Mandiant has named a new threat group, APT42, that it says functions as the cyberspy arm of Iran’s Islamic Revolutionary Guard Corps (IRGC), which has plotted to murder US citizens including former National Security Advisor John Bolton.
While its financial backers turn their attention to assassination attempts and other terrorist activities, APT42 favors selective spear-phishing to target corporate and personal email accounts, according to the Google-owned threat intel business.
Since at least 2015, the group has used these campaigns to harvest credentials and install Android spyware on victims’ mobile devices, which it then uses to track locations, monitor communications and otherwise surveil the activities of anyone deemed a threat to the Iranian government.
Its victims span at least 14 countries — the US, Australia, and those in Europe and the Middle East among them — and have included government officials, former Iranian policymakers, members of the Iranian diaspora and opposition groups, journalists and academics, according to Mandiant’s research [PDF], published today.
According to Mandiant Intelligence VP John Hultquist, this group is especially dangerous because of its ties to the IRGC.
“The IRGC has been associated with everything from DDoS to physical destruction, assassinations, threats to safety and lives,” he said, in an interview with The Register. “And APT42 appears to be supporting them as they physically track people, so it’s hard to imagine a more dangerous scenario.”
Mandiant says it can confirm more than 30 targeted APT42 operations involving credential harvesting, surveillance and malware deployment since