Hackers tied to the Iranian government have been targeting individuals specializing in Middle Eastern affairs, nuclear security, and genome research as part of a new social engineering campaign designed to hunt for sensitive information.
Enterprise security firm Proofpoint attributed the targeted attacks to a threat actor named TA453, which broadly overlaps with cyber activities monitored under the monikers APT42, Charming Kitten, and Phosphorus.
It all starts with a phishing email impersonating legitimate individuals at Western foreign policy research organizations that’s ultimately designed to gather intelligence on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC).
The sock puppet accounts include people from Pew Research Centre, the Foreign Policy Research Institute (FRPI), the U.K.’s Chatham House, and the scientific journal Nature. The technique is said to have been deployed in mid-June 2022.
However, what differentiates this from other phishing attacks is the use of a tactic Proofpoint calls Multi-Persona Impersonation (MPI), wherein the threat actor employs not one but several actor-controlled personas in the same email conversation to bolster the chances of success.
images from Hacker News