UK on high alert over Iranian spear-phishing attacks, says NCSC

The UK’s National Cyber Security Centre (NCSC) and American agencies including the FBI and the Department of the Treasury have issued a joint alert concerning the threat posed by increasing volumes of targeted spear-phishing attacks being carried out by threat actors backed by the Iranian government.

In recent weeks, advanced persistent threat (APT) groups working for Iran’s Islamic Revolutionary Guard Corps (IRGC) have been observed targeting individuals of interest to the hardline state, in particular individuals working in areas pertaining to Middle Eastern affairs.

Those targeted in the UK are known to have included current and former government officials, think tank personnel, journalist, activists, and lobbyists. In the US, political campaign staffers have also been on the receiving end of such attacks.

The Iranian attackers are using relatively run-of-the-mill social engineering techniques in order to gain their victims’ trust, including impersonating trusted contacts – ranging from colleagues and peers to known journalists and even family members – over email and messaging platforms and using these sockpuppets to build a rapport using lures such as discussions of relevant topics, such as the war in Gaza, or invitations to conferences.

The ultimate goal of the campaign is to solicit the intended target to share to share their email user credentials using forged email account logon pages. Once access has been gained in this way, the threat actors have full access to their victims’ email accounts and can exfiltrate and delete messages at will, or set up rules to forward incoming email to inboxes that they control.

“The spear-phishing attacks undertaken by actors working on behalf of the Iranian government pose a persistent threat to individuals with a connection to Iranian and Middle Eastern affairs,” said NCSC operations director Paul Chichester.

“With our allies, we will continue to call out this malicious activity, which puts individuals’ personal and business accounts at risk, so they can take action to reduce their chances of falling victim.

“I strongly encourage those at higher risk to stay vigilant to suspicious contact and to take advantage of the NCSC’s free cyber defence tools to help protect themselves from compromise.”

The NCSC said the activity posed an ongoing threat across multiple sectors, and is advising people who may be at risk to follow the mitigation steps in the full advisory, which in essence amount to the same steps any reasonable person should be taking in general, such as being suspicious of unsolicited contacts, inbound links and files, strange requests or alerts via online services, shortened URLs, and strange spelling or grammar use.

Additionally, the NCSC offers guidance for high-risk individuals on protecting themselves online, while those at extreme risk of targeting may be eligible for the NCSC’s Account Registration service, which monitors incidents impacting personal accounts, and the Personal Internet Protection service, which blocks access to known malicious domains.

The NCSC stressed that ordinary members of the public most likely do not need to be overly concerned by the activity, although its advice is always worth taking in general.

Indictment over Trump hack-and-leak campaign

At the same time, the US Department of Justice (DoJ) has today (Friday 27 September) unsealed an indictment against three known IRGC employees, named as Masoud Jalili, Seyyed Ali Aghamiri, and Yaser Balaghi, charging them with alleged involvement in a conspiracy to hack into the accounts of current and former US officials, journalists, NGOs, and political campaign staff.

Their suspected activity dates back as far as 2020, but the indictment most significantly accuses the three men of conducting a hack-and-leak operation in which they sought to weaponise material stolen from ‘Presidential Campaign 1’ – widely known to be the Republican campaign although not identified as such by the DoJ – and attempting to leak it to others associated with ‘Presidential Campaign 2’ – at the time of the initial operation in May this would have been the Democratic campaign prior to the withdrawal of president Joe Biden over the summer.

“The Justice Department is working relentlessly to uncover and counter Iran’s cyberattacks aimed at stoking discord, undermining confidence in our democratic institutions, and influencing our elections,” said US attorney general Merrick Garland. “The American people – not Iran, or any other foreign power – will decide the outcome of our country’s elections.”

FBI director Christopher Wray added: “Today’s charges represent the culmination of a thorough and long-running FBI investigation that has resulted in the indictment of three Iranian nationals for their roles in a wide-ranging hacking campaign sponsored by the government of Iran.

“The conduct laid out in the indictment is just the latest example of Iran’s brazen behaviour. So today the FBI would like to send a message to the government of Iran – you and your hackers can’t hide behind your keyboards.”