Phishing: Attacks against journalists and human rights activists

In some cases, the attackers could access emails and cloud storage. (Source: IMAGO / imagebroker)

At least 20 human rights activists, researchers, diplomats and politicians have been targeted in a phishing campaign, reports Human Rights Watch (HRW). The organisation attributes the attacks to a group with ties to the Iranian regime. In three cases, personal data was stolen.

According to Human Rights Watch, two of the organisation's own staff members were among the targets of the phishing campaign. One of them, who is responsible at HRW for coverage of the Middle East and North Africa, received a suspicious message on WhatsApp in October. The attackers pretended to work for a think tank in Lebanon and invited the person to a conference. The message looked like previous invitations from the think tank.

Additionally, another staff member of the human rights organisation received the same message at the end of November.

In response, the IT security team of Human Rights Watch examined the messages together with the Security Lab of Amnesty International and was able to identify other affected parties. According to HRW, these included renowned activists, media representatives, academics, diplomats and politicians, all of whom work on topics related to the Middle East.

The messages included links leading to fake login pages for Microsoft, Google and Yahoo services.

Access to emails

In at least three cases, the attacks were successful and sensitive data was compromised, reports HRW. Those affected included correspondents of a “major US newspaper”, a women’s rights activist based in the Gulf region, and Nicholas Noe, a consultant for the relief organisation Refugees International in Lebanon.

The attackers reportedly had access to the emails of those affected, as well as to their cloud storage, calendars and address books. Moreover, in at least one case, Google Takeout was used. Google Takeout allows users to download the data from their account, including internet searches, data from Google Maps and YouTube activity.

The affected parties did not notice that their Google accounts had been compromised until they were informed by HRW and Amnesty International.

Iranian group said to be behind the attacks

IT security specialists attribute the phishing attacks to a group called “APT42”. Google and other IT security companies have repeatedly linked the group to the Iranian regime in the past. Security researchers at Mandiant, for example, first reported in September that “APT42” was working on behalf of the Islamic Revolutionary Guard Corps.

According to security researchers, the group has frequently attacked email accounts through targeted and personalised phishing campaigns that focus on gaining the trust of the targeted person. The group reportedly also used surveillance software for espionage.

In September, the USA imposed sanctions against individuals involved with the group.

According to Human Rights Watch, Iranian actors have repeatedly targeted members of other governments, as well as political dissidents, human rights activists and military personnel, since as early as 2010.

Abir Ghattas, Information Security Director for HRW, explains that state-backed groups from Iran use sophisticated tactics to “access sensitive information and contacts held by Middle East-focused researchers and civil society groups”. This greatly increases the risk for journalists and human rights activists in the region.

Human rights activists and journalists are repeatedly targets of espionage in other countries as well. In 2020, for example, Amnesty International reported on phishing campaigns against Uzbek human rights activists. A staff member of HRW was spied on with the surveillance software Pegasus in the past year. Dozens of such cases have come to light worldwide.

Protests in Iran

Demonstrations against the regime have been taking place in Iran for months. The catalyst was the death of Mahsa Amini, a 22-year-old who was arrested in September by the so-called morality police.

In many places, security forces are using violence against protestors. According to human rights organisations, more than 470 people have been killed at the protests and at least 18,000 protestors have been arrested. At least one person was sentenced to death in connection with the protests.

According to media reports, shopkeepers in many Iranian cities have joined a three-day general strike since Monday. This is intended to put economic pressure on the regime. (js)