In a new research report published Wednesday, cybersecurity experts revealed that the Islamic Republic of Iran’s Revolutionary Guard Corps (IRGC) has primarily relied on a group of Iranian hackers to track its domestic and foreign enemies. The research from the United States cybersecurity firm Mandiant revealed that the IRGC used hackers to target American government officials, Iranian dissidents, pro-democratic groups, and journalists.
According to research from Mandiant, which has been tracking the spy group since 2015, ‘APT42’ has tried to break into the email accounts of top U.S. government officials focused on Iran policy and the mobile phones of Iranian dissidents.
“APT42 is characterized by highly targeted spear-phishing and surveillance operations against individuals and organizations of strategic interest to Iran,” Mandiant reported.
“The group’s operations are designed to build trust and rapport with their victims. We do not anticipate significant changes to APT42’s operational tactics and mandate given the long history of activity and imperviousness to infrastructure takedowns and a media spotlight on operational security failures,” according to Mandiant Intelligence.
According to the assessment, APT42 has demonstrated its ability to quickly change its strategy and priorities based on Tehran’s changing needs both domestically and abroad. Broadly, they have targeted organizations and individuals opposing the regime by obtaining access to their personal accounts and cell phones. They have gone after Western think tanks, journalists, researchers and government officials, as well as former Iran officials and members of the Iranian opposition abroad.
According to John Hultquist, Vice President of Mandiant’s Intelligence Analysis, the recent IRGC operations indicate that Americans must be cautious about Iran’s efforts to surveil and “track targets in the U.S. and globally.”
The cyberattacks by pro-Iranian groups show how heavily the IRGC’s surveillance apparatus relies on cyber operations to support its terrorist operations.
The latest report comes a month after the U.S. Justice Department unsealed an indictment of an IRGC member for his role in allegedly plotting to assassinate former Trump administration national security adviser John Bolton in early August 2022. While the research from Mandiant does not connect Iranian hackers to that operation, analysts did link the same Iranian hackers to a 2018 operation targeting the Gmail accounts of Iranian activists whom the Islamic government had arrested earlier that year. Google responded to that activity in 2018 by identifying and cracking down on Iranian hackers.
While many cyberattacks against business servers have caused financial problems, Hultquist went on to state that being compromised by someone belonging to an entity with a history of political assassinations is a grave issue.
“APT42 has a propensity to target both personal and corporate email accounts of individuals and organizations of interest. They also change their targeting patterns over time as Iranian government priorities change,” said Mandiant Intelligence. The research report further explains that between March and June of 2021, the hackers used the compromised email account of someone working at a U.S.-based think tank to target government officials dealing with the Middle East and Iranian foreign policy.
While the report from Mandiant does not specify which U.S. government agency was targeted or whether the hacking attempts were successful, this latest development comes as the Biden administration blamed Iran for a different hacking incident in July that disrupted government services in Albania.
In response, the Albanian government stated on Wednesday that the country was severing relations with Iran over its cyberattack against Albanian government systems and anti-regime groups.
Over the years, U.S. officials have repeatedly warned the President and lawmakers in Congress that Iran’s hacking capabilities continue to improve, given the technological support it receives from Russia, China, and North Korea.
“APT42 really puts the ‘persistent’ in ‘Advanced Persistent Threat.’ Their operations may not appear to be particularly sophisticated when you think of that term in the context of unique, complicated malware, but that does not mean they are not successful. APT42 uses clever, patient, and highly targeted social engineering techniques to trick individuals into opening malicious documents or entering their credentials or two-factor authentication codes on credential harvesting pages and we know this has worked for them in recent years and continues to do so, despite their tendency to make operational security mistakes,” according to Mandiant Intelligence.
After American forces killed the IRGC’s top general, Qasem Soleimani, Iran responded with various cyberattacks, attempting to mount an asymmetric response to the death of its leader. Since then, Iran has increased its cyberattacks, such as the hacking of Boston Children’s Hospital this year.
In response to Iran’s continued efforts against American government officials, dissidents, and journalists, members of Congress and national security experts have told the White House to cease negotiations with Iran over its nuclear program and enact a maximum pressure campaign against the regime for its terrorist activities, including cyberterrorism. While President Biden and his team have condemned such actions, the administration is bent on reviving the nuclear agreement to score a political win for his presidency.
Elliot Nazar is a foreign affairs writer completing degrees in political science and international relations with emphasis in American-Middle East foreign policy, Iran, Israel, and terrorism at UCLA.