
US and UK Warn on Iranian Social Engineering Attacks

US has observed targeting of persons associated with US political campaigns.

The UK’s National Cyber Security Centre (NCSC) and US agencies have issued a joint alert about spear-phishing attacks carried out by cyber actors working on behalf of the Iranian government.

In the advisory, co-signed with the FBI, US Cyber National Mission Force (CNMF) and the US Department of the Treasury, the NCSC warned that cyber attackers working on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) are using social engineering techniques to gain access to victims’ personal and business accounts online.

Targeting Senior Individuals

In particular, individuals with a nexus to Iranian and Middle Eastern affairs, such as current and former senior government officials, senior think tank personnel, journalists, activists and lobbyists, are being targeted.

The US has also observed targeting of persons associated with US political campaigns. 

Typically, the attackers use social engineering techniques on email or messaging platforms, often impersonating professional contacts or known email service providers to solicit sensitive user security information.

The advisory said the actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials. Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications in a way that permits the cyber actors access.

Once access is gained to accounts, messages are exfiltrated and deleted, and email forwarding rules are set up.

Paul Chichester, director of operations at the NCSC, said: “The spear-phishing attacks undertaken by actors working on behalf of the Iranian government pose a persistent threat to individuals with a connection to Iranian and Middle Eastern affairs.

“I strongly encourage those at higher risk to stay vigilant to suspicious contact and to take advantage of the NCSC’s free cyber defence tools to help protect themselves from compromise.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
