On Wednesday, Google’s Threat Analysis Group (TAG) shared their findings concerning APT42, an Iranian Revolutionary Guard Corps-backed threat agent, and their targeted phishing campaigns against Israel and Israeli targets. Google also confirmed recent reports around APT42’s targeting of accounts associated with the U.S. presidential election.
According to the Threat Analysis Group, APT42, associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) consistently targets high-profile users in Israel and the U.S., including current and former government officials, political campaigns, diplomats, individuals who work at think tanks, as well as NGOs and academic institutions that contribute to foreign policy conversations.
In the past six months, the U.S. and Israel accounted for roughly 60% of APT42’s known geographic targeting, including the likes of former senior Israeli military officials and individuals affiliated with both U.S. presidential campaigns. These activities demonstrate the group’s aggressive, multi-pronged effort to quickly alter its operational focus in support of Iran’s political and military priorities.
3 View gallery
APT42 attempted to hack both presidential campaigns
(Photo: Brian Snyder / Reuters, Radek Pietruszka / EPA)
The Google report continues to elaborate on the cyber group's exploits. "APT42 attempted to use social engineering to target former senior Israeli military officials and an aerospace executive by sending emails masquerading as a journalist requesting comment on the recent air strikes. They also sent social engineering emails to Israeli diplomats, academics, NGOs and political entities." Google suspended identified Gmail accounts associated with APT42.
A June 2024 campaign targeting Israeli NGOs used a benign PDF email attachment impersonating the legitimate Project Aladdin, which contained a shortened URL link that redirected to a phishing kit landing page designed to harvest Google login credentials. One of the emails was supposedly from the Jewish Agency calling on the Israeli government to respond to the Qatari proposal for a cease-fire.
Google Threat Intelligence Group, inclusive of TAG and Mandiant, helps identify, monitor, and tackle threats, ranging from coordinated influence operations to cyber espionage campaigns against high-risk entities. TAG tracks and works to disrupt more than 270 government-backed attacker groups from more than 50 countries, and we regularly publish our findings to keep the public informed of these threats.
As we outlined above, APT42 is a sophisticated, persistent threat actor and they show no signs of stopping their attempts to target users and deploy novel tactics. This spring and summer, they have shown the ability to run numerous simultaneous phishing campaigns, particularly focused on Israel and the U.S. As hostilities between Iran and Israel intensify, we can expect to see increased campaigns there from APT42.
We also remain vigilant for targeting around the U.S. election and encourage all high-risk individuals including elected officials, candidates, campaign workers, journalists, election workers, government officials, and others to sign up for Google’s Advanced Protection Program. APP is a free, opt-in program designed to protect targeted users against such tactics, preventing unauthorized users from signing into an account even if they know the password.
A new Google report published on Wednesday said that a cyber unit linked to Iran under the name "APT42" attacked former senior officials in the IDF and a senior manager "in the field of aviation and space". The method used by the hackers is simple and familiar, they sent emails on behalf of journalists asking for a response to the recent airstrikes in Gaza. In addition, the unit's hackers posed as real researchers at the well-known American research institute Brookings and the Washington Institute for Middle East Policy to try to break into Israeli diplomats, academics, non-governmental organizations and political bodies.