The UK, via the National Cyber Security Centre (NCSC), has issued a new warning about the ongoing threat from spear-phishing attacks carried out by cyber actors working on behalf of the Iranian government.
In an advisory published with US partners, the NCSC – a part of GCHQ – has shared technical details about how cyber attackers working on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) are using social engineering techniques to gain access to victims’ personal and business accounts online.
The malicious activity is targeted against individuals with a nexus to Iranian and Middle Eastern affairs, such as current and former senior government officials, senior think tank personnel, journalists, activists and lobbyists.
The US has also observed targeting of persons associated with US political campaigns.
The NCSC advisory says the actors have often been observed impersonating contacts over email and messaging platforms, building a rapport with targets before soliciting them to share user credentials via a false email account login page. The actors can then gain access to victims’ accounts, exfiltrate and delete messages and set up email forwarding rules.
The NCSC believes this activity poses an ongoing threat to various sectors worldwide, including in the UK. To reduce the chances of compromise, individuals at risk are strongly advised to follow the mitigation steps in the advisory and to take up the NCSC’s dedicated support for high-risk individuals, including by signing up for free cyber defence services.
“The spear-phishing attacks undertaken by actors working on behalf of the Iranian government pose a persistent threat to individuals with a connection to Iranian and Middle Eastern affairs,” Paul Chichester, NCSC Director of Operations, said. “With our allies, we will continue to call out this malicious activity, which puts individuals’ personal and business accounts at risk, so they can take action to reduce their chances of falling victim.
“I strongly encourage those at higher risk to stay vigilant to suspicious contact and to take advantage of the NCSC’s free cyber defence tools to help protect themselves from compromise.”
The advisory says the attackers often obtain victims’ credentials by soliciting them to access a document via a hyperlink which redirects them to the false login page.
The actors are known to tailor their social engineering techniques to include areas of interest or relevance to their targets, with approaches including impersonation of family members, well-known journalists, discussion of foreign policy topics and invitations to conferences. In some cases, the actors might impersonate email service providers to obtain sensitive user security information.
The NCSC’s guidance for high-risk individuals helps people improve the security of their online accounts and personal devices, which continue to be attractive targets for attackers.
And individuals who face a higher risk of targeting due to their work or public status are eligible to sign up for two opt-in cyber defence services managed by the NCSC.
The Account Registration service alerts individuals if the NCSC becomes aware of a cyber incident impacting a personal account, while the Personal Internet Protection service helps prevent spear-phishing by blocking access to known malicious domains.
The spear-phishing activity detailed in the advisory is not targeted at the general public. For individuals worried about more generic phishing campaigns, the NCSC has published guidance to help spot the common signs of scams.
The advisory has been co-sealed by the NCSC, the US Federal Bureau of Investigation (FBI), the US Cyber National Mission Force (CNMF) and the US Department of the Treasury. It can be read on the FBI website here.
To read more NCSC news, click here.
