US, UK warn of Iran's Revolutionary Guard Corps using social engineering in cyberattacks

The UK’s National Cyber Security Centre (NCSC), in collaboration with US intelligence agencies, has issued a warning about ongoing cyber threats from actors working on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The threat actors are leveraging social engineering techniques, such as spear-phishing, to gain access to the online accounts of individuals involved in Middle Eastern affairs, international politics, and human rights advocacy.

Targeting government officials, political activists, journalists, and think tank experts, the attackers have been impersonating trusted contacts via email or messaging platforms. By building rapport, they trick victims into clicking on malicious links that lead to fraudulent login pages designed to steal their account credentials.

Notably, these attackers also attempt to defeat multi-factor authentication (MFA): having captured a password, they prompt the victim to hand over the one-time code via the messaging platform or to approve a phone notification. Because the fraudulent login page passes the victim's credentials and code on to the real service, victims believe they have signed in normally while the attacker's session is the one that gets authenticated.

Key indicators of compromise include:

  • Unauthorized logins from foreign IP addresses.

  • The creation of email forwarding rules to prevent victims from receiving notifications of suspicious activity.

  • The addition of unknown devices or accounts to the victim’s account.

  • Exfiltration and deletion of emails.

  • Attempts to gain access to additional victim accounts.
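The indicators above are all visible in mailbox audit logs if someone looks for them. The following is an added example, not part of the advisory or the article: a small triage routine that flags sign-ins from unexpected countries, inbox rules that forward mail to external domains or delete it, rules that divert security notices, newly added delegates, and bulk deletions, then reports users that trip more than one indicator class. The event shape, the operation names, the geo field (assumed to be added upstream by an IP-enrichment step) and all sample events are constructed for the example and do not follow any vendor's exact schema.

```python
"""Flag account-takeover indicators in mailbox audit events.

Added example. The JSON event shape, operation names and sample data are
constructed for illustration and are not any vendor's real schema or telemetry.
"""
from collections import defaultdict

# Constructed sample events: one compromised user, one benign user.
SAMPLE_EVENTS = [
    {"ts": "2024-09-01T08:02:11Z", "user": "analyst@think-tank.example",
     "op": "UserLoggedIn", "ip": "203.0.113.7", "country": "GB"},
    {"ts": "2024-09-01T22:14:05Z", "user": "analyst@think-tank.example",
     "op": "UserLoggedIn", "ip": "198.51.100.23", "country": "XX"},
    {"ts": "2024-09-01T22:16:40Z", "user": "analyst@think-tank.example",
     "op": "New-InboxRule", "ip": "198.51.100.23",
     "params": {"Name": "rule1", "ForwardTo": "collector@mail.example.net",
                "DeleteMessage": True}},
    {"ts": "2024-09-01T22:18:02Z", "user": "analyst@think-tank.example",
     "op": "New-InboxRule", "ip": "198.51.100.23",
     "params": {"Name": "security",
                "SubjectContainsWords": ["security alert", "new sign-in"],
                "MoveToFolder": "RSS Feeds"}},
    {"ts": "2024-09-01T22:20:19Z", "user": "analyst@think-tank.example",
     "op": "Add-MailboxPermission", "ip": "198.51.100.23",
     "params": {"User": "svc-backup@think-tank.example", "AccessRights": "FullAccess"}},
    {"ts": "2024-09-01T22:21:00Z", "user": "analyst@think-tank.example",
     "op": "HardDelete", "ip": "198.51.100.23", "count": 340},
    {"ts": "2024-09-02T09:00:00Z", "user": "editor@think-tank.example",
     "op": "New-InboxRule", "ip": "203.0.113.9",
     "params": {"Name": "newsletters", "From": "news@vendor.example",
                "MoveToFolder": "Newsletters"}},
]

INTERNAL_DOMAINS = {"think-tank.example"}          # assumption: the org's own domains
EXPECTED_COUNTRIES = {"GB", "US"}                  # assumption: where staff normally sign in
ALERT_WORDS = {"security", "sign-in", "password", "verification", "alert"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
DELEGATION_OPS = {"Add-MailboxPermission", "Add-MailboxDelegate", "RegisterDevice"}
MASS_DELETE_THRESHOLD = 100


def _addresses(value):
    """Normalise a forwarding parameter (string, list or None) to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_external(addr):
    """True when the address's domain is not one of ours."""
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def indicators_for(event):
    """Return the indicator names a single event trips (possibly none)."""
    hits = []
    op = event["op"]
    params = event.get("params", {})
    if op == "UserLoggedIn" and event.get("country") not in EXPECTED_COUNTRIES:
        hits.append("login_unexpected_geo")
    if op in RULE_OPS:
        if any(_is_external(a) for key in FORWARD_KEYS for a in _addresses(params.get(key))):
            hits.append("external_forwarding")
        if params.get("DeleteMessage"):
            hits.append("rule_deletes_mail")
        # A rule that matches security-notice subjects and moves or deletes them
        # is how the attacker keeps the victim from seeing "new sign-in" alerts.
        words = " ".join(params.get("SubjectContainsWords", [])).lower()
        if any(w in words for w in ALERT_WORDS) and ("MoveToFolder" in params or params.get("DeleteMessage")):
            hits.append("rule_hides_security_notices")
    if op in DELEGATION_OPS:
        hits.append("new_delegate_or_device")
    if op == "HardDelete" and event.get("count", 0) >= MASS_DELETE_THRESHOLD:
        hits.append("mass_deletion")
    return hits


def triage(events):
    """Map each user to the (timestamp, operation, indicator) hits against them."""
    per_user = defaultdict(list)
    for ev in events:
        for name in indicators_for(ev):
            per_user[ev["user"]].append((ev["ts"], ev["op"], name))
    return dict(per_user)


def suspicious_users(events, min_distinct=2):
    """Users tripping at least `min_distinct` different indicator classes.

    One class alone (a holiday sign-in, a legitimate delegate) is noisy;
    two or more in the same account is a strong takeover signal.
    """
    out = {}
    for user, hits in triage(events).items():
        classes = {name for _, _, name in hits}
        if len(classes) >= min_distinct:
            out[user] = sorted(classes)
    return out


if __name__ == "__main__":
    for user, classes in suspicious_users(SAMPLE_EVENTS).items():
        print(user, "->", ", ".join(classes))
```

In practice the events would come from the tenant's unified audit log export rather than an inline list, and the country field from a GeoIP step; the rule logic stays the same. The benign `editor@` rule (move a newsletter to a folder) trips nothing, which is the point of keying on forwarding targets, deletion and alert-subject matching rather than on rule creation alone.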

To counter social engineering and spoofing, the authoring agencies recommend several measures. Individuals should be wary of unsolicited contacts, especially ones that claim to be writing from a new account or phone number or that ask to share files through an unfamiliar channel, and should scrutinise emails with odd details such as pixelated images, unusual language or unfamiliar IP addresses. For enterprises, the agencies advise phishing-awareness training alongside technical controls: multi-factor authentication, anti-phishing mechanisms, and monitoring of mailbox configuration changes such as new forwarding rules. Email authentication protocols (SPF, DKIM and DMARC) should be implemented to prevent spoofing of the organisation's domains.
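SPF and DMARC only prevent spoofing when they are configured to enforce: an SPF record ending in `~all` or `+all` and a DMARC policy of `p=none` are monitor-only settings that still let spoofed mail through. The following is an added example, not from the advisory or the article: a grader that reads a domain's SPF and DMARC TXT records and reports the weak settings, with a constructed weak domain beside a constructed hardened one. The records and domain names are made up for the example; DKIM is not graded here because its key record lives under a per-sender selector that cannot be discovered from the domain alone.

```python
"""Grade SPF and DMARC records for weak, spoofable settings.

Added example. The TXT records below are constructed; in practice they would
come from a DNS TXT lookup of the domain and of _dmarc.<domain>.
"""
import re

# Constructed TXT records, keyed by domain, as a resolver would return them.
RECORDS = {
    "weak.example": {
        "weak.example": ["v=spf1 include:_spf.mailer.example ~all"],
        "_dmarc.weak.example": ["v=DMARC1; p=none; pct=100"],
    },
    "hardened.example": {
        "hardened.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
        "_dmarc.hardened.example": [
            "v=DMARC1; p=reject; sp=reject; pct=100; "
            "rua=mailto:dmarc@hardened.example; adkim=s; aspf=s"
        ],
    },
    "nodmarc.example": {
        "nodmarc.example": ["v=spf1 +all"],
    },
}

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record):
    """Return (qualifier of the 'all' mechanism or None, DNS lookup count)."""
    all_qualifier = None
    lookups = 0
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        name = re.split(r"[:/=]", mech, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    return all_qualifier, lookups


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-case tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade(domain, txt):
    """Return finding codes for the domain; an empty list means no weak settings."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("spf_missing")
    elif len(spf) > 1:
        findings.append("spf_multiple")      # more than one SPF record is a permerror
    else:
        qualifier, lookups = parse_spf(spf[0])
        if qualifier in (None, "+", "?"):
            findings.append("spf_permissive")    # anyone may send as this domain
        elif qualifier == "~":
            findings.append("spf_softfail")      # receivers usually still deliver
        if lookups > MAX_LOOKUPS:
            findings.append("spf_too_many_lookups")

    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("dmarc_missing")
        return findings
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("dmarc_p_none")          # monitor only, nothing is blocked
    elif policy == "quarantine":
        findings.append("dmarc_p_quarantine")    # acceptable step towards reject
    if "rua" not in tags:
        findings.append("dmarc_no_rua")          # no aggregate reports to review
    if int(tags.get("pct", "100")) < 100:
        findings.append("dmarc_partial_pct")     # policy applied to only part of traffic
    return findings


def grade_domain(domain):
    """Convenience wrapper over the constructed RECORDS table."""
    return grade(domain, RECORDS[domain])


if __name__ == "__main__":
    for name in RECORDS:
        print(name, "->", grade_domain(name) or "no weak settings found")
```

The hardened record pins the sending ranges, fails everything else (`-all`), rejects on DMARC failure for the domain and its subdomains, and names an aggregate-report address so the owner can see who is sending as the domain before and after enforcement. Moving from `p=none` to `p=reject` should be done after reviewing those reports, otherwise legitimate third-party senders that were never added to SPF or signed with DKIM will start being rejected.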
