Iranian Hacking Scheme Uncovered

By Christopher Bing

(Reuters) – An Iranian hacking group disguised as a professional recruiting business to trap national security officials from Iran, Syria, and Lebanon, according to new research by U.S. cybersecurity firm Mandiant, part of Alphabet (NASDAQ:GOOGL)’s Google Cloud.

Researchers indicated that the hackers are loosely affiliated with a group known as APT42, or Charming Kitten, which has been linked to the Iranian Revolutionary Guard. This group has been accused of hacking into Donald Trump’s presidential campaign, and the FBI is currently investigating APT42 for potential interference in the 2024 U.S. elections.

The operation, uncovered by Mandiant, has been active since at least 2017, disguising itself occasionally to appear controlled by Israelis. Analysts believe the aim was to identify individuals in the Middle East willing to sell secrets to Israel and Western powers, primarily targeting military and intelligence personnel linked to Iranian allies.

Mandiant’s report states, “The data collected may enhance the Iranian intelligence apparatus in uncovering individuals interested in collaborating with Iran’s adversaries and could be used to identify HUMINT operations against Iran, as well as to persecute suspected collaborators.”

Iran’s U.N. mission did not respond to requests for comments.

Mandiant discovered that the hackers operated a network of fake human resources websites to manipulate Farsi speakers, including VIP Human Solutions and Kandovan HR, among others. They used numerous fake online profiles across platforms like Telegram, Twitter, YouTube, and the Iranian social media site Virasty to promote their front companies. Most associated internet accounts have since been taken down.

One website claimed, “VIP Recruitment is a center for recruiting respected military personnel into the army, security services, and intelligence from Syria and Hezbollah, Lebanon. Join us to help each other impact the world. Our duty is to protect your privacy.”

Using various social media strategies, the hackers cast a wide net with their recruitment scheme. It’s uncertain how many targets were deceived, but Mandiant noted that the collected data, including addresses and contact information, could still be exploited in the future.