
Iran’s Charming Kitten Targets US Election, Israeli Military

A threat group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) has launched new cyberattacks targeting email accounts related to the upcoming US presidential election, as well as key military and other political targets in Israel. The activity — which is primarily taking the form of socially engineered phishing campaigns — comes in retaliation for Israel’s ongoing military campaign in Gaza and US support for it, and is expected to continue as tensions in the region rise.

Google’s Threat Analysis Group (TAG) detected and blocked “numerous” attempts by Iranian-backed APT42, perhaps best known as Charming Kitten, to log into the personal email accounts of about a dozen individuals associated with President Biden and former President Trump, according to a blog post published yesterday. Targets of the activity included current and former U.S. government officials and individuals associated with the respective campaigns.

Additionally, the threat group persists in its attempts to compromise the personal accounts of individuals associated with current U.S. Vice President and presidential candidate Kamala Harris and former President Trump, “including current and former government officials and individuals associated with the campaign,” the post said.

The discovery comes after a Telegram-based bot service called “IntelFetch” was also discovered aggregating compromised credentials linked to the DNC and Democratic Party websites.

Charming Kitten Circles Israeli Targets

In addition to the election-related attacks, TAG researchers have also tracked several phishing campaigns targeting Israeli military and political targets, including people with connections in the defense sector, as well as diplomats, academics, and NGOs. These campaigns have increased significantly since April, the report said.

Google recently removed several Google Sites pages created by the group that posed as a petition from the legitimate Jewish Agency for Israel calling for the Israeli government to mediate to end the conflict, the post said.

Charming Kitten also abused Google Sites in an April phishing campaign targeting the Israeli military, defense, diplomats, academics, and civil society. The campaign sent emails posing as journalists asking for commentary on recent airstrikes. The emails targeted former senior Israeli military officials and an aerospace executive.

“Over the past six months, we have systematically disrupted these attackers’ ability to abuse Google Sites in more than 50 similar campaigns,” Google TAG said.

One of these campaigns consisted of a phishing email with an attacker-controlled Google Sites link that took the victim to a fake Google Meet homepage. Other lures included OneDrive, Dropbox, and Skype.

New and ongoing APT42 phishing activity

In other attacks, Charming Kitten has engaged in a wide range of social engineering tactics in phishing campaigns that reflect its geopolitical stance. The activity is unlikely to stop in the near future, according to Google TAG.

A recent campaign against Israeli diplomats, academics, NGOs and political entities came from accounts hosted by various email service providers, they found. While the messages contained no malicious content, Google TAG suspected they were “likely intended to elicit engagement from the recipients before APT42 attempted to compromise the targets,” and Google suspended Gmail accounts associated with the APT.

A separate campaign in June targeted Israeli NGOs using a benign PDF email attachment that posed as a legitimate political entity and contained a shortened URL link leading to a phishing kit landing page designed to harvest Google credentials. Indeed, APT42 often uses phishing links embedded directly in the body of the email or as a link in an otherwise benign PDF attachment, the researchers noted.

“In such cases, APT42 would approach its target with a social engineering lure to set up a video meeting and then link to a landing page where the target was asked to log in and redirected to a phishing page,” the post said.
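A defender-side triage check for the delivery pattern described above (a link in the message body or inside an otherwise benign PDF attachment), added here as an example and not taken from Google TAG's post or from this article. The host list, function names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumed, illustrative host list (not from the article); tune for your mail flow.
SUSPECT_HOSTS = {
    "bit.ly": "shortener", "tinyurl.com": "shortener", "t.co": "shortener",
    "sites.google.com": "hosted-page",  # user-built pages on a trusted domain
}
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.I)
# PDF link annotations store the target as /URI (...). This regex only sees
# uncompressed objects; links inside object streams need a real PDF parser.
PDF_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_links(raw_email: bytes):
    """Return [(where, url)] from text/HTML parts and PDF attachments."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            found += [("body", u) for u in URL_RE.findall(part.get_content())]
        elif ctype == "application/pdf":
            for m in PDF_URI_RE.finditer(part.get_content()):
                uri = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) escapes
                found.append(("pdf", uri.decode("latin-1")))
    return found

def host_of(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return ""

def triage(raw_email: bytes):
    """Tag every link with why it needs review (None if nothing matched)."""
    return [(where, url, SUSPECT_HOSTS.get(host_of(url)))
            for where, url in extract_links(raw_email)]

def build_sample() -> bytes:
    """Constructed sample: meeting lure in the body, short link in a PDF."""
    msg = EmailMessage()
    msg.set_content("Agenda: https://sites.google.com/view/example-meeting")
    pdf = b"%PDF-1.4\n1 0 obj<</S/URI/URI (https://bit.ly/EXAMPLE)>>endobj\n%%EOF"
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="q.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for row in triage(build_sample()):
        print(row)
```

A match is a reason to expand the link in a sandbox and inspect the landing page, not a verdict on its own, since both shorteners and Google Sites carry plenty of legitimate traffic.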

According to Google TAG, another APT42 campaign template sends legitimate PDF attachments as part of a social engineering scheme to build trust and encourage the target to use other platforms, such as Signal, Telegram, or WhatsApp. This is likely a way to send a phishing kit to collect login credentials.

Politically motivated attacks continue

All of this is business as usual for APT42/Charming Kitten, which is known for politically motivated cyberattacks. It has been extremely active against Israel, the US and other global targets since Israel began its military campaign in Gaza in retaliation for the October 7 Hamas attack in Israel.

Overall, Iran has a long history of responding to regional tensions with cyberattacks against Israel and the US. In the past six months alone, the US and Israel accounted for approximately 60% of APT42’s known geotargeting, according to Google TAG. More activity is expected following Israel’s recent assassination of Hamas’ top leader on Iranian soil, as experts believe cyberspace will remain a primary battlefield for Iranian-backed threat actors.

“APT42 is an advanced, persistent threat actor, and they show no signs of slowing down their efforts to target users and deploy new tactics,” Google TAG said. “As hostilities between Iran and Israel increase, we can expect to see APT42 conduct more campaigns there.”

The researchers also included a list of Indicators of Compromise (IoCs) in their post, including domains and IP addresses known to be used by APT42. Potentially targeted organizations should also remain vigilant for the various social engineering and phishing tactics used by the group in its recently discovered threat campaigns.