Threats Feed | TA453 | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 14/07/2022

Iranian APTs Exploit Media Sector for Credential Harvesting and Malware Delivery

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malware, Trojan, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact / High Probability

Threat Overview

This Proofpoint report details the escalating targeting of journalists and media organisations by state-sponsored advanced persistent threats (APTs). It describes how groups linked to China (TA412, TA459), North Korea (TA404), Iran (TA453, TA456, TA457) and Turkey (TA482) use a variety of methods, including phishing emails with malicious attachments or web beacons for reconnaissance and social media credential harvesting, to achieve their intelligence and propaganda goals. The report highlights the persistent nature of the threat, the variety of tactics used, and the importance of enhanced security measures for journalists to protect their sources and the integrity of their reporting. Ultimately, it aims to raise awareness of this specific cybersecurity threat and encourage proactive protection measures within the media sector.

Detected Targets

Type | Description | Confidence
Case | Mahsa Alimardani: a doctoral student at the University of Oxford's Oxford Internet Institute and a senior Information Control Fellow for the Open Technology Fund. She also works with the human rights organisation ARTICLE19 on their digital rights projects in Iran. Mahsa Alimardani has been targeted by TA453 as the main target. | Verified
Sector | Government Agencies and Services | Verified
Sector | Journalists | High
Sector | Energy | Verified
Sector | Media | Verified
Sector | Researchers | High
Region | Israel | Verified
Region | Saudi Arabia | Verified
Region | United States | Verified

Extracted IOCs

  • cyberclub[.]one
  • spot[.]live
  • amy.duncan.metro@outlook[.]com
  • victoria_.newton@outlook[.]com

Tip: 4 related IOCs (0 IP, 2 domain, 0 URL, 2 email, 0 file hash) to this threat have been found.

Overlaps

Lyceum: Lyceum Group Unveils Stealthy .NET DNS Backdoor in Middle East Campaign

Source: Zscaler - June 2022

Detection (one case): cyberclub[.]one

Lyceum: Lyceum's Multi-Dropper Cyber Attack Targets Israeli and Saudi Entities

Source: Check Point - March 2022

Detection (one case): cyberclub[.]one

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.