August 19, 2024
Severity
High
Analysis Summary
A threat group affiliated with Iran and tracked as APT42 has launched new attacks against email accounts connected to the US presidential election, as well as against prominent military and political targets in Israel.
The activity is described as retaliation for Israel's ongoing military campaign in Gaza and US support for it. It consists mainly of socially engineered phishing and is expected to continue as regional tensions grow. Google's Threat Analysis Group (TAG) identified and blocked several attempts by APT42, also known as Charming Kitten, to access the personal email accounts of roughly a dozen people associated with President Biden and former President Trump, including current and former US government officials and people connected to the respective campaigns.
The group is also persistently attempting to breach the personal accounts of people associated with Vice President Kamala Harris and related parties, including campaign and government personnel. The disclosure coincides with reports that a Telegram bot service called "IntelFetch" has been aggregating compromised credentials linked to the Democratic Party and DNC websites.
Beyond the election-related activity, researchers have tracked multiple phishing campaigns aimed at Israeli military and political targets, including individuals tied to the defense industry, academics, NGOs, and diplomats; these campaigns have grown sharply since April. Google recently removed several Google Sites pages the group had set up to impersonate a petition from the Jewish Agency for Israel, urging the Israeli government to negotiate an end to the conflict.
APT42 also abused Google Sites in an April phishing campaign against civil society, academia, and Israeli military, defense, and diplomatic targets: posing as a journalist, the group emailed an aerospace executive and former senior Israeli military officials requesting comment on recent airstrikes. Over the past six months Google has blocked more than 50 similar attempts by the group to abuse Google Sites.
One such campaign used a phishing lure containing an attacker-controlled Google Sites link that redirected the victim to a fake Google Meet landing page; other lures impersonated OneDrive, Dropbox, and Skype. The variety of social engineering pretexts APT42 employs reflects its geopolitical tasking, and the activity is unlikely to stop soon.
Impact
- Unauthorized Access
- Exposure of Sensitive Data
- Identity Theft
- Credential Theft
Indicators of Compromise
Domain Name
- accredit-navigation.online
- panel-short-check.live
- check-pabnel-status.live
- smaaaal.cfd
- click-choose-figured.cfd
- short-ion-per.live
- checking-paneling.live
IP
- 49.13.194.118
- 91.107.150.184
MD5
- 2b756515400d7e3b6e21ee3a83f313c8
- 9b67ef980e345153a07848c8677bda3f
- 57e45ac69ef21d1692b8cbd82498f574
- 1cea34e748cc43cdc7724684cebf409f
- 39556dc87f9a24405e73e6dd46d34bc7
- 6d8e74c2e5bfbab78a1e9ac61abaa124
- 56515c48f82475e7bb6a26b027a459d7
- 157284a93f3c5f488f4559db3537daea
- b6f02f67e2b5d2c81bc502d24258a1d5
SHA-256
- c67cd544a112cab1bb75b3c44df4caf2045ef0af51de9ece11261d6c504add32
- bc2597ce09987022ff0498c6710a9b51a1a47ed8082ac044be2838b384157527
- baac058ddfc96c8aea8c0057077505f0ad3ff20311d999886fed549924404849
- 0180f4f29c550aa1ffaa21af51711b29de99fb1d7c932d008a0e9356ae8a7d60
- f83e2b3be2e6db20806a4b9b216edc7508fa81ce60bf59436d53d3ae435b6060
- 82ae2eb470a5a16ca39ec84b387294eaa3ae82e5ada4b252470c1281e1f31c0a
- 89c1d1b61d7f863f8a651726e29f2ae3de7958f36b49a756069021817947d06c
- c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3
- 33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156
SHA-1
- 7a883f5700b2ecf75667d9df4a37a5c35ba12ff6
- 4480a9c08a687300057808057b81656b448dbf21
- b940a1fd9b4d601c17eeb2953677925e089928a2
- cce4761750a2549dc5bb7e377717dd4ea40420e5
- e8ce99f3b7c5163fc8ab793a7dcfbe2cdf1a21a7
- 5c7432e2186a067e007258eadc8b6c8675f5cf86
- e044cbf7b468f548a4dc9c46992bfcdd0f298acb
- 5a892c6cf26f90220d279d878206bf73f933f4dc
- 7e564f5f6bb98f629789565a737738ea66330f74
URL
- https://n9.cl/4xgro
- https://panel-short-check.live/PhyfkFQX
- https://check-pabnel-status.live/Gcollection/Ref/CkliPwaM
- https://check-pabnel-status.live/Gcollection/Password
- https://panel-short-check.live/ZZqt3LYD
- https://check-pabnel-status.live/Lcollection/Ref/F53OQQkE
- https://check-pabnel-status.live/Lcollection/Password
- https://meetroomonlin1925.w3spaces.com/
- https://smaaaal.cfd/Wp59tqKU
- https://click-choose-figured.cfd/Gallery/Ref/FSaEM5gG
- https://click-choose-figured.cfd/Gallery/Password
- https://short-ion-per.live/08EFNZ1
- https://checking-paneling.live/aliasauthG/Password
- https://checking-paneling.live/aliasauthG/autoref/vNSX6c2m
Remediation
- Block all listed threat indicators at your respective controls (DNS, proxy, firewall, email gateway, EDR). Note that some listed URLs sit on shared services, such as a URL shortener, where a host-level block would affect legitimate traffic; block those at URL granularity.
- Search for the indicators of compromise (IOCs) in your environment using your security controls, including DNS and proxy logs, mail logs, and endpoint file hashes.
- Share information about the tactics, techniques, and procedures (TTPs) APT42 uses in these campaigns with potential targets and security teams.
- Conduct phishing awareness training so users can recognize and avoid social engineering, including unsolicited requests for comment or interviews, shared-document links, and meeting invitations from unknown senders.
- Advise users, and especially high-profile individuals and their staff, to enable multi-factor authentication (MFA) on both work and personal accounts; phishing-resistant methods such as hardware security keys are preferable to SMS or app-based codes.
- Recommend messaging and communication platforms that offer end-to-end encryption for sensitive conversations.
- Keep all devices and software up to date with the latest security patches.
- Implement network monitoring and intrusion detection to identify unauthorized access attempts or unusual activity.
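The first two remediation items (block the indicators, then sweep for them) are easier to act on with a small matcher than by eyeballing logs. The following is an added example, not part of the advisory, that loads a subset of the indicator values listed above and runs them over constructed DNS, proxy, firewall and EDR log lines. It matches subdomains of the listed domains, normalizes URLs and hash case, and keeps the assumed public URL shortener host (`n9.cl`) out of the host block list so only the full URL is blocked there. The log lines and host names other than the advisory's indicators are constructed for illustration.

```python
"""IOC sweep and block-list builder for the APT42 indicators above.

Added example, not part of the original advisory. Indicator values are a
subset copied from the advisory's IOC section; log lines are constructed.
"""
import re
from urllib.parse import urlparse

# Subset of the advisory's indicators (lowercase, for case-insensitive matching).
IOC_DOMAINS = {
    "accredit-navigation.online", "panel-short-check.live",
    "check-pabnel-status.live", "smaaaal.cfd", "click-choose-figured.cfd",
    "short-ion-per.live", "checking-paneling.live",
}
IOC_IPS = {"49.13.194.118", "91.107.150.184"}
IOC_URLS = {
    "https://n9.cl/4xgro",
    "https://panel-short-check.live/PhyfkFQX",
    "https://check-pabnel-status.live/Gcollection/Password",
    "https://meetroomonlin1925.w3spaces.com/",
}
IOC_HASHES = {  # one MD5, one SHA-1 and one SHA-256 from the advisory
    "2b756515400d7e3b6e21ee3a83f313c8",
    "7a883f5700b2ecf75667d9df4a37a5c35ba12ff6",
    "c67cd544a112cab1bb75b3c44df4caf2045ef0af51de9ece11261d6c504add32",
}
# Assumption: n9.cl is a shared public URL shortener, so block the full URL,
# not the host, to avoid cutting off unrelated traffic.
SHARED_HOSTS = {"n9.cl"}

NORMALIZED_URLS = {u.rstrip("/") for u in IOC_URLS}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)


def parents(host):
    """Yield the host and each parent domain, so login.panel-short-check.live
    still matches the listed domain panel-short-check.live."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def match_line(line):
    """Return sorted (indicator_type, value) hits for one log line."""
    hits = set()
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")  # punctuation glued on by free-text logs
        if url.rstrip("/") in NORMALIZED_URLS:
            hits.add(("url", url))
    for host in HOST_RE.findall(line):
        for parent in parents(host):
            if parent in IOC_DOMAINS:
                hits.add(("domain", parent))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for digest in HEX_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.add(("hash", digest.lower()))
    return sorted(hits)


def scan(lines):
    """Run match_line over log lines; return (line_number, type, value) tuples."""
    return [(n, kind, value)
            for n, line in enumerate(lines, 1)
            for kind, value in match_line(line)]


def hosts_to_block():
    """Listed domains plus hosts of listed URLs, minus shared services."""
    hosts = set(IOC_DOMAINS)
    for url in IOC_URLS:
        host = urlparse(url).hostname
        if host and host not in SHARED_HOSTS:
            hosts.add(host)
    return sorted(hosts)


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-08-19T10:01:02Z dns client=10.0.0.5 query=login.panel-short-check.live type=A",
    "2024-08-19T10:01:09Z proxy user=jdoe dst=https://check-pabnel-status.live/Gcollection/Password status=200",
    "2024-08-19T10:02:31Z fw action=allow src=10.0.0.5 dst=91.107.150.184:443",
    "2024-08-19T10:03:00Z edr host=WS01 file=C:\\Users\\jdoe\\Downloads\\invite.pdf "
    "sha256=C67CD544A112CAB1BB75B3C44DF4CAF2045EF0AF51DE9ECE11261D6C504ADD32",
    "2024-08-19T10:04:00Z dns client=10.0.0.7 query=meet.google.com type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("line %d: %s %s" % hit)
    print("hosts to block:", ", ".join(hosts_to_block()))
```

Feed real exports into `scan()` one line at a time, or copy the three regexes and `parents()` into a SIEM lookup; the subdomain walk matters because phishing kits of this kind typically serve each lure from a fresh hostname under a domain they already own.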