The Iranian state-sponsored hacker group known as APT42 is impersonating well-known news outlets and think tanks to target journalists, researchers and activists in Western countries and the Middle East, researchers say.

For example, in a campaign that started in 2021 and is still ongoing, the hackers masqueraded as The Washington Post, The Economist and The Jerusalem Post to harvest login credentials from anyone who clicked on fake website links, according to research released this week by Google-owned Mandiant. APT42’s primary goal is espionage.

“The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders,” Mandiant said.

In its operations, APT42 often uses typosquatting — or acquiring web domains that look real but might have a small error or alteration — to create malicious links that redirect recipients to fake Google login pages, according to the report. An example would be “washinqtonpost[.]press” — note the "q" in the name.

In 2023, the threat actor reportedly pretended to be a senior fellow with the U.K. think tank the Royal United Services Institute (RUSI) while attempting to spread malware to a nuclear security expert at a U.S.-based think tank focused on foreign affairs.

In its new report, Mandiant analyzed the social engineering techniques APT42 used to gain access to victims' networks, including cloud environments.

In addition to impersonating news media, the group also masquerades as U.S. research organizations, including the Aspen Institute and the Washington Institute, Mandiant said. The researchers did not observe APT42 targeting or compromising these organizations — the hackers merely impersonated them.

The hackers also posed as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver malicious invitations to conferences or legitimate documents. 

Between 2022 and 2023, Mandiant also observed APT42 exfiltrating documents and sensitive information from victims’ public cloud infrastructure, such as the Microsoft 365 environment. These attacks targeted U.S. and the U.K. legal services companies and nonprofits.

Researchers say APT42 overlaps with other Iran-linked operations labeled TA453, Charming Kitten and Mint Sandstorm.