Iranian state-backed cyber spies continue to impersonate media brands, think tanks
The Iranian state-sponsored hacker group known as APT42 is impersonating well-known news outlets and think tanks to target journalists, researchers and activists in Western countries and the Middle East, researchers say.
For example, in a campaign that started in 2021 and is still ongoing, the hackers masqueraded as The Washington Post, The Economist and The Jerusalem Post to harvest login credentials from anyone who clicked on fake website links, according to research released this week by Google-owned Mandiant. APT42’s primary goal is espionage.
“The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders,” Mandiant said. In its operations, APT42 often uses typosquatting — or acquiring web domains that look real but might have a small error or alteration — to create malicious links that redirect recipients to fake Google login pages, according to the report. An example would be “washinqtonpost[.]press” — note the “q” in the name.
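To show what a defender can do with the typosquatting pattern described above, here is an added Python example (not from the Mandiant report) that normalises defanged indicators such as “washinqtonpost[.]press” and flags hostnames that sit one edit or one confusable substitution away from a protected brand label. The brand list, confusable table and sample domains are constructed for illustration.

```python
"""Flag look-alike domains that imitate a protected brand label.
Brand list, confusable table and sample indicators are constructed."""
import re
from typing import Optional

# Second-level labels a defender wants to protect (constructed list).
PROTECTED_BRANDS = {"washingtonpost", "economist", "jpost", "google"}

# Character swaps a skimming eye misses (constructed, deliberately short).
CONFUSABLES = {"q": "g", "rn": "m", "vv": "w", "0": "o", "1": "l", "l": "i"}


def defang_to_hostname(value: str) -> str:
    """Turn a defanged indicator ('hxxp://', '[.]') into a bare lowercase hostname."""
    value = value.strip().lower()
    value = re.sub(r"^hxxps?://|^https?://", "", value)
    value = value.replace("[.]", ".").replace("(.)", ".")
    return value.split("/")[0]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; labels are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def squat_match(indicator: str) -> Optional[str]:
    """Return the brand a hostname imitates, or None if it looks unrelated."""
    labels = defang_to_hostname(indicator).split(".")
    # Naive second-level pick; multi-part suffixes like co.uk need a suffix list.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if sld in PROTECTED_BRANDS:
        return None  # exact brand label; unexpected TLDs are a separate check
    for brand in PROTECTED_BRANDS:
        # One swapped, dropped or added letter is the classic typosquat.
        if len(sld) >= 5 and levenshtein(sld, brand) <= 1:
            return brand
        # Confusable substitution: undo one swap and compare again.
        for fake, real in CONFUSABLES.items():
            if fake in sld and sld.replace(fake, real) == brand:
                return brand
    return None


if __name__ == "__main__":
    for sample in ["washinqtonpost[.]press", "hxxps://econornist[.]com/login", "example[.]org"]:
        print(sample, "->", squat_match(sample))
```

Run against a list of newly observed or proxied domains, a hit is a reason to review the domain, not proof of malice on its own.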