Iranian Cyber Campaign Targets High-Profile WhatsApp Users



In a release on Friday, August 23rd, Meta disclosed a cybersecurity issue involving Iranian threat actors targeting WhatsApp users across multiple countries, including Israel. The company’s security teams, acting on user reports, identified and blocked a cluster of WhatsApp accounts impersonating technical support agents for major tech companies like AOL, Google, Yahoo, and Microsoft.

This sophisticated social engineering attack, attributed to the Iranian hacker group APT42 (also known as UNC788 and Mint Sandstorm), aimed at political and diplomatic officials, as well as other prominent figures connected to both the Biden and Trump administrations. The attack’s scope spanned individuals in Israel, the Palestinian Authority, Iran, the United States, and the United Kingdom.

APT42 is notorious for persistent phishing campaigns that rely on simple tactics to steal credentials for online accounts. The group has previously been linked to similar activity targeting Saudi military personnel, dissidents and human rights activists from Israel and Iran, and journalists worldwide. In this latest campaign, APT42's phishing attempts relied on fake technical support accounts, which users promptly reported.

APT42 is assessed by Mandiant to operate on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), and according to Cybernews, this group is known for deploying surveillance software that can record phone calls, steal text messages, and activate cameras and microphones without the user’s knowledge. Researchers following the group have linked APT42’s activities to broader efforts to infiltrate US presidential campaigns. This connection was highlighted by recent reports from Microsoft and Google, which also detailed Iranian attempts to interfere in the upcoming US presidential election.

Meta’s investigation into these reports revealed no evidence of account compromise at this time. However, out of caution and considering the high-profile nature of the targets, Meta has chosen to disclose these findings publicly. The company has also informed law enforcement and presidential campaigns to enhance vigilance against potential adversarial activities.

The ability of Meta's users to recognize and report these suspicious accounts played a crucial role in preventing further damage: the reported accounts were blocked before they could cause significant harm. In light of the upcoming U.S. elections and heightened security concerns, Meta is urging public figures, journalists, and political candidates to stay alert. Meta recommends using the available privacy and security settings, avoiding interactions with unknown contacts, and reporting any suspicious activity immediately.

This recent revelation underscores the importance of cybersecurity vigilance in an increasingly interconnected world, particularly for high-profile individuals and organizations.