"Iran-Linked Cyberspies Expand Targeting to Medical Researchers, Travel Agencies"

Over the last two years, a cyberespionage group with ties to Iran's Islamic Revolutionary Guard Corps (IRGC) has been observed attacking new targets, including medical researchers, an aerospace engineer, and even a Florida-based realtor. TA453, also known as Phosphorus, Charming Kitten, and APT42, has a history of targeting Middle Eastern academics, policymakers, journalists, and dissidents. However, recent changes in its targeting and tactics suggest that the group has shifted its operations to support the IRGC's intelligence needs. According to Sherrod DeGrippo, Vice President of Threat Research and Detection at Proofpoint, the group is going after new targets with new techniques and more hostile intent, which provides insight into the goals of the IRGC and the flexible mandate under which TA453 operates.

Proofpoint said it began to notice differences in TA453's targeting in late 2020, when the group was observed using credential harvesting attacks on senior professionals at various medical research organizations in the US and Israel. Most of the targets had genetics, oncology, and neurology backgrounds. Proofpoint researchers discovered spear phishing attacks targeting women's and gender studies scholars at different North American universities in July and August 2021. Around the same time, the group targeted multiple Iranian travel agencies operating out of Tehran with a credential harvesting operation, most likely to collect information about Iranians' movements outside of Iran. A February 2022 attack on a Florida-based realtor involved in the sale of multiple homes near the headquarters of US Central Command (CENTCOM) was another departure from the group's usual targets. CENTCOM is the US Combatant Command in charge of military operations in the Middle East.

In addition to the shift in targeting, Proofpoint researchers stated that TA453 has recently adopted new techniques. For example, the group previously created email accounts and used them to send phishing emails to potential victims, but has recently begun targeting individuals using compromised accounts. This article continues to discuss changes in TA453's targets and tactics.

The Record reports "Iran-Linked Cyberspies Expand Targeting to Medical Researchers, Travel Agencies"
