their chances of falling victim.

“I strongly encourage those at higher risk to stay vigilant to suspicious contact and to take advantage of the NCSC’s free cyber defense tools to help protect themselves from compromise.”

Spotlight on Iran

All of this information was released around the same time on Friday that the Department of Justice (DoJ) confirmed the indictment of three Iranian nationals over their alleged roles in the IRGC’s digital break-in at Donald Trump’s 2024 re-election campaign.

Can you guess how they got in?

After “several years” of attacking US government officials, the trio allegedly got their hands on key Trump 2024 documents back in May by socially engineering and spearphishing their way into the personal inboxes of campaign workers.

Court documents don’t name anyone specifically, but we know among the compromised campaign workers were one attorney, a former Department of State and Trump advisor, a one-time political consultant, and two current Trump campaign officials.

Iran has cemented itself as a core threat in cyberspace during the past year as Western intelligence agencies ramped up messaging around the threat the country presents, and shared details on more incidents its cyberspies allegedly caused.

From attacks on US water facilities to various incidents of targeting US government officials during an election year, it’s clear from the intel being shared by governments that Iran is just as serious a threat as Russia or China.

China is routinely referred to as the current epoch-defining threat by intelligence officials. Meanwhile, experts have pinpointed Russia and Iran as posing the greatest threat to elections in 2024, of which there will be more than 50 across the world this year.

One former Air Force intelligence analyst told The Register in May that she believed Iran was the most likely culprit behind a destructive cyberattack against the Municipal Water Authority of Aliquippa which occured at the end of last year. ®