Iran’s Counterintelligence Operations Caught in Eagle Eyes

Mandiant has released details of a suspected counterintelligence operation linked to Iran. Counterintelligence operations are intended to prevent the leakage of classified information from national territory and disrupt enemy intelligence activities.

The counterintelligence operation disclosed by Mandiant aims to collect data on Iranians who may be working with foreign intelligence and security agencies, including Israel’s, and on threats that could undermine stability within Iran. The data collected through this campaign could be used by Iranian intelligence agencies to identify individuals who are working with Iran’s enemies. This data could also be used to identify human intelligence (HUMINT) operations against Iran and to suppress Iranians suspected of being involved in such operations. This could include Iranian dissidents, activists, human rights defenders, and native Persian speakers living in and outside Iran.

Based on the tactics, techniques, and procedures (TTPs), themes, and targets of this campaign, Mandiant assesses that this campaign was likely conducted covertly by the Iranian regime. We also observed several similarities between this campaign and APT42, an Iran-linked threat actor believed to be operating on behalf of the IRGC Intelligence Organization (IRGC-IO). The activity in this campaign is consistent with previous surveillance by the IRGC and APT42 targeting domestic threat actors and individuals of interest to the Iranian government. Despite the APT42 affiliation, Mandiant was unable to confirm any link between this activity and previously reported US election-related targeting activity by the Threat Analysis Group.

The campaign was conducted through a network of over 35 fake recruitment websites that used multiple social media accounts. The fake recruitment websites featured job postings and Israel-related lures. For example, they contained extensive Persian-spoofed content, such as images of Israeli heads of state, high-tech offices, and major city landmarks. Upon visiting the websites, the targets were asked to enter personal information, as well as their professional and academic backgrounds. This sensitive information was then immediately captured by the attackers.

This counterintelligence operation began at least as early as 2017 and continued until March 2024. Similar campaigns have been conducted in the past in Arabic, targeting individuals associated with Syrian and Hezbollah intelligence and security agencies. This suggests that Iran’s counterintelligence efforts may extend beyond its own intelligence and security agencies to support its allies in Syria and Lebanon.

Mandiant has worked to block and disrupt this activity, terminate the threat actor’s accounts, and take steps to protect Chrome users and other browser users.