August 26, 2024
Severity
High
Analysis Summary
On Friday, Meta Platforms disclosed the activities of an Iranian state-sponsored threat actor, following similar disclosures by Microsoft, Google, and OpenAI. According to the company, the threat actor used a set of WhatsApp accounts in an attempt to target people in Israel, Palestine, Iran, the United Kingdom, and the United States.
Originating in Iran, the activity cluster appeared to focus on public figures and political and diplomatic personnel, including certain members of the administrations of President Biden and former President Trump. Meta attributed the activity to APT42, also tracked as Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda, a nation-state actor believed to be associated with Iran's Islamic Revolutionary Guard Corps (IRGC).
The group is well known for using elaborate social engineering lures to spear-phish targets of interest and deliver malware that harvests login credentials. According to information disclosed earlier this week, the threat actor targeted a prominent Jewish figure in an attempt to infect their computer with malware known as AnvilEcho.
Although the attempts are assessed to have been unsuccessful, Meta reported that a small cluster of WhatsApp accounts posed as technical support for AOL, Google, Yahoo, and Microsoft; the accounts have since been disabled. The disclosure coincides with the U.S. government's formal accusation that Iran has sought to collect political intelligence and spread propaganda to stir division among Americans, undermine confidence in the democratic process, and interfere with U.S. elections.
Impact
- Credential Theft
- Identity Theft
- Cyber Espionage
Remediation
- Disseminate information regarding the tactics, techniques, and procedures (TTPs) used by the APT42 group to target dissidents.
- Educate potential targets on the risks of engaging in online conversations with unknown individuals, especially on social media platforms.
- Encourage individuals to use secure communication tools and platforms that offer end-to-end encryption to protect sensitive information.
- Conduct phishing awareness training to help potential targets recognize and avoid social engineering attacks, such as deceptive messages and links.
- Advise users to enable MFA on their accounts to add an extra layer of protection against unauthorized access.
- Ensure that all devices and software used are up to date with the latest security patches to mitigate vulnerabilities.
- Train individuals to be cautious when interacting with unknown individuals online and to be vigilant about unusual or suspicious requests.
- Implement network monitoring and intrusion detection systems to detect any unauthorized access attempts or unusual activities.
- Recommend the use of secure messaging and communication platforms that offer end-to-end encryption and protect conversations from interception.