How Iran-linked hackers escalated cyber attacks on Israel and US
Google’s report exposes APT42’s aggressive tactics and growing threat.
Hackers associated with Iran have attacked significant targets in Israel in recent months, primarily former senior IDF officials, politicians, diplomats, and academic researchers, according to a new report by Google's Threat Analysis Group (TAG). The group also targeted senior figures in the U.S. presidential election campaigns of Biden and Trump.
According to the report, the group behind the attacks is known as APT42, which has ties to the Revolutionary Guards. “In the past six months, the U.S. and Israel accounted for roughly 60% of APT42’s known geographic targeting, including the likes of former senior Israeli military officials and individuals affiliated with both U.S. presidential campaigns,” TAG’s report read.
Google notes that since April 2024, the group's attacks against Israel have intensified. “APT42 intensified their targeting of users based in Israel. They sought out people with connections to the Israeli military and defense sector, as well as diplomats, academics, and NGOs,” the report said. The group's primary method is sending phishing emails with malicious links, exploiting services from Google, Dropbox, Microsoft, and others.
“APT42 uses a variety of different tactics as part of their email phishing campaigns — including hosting malware, phishing pages, and malicious redirects. They generally try to abuse services like Google (i.e. Sites, Drive, Gmail, and others), Dropbox, OneDrive and others for these purposes,” the report read. “In the course of our work to disrupt APT42, TAG reset any compromised accounts, sent government-backed attacker warnings to the targeted users, updated detections, disrupted malicious Google Sites pages, and added malicious domains and URLs to the Safe Browsing blocklist — dismantling the group’s infrastructure.”
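The report describes two defensive levers against lure emails of this kind: flagging links that sit on legitimate but frequently abused hosting services (Google Sites, Drive, Dropbox, OneDrive), and checking links against a blocklist of known-malicious domains and URLs such as Safe Browsing. The following Python triage script is an added illustration of that logic and is not code from Google or from the report; the email body, the host list, and the blocklist entries are all constructed for the example, and a real deployment would feed the lookup from a maintained threat-intelligence source.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body (not taken from the report): a lure that leans
# on legitimate hosting services, one benign link, and one known-bad domain.
SAMPLE_EMAIL = """Dear colleague,
Please review the policy brief before our call:
https://sites.google.com/view/policy-brief-2024/home
Backup copy: https://www.dropbox.com/s/abc123/brief.pdf?dl=1
Slides: https://1drv.ms/p/s!example
Our institute: https://www.example-institute.org/about
Login to confirm: http://secure-login.example-phish.test/auth
"""

# Legitimate services that the report names as abused for lures and redirects.
# The service names come from the report; the exact hostnames are an assumption.
ABUSABLE_HOSTS = {
    "sites.google.com": "Google Sites",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Docs",
    "dropbox.com": "Dropbox",
    "onedrive.live.com": "OneDrive",
    "1drv.ms": "OneDrive short link",
}

# Constructed blocklist standing in for a Safe Browsing style feed.
BLOCKLIST_DOMAINS = {"example-phish.test"}
BLOCKLIST_URLS = {"https://sites.google.com/view/policy-brief-2024/home"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Pull every http(s) URL out of a plain-text email body."""
    return URL_RE.findall(text)


def parent_domains(host):
    """Yield the host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    parts = host.split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def classify_url(url):
    """Return a verdict (allow / review / block) and the reasons behind it."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme == "http":
        reasons.append("cleartext http")
    # A link on an abusable service is not malicious by itself, but it is the
    # pattern the report describes, so it is routed to analyst review.
    for suffix in parent_domains(host):
        if suffix in ABUSABLE_HOSTS:
            reasons.append(f"hosted on {ABUSABLE_HOSTS[suffix]}")
            break
    # Domain-level blocklist hit covers any subdomain of a listed domain.
    for suffix in parent_domains(host):
        if suffix in BLOCKLIST_DOMAINS:
            reasons.append("domain on blocklist")
            break
    # URL-level hit catches a single malicious page on an otherwise benign host
    # (the way a disrupted Google Sites page would be listed).
    bare = url.split("?")[0].rstrip("/")
    if bare in {u.rstrip("/") for u in BLOCKLIST_URLS}:
        reasons.append("URL on blocklist")
    if any("blocklist" in r for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


def triage_email(body):
    """Classify every link in an email body, preserving order of appearance."""
    return [classify_url(u) for u in extract_urls(body)]


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print(f"{finding['verdict']:6} {finding['url']}  {', '.join(finding['reasons'])}")
```

The script deliberately separates "hosted on an abusable service" (a review signal, since these services carry enormous legitimate traffic) from a blocklist hit (a blocking signal), which mirrors the distinction between detection tuning and the blocklist additions the report describes.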
In another instance, the group posed as a legitimate research organization, the Washington Institute for Near East Policy, to target Israeli diplomats, journalists, and researchers at an independent research institute in the U.S.
In addition to the attacks on Israeli targets, Google researchers identified attempts by the group to attack about a dozen key figures related to the election campaigns of President Joe Biden (who has since withdrawn from the race) and Donald Trump, including past and present senior government officials.
“APT42 is a sophisticated, persistent threat actor and they show no signs of stopping their attempts to target users and deploy novel tactics,” the report said. “This spring and summer, they have shown the ability to run numerous simultaneous phishing campaigns, particularly focused on Israel and the U.S. As hostilities between Iran and Israel intensify, we can expect to see increased campaigns there from APT42.”