{"id":3368,"date":"2024-05-01T22:00:00","date_gmt":"2024-05-02T03:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80324"},"modified":"2024-05-01T22:00:00","modified_gmt":"2024-05-02T03:00:00","slug":"iranian-hackers-impersonate-journalists-in-social-engineering-campaign","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/01\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign\/","title":{"rendered":"Iranian hackers impersonate journalists in social engineering campaign\u00a0"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Iranian hackers impersonate journalists in social engineering campaign&nbsp; | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Iranian hackers impersonate journalists in social engineering campaign&nbsp;\"> <meta property=\"og:description\" content=\"Members of a notorious Iranian hacking crew are using false personas to steal credentials and access victim cloud environments, per a new Mandiant report.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-05-02T03:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2024-05-01T22:47:59+00:00\"> <meta name=\"author\" content=\"djohnson\"> <meta 
name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1712700738g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1713212360g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1712858261g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80324\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.5.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80324\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Firanian-hackers-impersonate-journalists-in-social-engineering-campaign%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Firanian-hackers-impersonate-journalists-in-social-engineering-campaign%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80324 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" 
fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.624203821656\">\n<div class=\"single-article__header-content\" readability=\"30.955223880597\">\n<p> Members of a notorious Iranian hacking crew are using false personas to steal credentials and access victim cloud environments, per a new Mandiant report. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg 6720w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg?resize=1536,1024 1536w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> An Iranian flag is carried around the Azadi (Freedom) monument tower during the annual rally commemorating Iran&#8217;s 1979 Islamic Revolution in Tehran on Feb. 11, 2024. 
(Photo by Majid Saeedi\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"43.472398190045\"><body readability=\"87.638232271326\"><\/p>\n<p>A hacking group linked to the intelligence wing of Iran\u2019s Revolutionary Guard Corps impersonated journalists and human rights activists as part of a social engineering campaign, according to <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/untangling-iran-apt42-operations\">research<\/a> released Wednesday by Mandiant and Google Cloud.<\/p>\n<p>The news organizations impersonated in the operation include The Washington Post, The Economist and The Jerusalem Post, and Mandiant\u2019s researchers assess that the campaign was carried out by the hacking crew known as APT42. The group also spoofed prominent Washington think tanks, including the Aspen Institute, the McCain Institute and the Washington Institute.&nbsp;<\/p>\n<p>According to Mandiant, the Iranian hackers spoofed these organizations in order to send targets phishing lures meant to harvest their credentials. In other cases, the attackers masqueraded behind generic login pages, file hosting services, and legitimate services like YouTube, Gmail, Google Meet and Google Drive.<\/p>\n<p>\u201cAPT42 was observed posing as journalists and event organizers to build trust with victims through ongoing correspondence and to deliver invitations to conferences or legitimate documents. 
These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to Cloud environments,\u201d wrote authors Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock and Jonathan Leathery.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Mandiant said there is no evidence that the spoofed organizations themselves were hacked or compromised in any way.<\/p>\n<p>Wednesday\u2019s report is the latest in a string of incidents in which Iranian hacking groups have used fake personas to trick their victims. Last year, SecureWorks <a href=\"https:\/\/cyberscoop.com\/iran-linked-hackers-used-fake-atlantic-council-persona-to-target-human-rights-researchers\/\">detailed<\/a> an effort by APT42 to use such personas and social media accounts to conduct phishing attacks on researchers around the world focused on Iran, including by inviting them to contribute to a forthcoming report from the Atlantic Council.<\/p>\n<p>According to Mandiant, members of APT42, which is also known as Charming Kitten, TA453 and Mint Sandstorm or Mint Phosphorus, have been engaged in a widespread social engineering campaign since at least 2019.<\/p>\n<figure class=\"wp-block-image\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign.png?w=640&#038;ssl=1\" alt><\/figure>\n<p>The ultimate goal behind the efforts appears to be espionage, with the group using the stolen credentials to access the cloud environments of victim organizations and pilfer data of strategic interest to Tehran.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In one instance in February, a domain controlled by the group hosted a document apparently about women\u2019s 
rights on Dropbox and impersonated an Iranian filmmaker and a Fox News contributor to enhance the legitimacy of the lure. Another domain was used to host a decoy document on \u201cThe Secrets of Gaza Tunnels\u201d in March, likely in an effort to play off interest in the ongoing Israel-Gaza conflict.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-1.png?w=640&#038;ssl=1\" alt class=\"wp-image-80325\"><\/figure>\n<p>In many cases, the documents themselves were not laced with malware, something Mandiant said was likely an effort to establish a rapport with victim organizations and lay the groundwork for credential phishing. Once they obtained credentials, the actors bypassed multifactor authentication protections by creating cloned websites to capture MFA tokens and sending push notifications to victims.<\/p>\n<p>That facilitated access to the victims\u2019 Microsoft 365 cloud environments, where APT42 was able to steal data from OneDrive, Outlook emails and other documents related to Iranian geopolitical interests. 
The actor leveraged a mix of built-in features and open-source tools to obfuscate their presence in victim networks.<\/p>\n<p>\u201cThe methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders,\u201d the authors note.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>While other Iranian threat groups have pivoted to disruptive and destructive attacks since the start of the Israel-Gaza conflict, Mandiant said APT42 has remained laser-focused on its traditional remit of intelligence collection from foreign targets.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.719165085389\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign-1.jpg?w=640&#038;ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" 
class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/iranian-hackers-impersonate-journalists-in-social-engineering-campaign\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Iranian hackers impersonate journalists in social engineering campaign&nbsp; | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1985,513,1986,646,256],"tags":[1987,517,1988,650,262],"class_list":["post-3368","post","type-post","status-publish","format-standard","hentry","category-apt42","category-iran","category-israel-gaza-conflict","category-mandiant","category-research","tag-apt42","tag-iran","tag-israel-gaza-conflict","tag-mandiant","tag-research"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/apt42\/\" rel=\"category tag\">APT42<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/iran\/\" rel=\"category tag\">Iran<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/israel-gaza-conflict\/\" rel=\"category tag\">Israel-Gaza conflict<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mandiant\/\" rel=\"category tag\">Mandiant<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category 
tag\">Research<\/a>","tag_info":"Research","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3368"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3368\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}