2024-08-22

APT42's Cyber Tactics From Credential Theft to Election Interference

Level: Strategic | Source: Google Threat Analysis Group

Industries: Aerospace, Civil, Defense, Education, Government, Media, Non-government organizations (NGOs), Think Tanks

APT42, an Iranian government-backed cyberespionage group also tracked as Charming Kitten, ITG18, TA453, and Yellow Garuda, has been implicated in numerous phishing and credential-harvesting campaigns, as well as in efforts to interfere in the 2024 United States election. According to the Google Threat Analysis Group (TAG), the group consistently targets individuals and entities of strategic importance to Iran's geopolitical interests, including high-profile figures in Israel, the United States, and other countries involved in international diplomacy and policy-making. APT42 has honed its tradecraft around credential phishing, using methods that include hosting malware, building phishing pages, and employing malicious redirects; these campaigns frequently abuse reputable services such as Google, Dropbox, and OneDrive to carry out their attacks. Activity intensified notably in April 2024 and peaked in May 2024. Primary targets have included the aerospace, defense, education, government, and media sectors, along with NGOs and think tanks, reflecting the group's broad interest in collecting sensitive information.

The group’s modus operandi involves social engineering techniques to gain the trust of their targets before launching phishing attacks. They have been known to impersonate legitimate organizations and individuals to lend credibility to their efforts. For instance, they have masqueraded as journalists, researchers, and public policy institutions to engage their targets through seemingly benign initial communications. Once trust is established, they employ various phishing kits designed to capture credentials and gain unauthorized access to sensitive systems and data.

APT42's activities have also extended to attempts to interfere in the 2024 United States election. Google TAG reports ongoing, though unsuccessful, attempts to compromise the personal accounts of individuals associated with major U.S. political figures, including President Biden, Vice President Harris, and former President Trump. These efforts include direct attacks on email accounts through phishing and other credential-theft techniques, aimed at gaining access to personal and campaign-related information. Google reports that it has taken active steps to dismantle the group's infrastructure, reset compromised accounts, and block further malicious activity, protecting numerous targets from potential compromise.
