Actions against malicious accounts in Iran

As part of our regular updates on notable efforts to disrupt threats, we share our latest findings on a small cluster of likely social engineering activities on WhatsApp that our security teams blocked after investigating user reports. This malicious activity originated in Iran and targeted individuals in Israel, Palestine, Iran, the United States, and the United Kingdom. These efforts appear to have focused on political and diplomatic officials and other public figures, including some associated with the administrations of President Biden and former President Trump.

Our investigation has linked the attack to APT42 (also known as UNC788 and Mint Sandstorm), an Iranian threat actor known for its persistent attack campaigns that use simple web phishing tactics to steal credentials for users' online accounts. We have already shared our threat research on APT42 targeting people in the Middle East, including the Saudi military, dissidents and human rights activists from Israel and Iran, politicians in the United States, and Iran-focused academics, activists, and journalists around the world.

These accounts posed as technical support for AOL, Google, Yahoo, and Microsoft. Some of the individuals targeted by APT42 reported these suspicious messages to WhatsApp using our in-app reporting tools. These reported messages allowed us to investigate this recent campaign and link it to the same hacker group responsible for similar attacks on political, military, diplomatic, and other officials, as our industry colleagues at Microsoft and Google.

The vigilance of these users who reported the messages to us suggests that these efforts were unsuccessful. We have seen no evidence that their accounts were compromised. We have encouraged those who have informed us of this activity to take steps to ensure that their online accounts are secure. Out of an abundance of caution and given the heightened threat environment ahead of the U.S. election, we have also shared information about this malicious activity with law enforcement and with presidential campaigns to encourage them to remain cautious of potential hostile attacks.

We continue to monitor information from our industry colleagues, our own research, and user reports, and will take action if we see further attempts by malicious actors to attack people through our apps. We strongly encourage public figures, journalists, political candidates, and campaigns to stay alert, use privacy and security settings, avoid responding to messages from people they don't know, and report suspicious activities to us.

As a reminder, cyber espionage actors typically target individuals online to collect information, manipulate them into revealing information, and compromise their devices and accounts. When we disrupt these operations, we lock their accounts, block their domains from sharing on our platform, and notify individuals we believe have been targeted by these malicious groups. Learn more about our efforts to disrupt threats.
