Iranian government-backed hackers have targeted at least 18 high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East issues in an ongoing social engineering and credential phishing campaign conducted over WhatsApp, Human Rights Watch (HRW) has revealed.
The investigation found that the state-backed hackers also targeted two HRW staff members.
HRW attributed the phishing attack to an entity affiliated with the Iranian government known as APT42 and sometimes referred to as “Charming Kitten”.
The email accounts and other sensitive data of at least three of the targets had been compromised: a correspondent for a major US newspaper, a women’s rights defender based in the Gulf region, and Nicholas Noe, an advocacy consultant for Refugees International based in Lebanon, the HRW report said.
“Iran’s state-backed hackers are aggressively using sophisticated social engineering and credential harvesting tactics to access sensitive information and contacts held by Middle East-focused researchers and civil society groups,” said Abir Ghattas, information security director at HRW.
“This significantly increases the risks that journalists and human rights defenders face in Iran and elsewhere in the region,” Ghattas added.
For the three people whose accounts were known to be compromised, the attackers gained access to their emails, cloud storage drives, calendars, and contacts, and also performed a Google Takeout, a Google service that exports the data held in the core and additional services of a Google account as a single downloadable archive.
Organisations such as Google and the cybersecurity companies Recorded Future, Proofpoint, and Mandiant have linked APT42 to Iranian authorities.
In October, an HRW staff member working on the Middle East and North Africa region received suspicious WhatsApp messages from a person pretending to work for a Lebanon-based think tank, inviting them to a conference.
The joint HRW and Amnesty International investigation revealed that the phishing links sent via WhatsApp, once clicked, directed the target to a fake login page that captured the user’s email password and one-time authentication code, which is why code-based two-factor authentication did not stop the account takeovers.
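The following illustration is added here and is not part of the HRW report or the investigation's own tooling. It models, with constructed secrets and origins, why a fake login page that forwards the victim's password and one-time code to the real service within the code's validity window succeeds, while an origin-bound factor such as a security key fails the same relay: the authenticator signs the origin the browser actually visited, so a signature produced on a lookalike domain does not verify at the real one. The service names, keys and the HMAC used as a stand-in for a device signature are assumptions made for the demo.

```python
"""Added illustration (not from the HRW/Amnesty investigation): real-time
relay of password + TOTP versus an origin-bound challenge signature.
All secrets, origins and the HMAC stand-in for a device signature are
constructed for this demo."""
import hashlib
import hmac
import struct

SERVER_ORIGIN = "https://mail.example.com"        # the real service (constructed)
PHISH_ORIGIN = "https://mail-example-login.com"   # attacker's lookalike page (constructed)

PASSWORD = "correct horse battery staple"         # constructed victim password
TOTP_SECRET = b"constructed-shared-totp-seed"      # shared with the victim's authenticator app
DEVICE_KEY = b"constructed-authenticator-key"      # stand-in for a security key's credential


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def login_with_code(password: str, code: str, now: int, step: int = 30) -> bool:
    """Server-side password + TOTP check. The server cannot tell whether the
    code was typed on its own page or relayed from a fake one; like most
    deployments it also tolerates one step of delay/clock skew."""
    if password != PASSWORD:
        return False
    return any(hmac.compare_digest(code, totp(TOTP_SECRET, now - k * step)) for k in (0, 1))


def authenticator_sign(challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """Security-key model: the signature covers the server challenge AND the
    origin the browser reports, which the page content cannot override."""
    msg = challenge + b"|" + origin_seen_by_browser.encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def login_with_key(challenge: bytes, signature: bytes) -> bool:
    """Server verifies against its OWN origin, never one supplied by the client."""
    expected = authenticator_sign(challenge, SERVER_ORIGIN)
    return hmac.compare_digest(signature, expected)


def phish_code_flow(now: int) -> bool:
    """Victim enters password and the current code into the fake page; the
    attacker forwards both to the real service a few seconds later."""
    victim_code = totp(TOTP_SECRET, now)          # what the victim's app shows right now
    captured = {"password": PASSWORD, "code": victim_code}
    return login_with_code(captured["password"], captured["code"], now + 5)


def phish_key_flow() -> bool:
    """Attacker fetches a genuine challenge, relays it to the victim on the
    lookalike page; the browser signs with PHISH_ORIGIN, so verification fails."""
    challenge = b"constructed-server-nonce-0001"
    relayed_signature = authenticator_sign(challenge, PHISH_ORIGIN)
    return login_with_key(challenge, relayed_signature)


def legit_key_flow() -> bool:
    """Same challenge signed on the real origin verifies."""
    challenge = b"constructed-server-nonce-0001"
    return login_with_key(challenge, authenticator_sign(challenge, SERVER_ORIGIN))


if __name__ == "__main__":
    t = 1_700_000_000  # fixed timestamp for a reproducible run
    print("password+TOTP relayed by phishing page accepted:", phish_code_flow(t))
    print("security-key signature relayed by phishing page accepted:", phish_key_flow())
    print("security-key signature on real origin accepted:", legit_key_flow())
```

The point for defenders is that the one-time code is just another secret the victim can be talked into typing, and it stays valid long enough to be forwarded; binding the second factor to the origin the browser actually loaded removes the user's ability to hand it over to the wrong site.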
The research team investigated the infrastructure that hosted the malicious links and identified additional targets of this ongoing campaign.
HRW and Amnesty International contacted the 18 high-profile individuals identified as targets of this campaign. Fifteen of them responded and confirmed that they had received the same WhatsApp messages at some point between September 15 and November 25, 2022.
Google should also promptly strengthen its Gmail account security warnings to better protect journalists, human rights defenders, and its most at-risk users from attacks, said HRW.
“In a Middle East region rife with surveillance threats for activists, it’s essential for digital security researchers to not only publish and promote findings, but also prioritize the protection of the region’s embattled activists, journalists, and civil society leaders,” Ghattas said.