Google criticizes APT42 for high-profile spear-phishing attacks • The Register

Google has joined Microsoft in publishing information about Iran’s cyber influence activities, following a recent surge in attacks that led to the leak of data from Trump’s re-election campaign.

The tech giant’s Threat Analysis Group (TAG) confirmed that Iran was behind the incident, specifically the APT42 group which is part of the Islamic Revolutionary Guard Corps (IRGC).

It also said that numerous other attacks had been thwarted prior to that after Iranian activity increased in May. Active attacks still being blocked include those targeting the teams of President Joe Biden, Vice President and current Democratic presidential nominee Kamala Harris, and Donald Trump, who is running for a second term in the Oval Office.

APT42 relies heavily on what Google’s TAG calls “Cluster C” phishing activities – distinctive methods in use since 2022 that are characterized by attempts to impersonate NGOs and “Mailer Daemon”.

These phishing attempts also make use of Bitly’s link-shortening service. Targets such as defense and political officials, as well as academics, are spear-phished with links to conference registration pages, for example, or are sent cloud-hosted documents; both prompt the recipient to enter their account credentials.

“In May and June, the personal email accounts of approximately a dozen individuals associated with President Biden and former President Trump were targeted by APT42, including current and former U.S. government officials and individuals associated with the respective campaigns,” Google’s TAG said.

“We blocked numerous APT42 attempts to log into the targeted individuals’ personal email accounts.”

How to recognize an APT42 phishing email

In addition to the Cluster C activity already described, APT42 will often also use a bit of social engineering to get things going.

A common tactic is to set up video calls using spoofed, attacker-controlled landing pages. Targets receive an email with a join link; the page it leads to asks for login credentials, which are captured because the site is a fake under the attacker’s control rather than the real service.

Google Meet is often spoofed, and TAG said other fake Google sites have been spotted in more than 50 different campaigns. You should also be extra careful with Dropbox, OneDrive and Skype links, Google said.
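As an added example (not code from Google or The Register), the following Python triage helper flags the link indicators named in this article: Bitly-shortened links, links that mention Meet, Dropbox, OneDrive or Skype but point at a host that is not the real service, and pages hosted on Google Sites (the pattern of the fake petition described later). The legitimate-host lists and the sample email are constructed assumptions for the example, not an authoritative allowlist.

```python
"""Triage helper for the APT42 lure patterns described in the article.
Added example; host lists and sample email are constructed assumptions."""
import re
from urllib.parse import urlparse

# Services the article says APT42 impersonates, with the hosts they genuinely use.
# Illustrative, not exhaustive: extend for your environment before relying on it.
LEGIT_HOSTS = {
    "meet": {"meet.google.com"},
    "dropbox": {"dropbox.com", "www.dropbox.com", "dropboxusercontent.com"},
    "onedrive": {"onedrive.live.com", "1drv.ms"},
    "skype": {"skype.com", "www.skype.com", "join.skype.com"},
}
SHORTENERS = {"bit.ly", "bitly.com"}          # Bitly links hide the real destination
FREE_HOSTING = {"sites.google.com"}            # the fake petition pages used Google Sites

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage_link(url):
    """Return the reasons a single link matches one of the article's lure patterns."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = []
    if host in SHORTENERS:
        reasons.append("link shortener hides destination")
    if host in FREE_HOSTING:
        reasons.append("free-hosted page (fake petition pattern)")
    for brand, legit in LEGIT_HOSTS.items():
        mentioned = brand in host or brand in path
        genuine = host in legit or any(host.endswith("." + h) for h in legit)
        if mentioned and not genuine:
            reasons.append(f"'{brand}' in link but host {host} is not the real service")
    return reasons


def triage_email(body):
    """Map every link in an email body to its triage reasons (empty list = no flag)."""
    return {u: triage_link(u) for u in URL_RE.findall(body)}


# Constructed sample lure: one spoofed Meet link, a Bitly link, a Google Sites page,
# and a genuine Meet link that must not be flagged.
SAMPLE_EMAIL = """Hi, please join our call here: https://meet-google.example.net/join?id=123
Agenda: https://bit.ly/xyz and the petition: https://sites.google.com/view/petition
Genuine link for comparison: https://meet.google.com/abc-defg-hij"""

if __name__ == "__main__":
    for link, reasons in triage_email(SAMPLE_EMAIL).items():
        print(link, "->", reasons or "no flag")
```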

PDFs can also be sent. Google hasn’t said exactly what these are, but they’re likely harmless and only used to build trust before moving the conversation to a messaging platform like Signal, Telegram, or WhatsApp.

From there, the attackers are expected to lure you to a page served by a credential-harvesting kit. GCollection (also known as LCollection and YCollection) has been in use and continuously developed since January 2023, and is the kit Google considers the most advanced that APT42 uses.

It now supports a “seamless flow” that captures not only passwords but also MFA codes, device PINs, and one-time recovery codes for Google, Hotmail, and Yahoo accounts.

A second kit, DWP, is also in use, often delivered via a URL shortener, but it offers fewer features than GCollection.

“This spear-phishing is supported by reconnaissance, using open-source marketing and social media research tools, to identify personal email addresses that may not have default multi-factor authentication or other protections commonly found on business accounts,” Google said.

“Once APT42 gains access to an account, they often add additional access mechanisms, including changing recovery email addresses and using features that allow applications that do not support multi-factor authentication, such as application-specific passwords in Gmail and third-party app passwords in Yahoo. Google’s Advanced Protection Program revokes and disables these application-specific passwords in Gmail, protecting users from this tactic.”

Attacks on Israeli targets increase again

Similar phishing and social engineering tactics were observed in attacks against Israeli officials in the military, defense, academic, and NGO sectors.

Google’s TAG noticed the last spike in this activity in late July, after originally peaking in April. APT42’s phishing efforts in Israel regularly peak and trough, though it never flatlines – there is always a low number of attacks going on at any given time.

However, the group does use specific bait types for Israeli targets, many of which are related to the country’s current conflict with Palestine.

Several web pages imitating a petition from the Jewish Agency for Israel were blocked by Google after it was discovered that they had been created using Google Sites. The petition called for an end to the conflict, but only redirected visitors to phishing pages.

APT42 has also been spotted posing as reporters and contacting senior officials directly for comment on stories related to missile strikes, all in an effort to build rapport with targets before attempting to compromise their accounts. ®