WhatsApp blocks Iranian social engineering attempt targeting global officials

As part of regular updates on threat disruption efforts, Meta has shared recent insights into a cluster of likely social engineering activity on WhatsApp that its security teams blocked after investigating user reports. The malicious activity originated in Iran and targeted individuals in Israel, Palestine, Iran, the United States, and the UK. It appeared to focus on political and diplomatic officials and other public figures, including some associated with the administrations of President Biden and former President Trump.

The investigation linked this activity to APT42 (also known as UNC788 and Mint Sandstorm), an Iranian threat actor known for persistent adversarial campaigns using basic phishing tactics across the internet to steal credentials to online accounts. Previous threat research related to APT42 has shown targeting of people in the Middle East, including Saudi military personnel, dissidents and human rights activists from Israel and Iran, US politicians, and Iran-focused academics, activists, and journalists globally.

The accounts involved posed as technical support for AOL, Google, Yahoo, and Microsoft. Some targets reported the suspicious messages to WhatsApp using its in-app reporting tools. Those reports enabled an investigation into this latest campaign and linked it to the same hacking group responsible for similar attempts aimed at political, military, and diplomatic officials, as reported by industry peers at Microsoft and Google.

"The vigilance of these users to report the messages to us suggests that these efforts were unsuccessful," said a spokesperson. "We have not seen evidence that their accounts were compromised." Those who reported were encouraged to take steps to ensure their online accounts are safe across the internet. Given the heightened threat environment ahead of the US election, information about this malicious activity was also shared with law enforcement and presidential campaigns.

Monitoring continues based on information from industry peers, internal investigations, and user reports. Actions will be taken if further attempts by malicious actors are detected. Public figures, journalists, political candidates, and campaigns are strongly encouraged to remain vigilant by taking advantage of privacy settings, avoiding engagement with unknown messages, and reporting suspicious activity.

Cyber espionage actors typically target individuals across the internet to collect intelligence or manipulate them into revealing information or compromising their devices. Disrupting these operations involves taking down their accounts, blocking their domains from being shared on platforms like WhatsApp, and notifying those believed to be targeted by such groups.

Learn more about ongoing threat disruption efforts.

###