An Iranian hacking group, known as TA453, is expanding its cyberespionage operations to new targets, and utilizing new methods to gain access to its victims’ accounts and systems. The US Justice Department and other researchers have linked TA453 to the Islamic Revolutionary Guard Corps (IRGC) of Iran. TA453 also overlaps with other publicly known groups aligned with the Iranian government, including Charming Kitten, Phosphorus, and APT42. The group previously focused its global operations on academics, journalists, researchers, human rights activists, dissidents, and diplomats with a focus on the Middle East. However, according to recent reporting by a private cybersecurity firm, in the past two years TA453 has expanded its target list to medical researchers, US diplomats, a realtor operating near the US military’s CENTCOM headquarters in Florida, travel agencies, and an aerospace engineer. These new targets are possibly linked to more aggressive behavior from the IRGC and could continue to expand depending on IRGC requirements.
TA453 typically uses phishing emails and web beacons to gain access to the victim’s credentials and email inbox over time. The group will create an email account that appears related to the target. After exchanging a series of benign messages, the hacker will attempt to exploit the victim through a malicious link. The malicious link may be sent in the initial email or after weeks of communication. If the link is opened, the attackers will be able to access the victim’s email inbox and recover contents from their messages.
The group has started using new techniques to avoid typical security measures that screen phishing emails. Instead of creating fake accounts, the attacker will use a compromised account, adding authenticity to the phishing attempt. In 2021, the press secretary of a US government official who publicly commented on the Joint Comprehensive Plan of Action (JCPOA) nuclear deal negotiations was targeted by a phishing email sent by the compromised account of a local Iranian reporter.
According to the recent report, TA453 is also utilizing so-called “Multi-Person Impersonation (MPI)” to deliver phishing emails. The first campaign was reported in June 2022, when hackers impersonated Aaron Stein, the director of research at the Foreign Policy Research Institute (FPRI). The victim received an email from an account impersonating Stein, starting a conversation about Israel, the Gulf States, and the Abraham Accords. Another imposter account, for Richard Wike, a director at Pew Research Center, was also included in the CC line. An email from the fake Wike account was sent the next day in order to solicit a response and make the initial request appear more authentic. While no malicious links or documents were discovered in this instance, TA453 has used similar methods to send malicious OneDrive links and documents.
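The two lure patterns described above (a second persona CC'd to lend credibility, and web beacons that confirm the message was opened) can be surfaced by a simple mail-triage check. The following is an added illustration, not code from the report or from Crisis24; the message, domains and address book are constructed, and only the impersonated display names come from the article.

```python
import email
import re
from email import policy

# Constructed sample message: a conversation-style lure with a second persona in
# CC and a 1x1 remote image (web beacon) in the HTML body. All addresses and
# domains are invented for this example.
SAMPLE_EML = b"""From: "Aaron Stein" <aaron.stein@fpri-research.example>
To: target@university.example
Cc: "Richard Wike" <r.wike@pew-center.example>
Subject: Re: Abraham Accords panel
Content-Type: text/html; charset="utf-8"

<html><body><p>Following up on our exchange.</p>
<img src="https://track.example/px.gif?id=123" width="1" height="1">
</body></html>
"""

# Hypothetical address book: the addresses already on record for these display
# names (constructed values). A known name arriving from a different address is
# the display-name impersonation pattern the article describes.
KNOWN_CONTACTS = {
    "aaron stein": "astein@fpri.example",
    "richard wike": "rwike@pewresearch.example",
}

# Remote <img> with a 1-pixel dimension: the classic open-tracking beacon.
BEACON_RE = re.compile(
    r'<img[^>]+src="(https?://[^"]+)"[^>]*?(?:width="1"|height="1")', re.I)


def analyse_message(raw: bytes) -> dict:
    """Return defender-side indicators for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"impersonated": [], "beacons": []}
    # Check every participant in From and Cc, since the second persona in an MPI
    # lure is typically only CC'd.
    for hdr in ("From", "Cc"):
        if msg[hdr] is None:
            continue
        for addr in msg[hdr].addresses:
            known = KNOWN_CONTACTS.get(addr.display_name.strip().lower())
            if known and known.lower() != addr.addr_spec.lower():
                findings["impersonated"].append(
                    (addr.display_name, addr.addr_spec, known))
    # A remote 1x1 image reports the open time and client IP back to the sender.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings["beacons"] = BEACON_RE.findall(body.get_content())
    return findings
```

A message that trips either indicator is a candidate for quarantine and out-of-band confirmation with the real contact, which is the countermeasure a benign-looking opening exchange is designed to defeat.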
The group is also known to use a more aggressive persona to pressure the target into responding to malicious emails. In 2022, a persona named “Samantha Wolf” was used to target an energy company in the Middle East. Later in the year, the Wolf persona began sending complaint-themed emails to an academic based in the US along with senior US and European government officials. When targeting the academic, “Wolf” sent an email claiming the victim had caused an accident with her car and demanded they fix the problem. The attackers then sent malware-infected documents to install backdoors on the victim’s system and enable future exploitation.
The malicious documents sent to the academic were infected with the GhostEcho (CharmPower) malware. GhostEcho is a first-stage malware that is used to deliver additional capabilities and create a backdoor in the target’s system. TA453 is also suspected of attempting to infect various diplomatic missions in Tehran and women’s rights advocates with GhostEcho. The group was not previously known for using malware and, while it is unclear whether they have utilized GhostEcho in follow-up attacks, it indicates that their techniques are changing along with their targets.
The evolution of TA453’s targets and capabilities is likely to continue over the coming months. Their operations will continue to be driven by the IRGC and its requirements. Any escalation of tensions, particularly regarding Iran’s nuclear program, between Iran and the US, and their allies, could result in additional MPI attacks and phishing attempts on government officials, journalists, and academics associated with negotiations. TA453 will also likely continue to evolve its MPI capabilities to deliver malware into its victims’ systems, including targets coordinated with the IRGC. These attacks are more complex and difficult to detect, increasing the risk of victims opening themselves up to exploitation. TA453 will probably expand their use of malware and may use it for more disruptive follow-on attacks. Activists, academics, and other groups or individuals deemed a threat by the IRGC may become targets of these types of cyber operations.
Author(s)
Joe Dvorak
Intelligence Manager, Africa
Joe Dvorak is a Singapore-based Intelligence Manager in charge of monitoring global and regional source feeds for alertable events; coordinating and facilitating intelligence sharing within the...