September 16, 2022

Attackers who build trust target universities

This month security firm Mandiant published a blog post and threat intelligence report about a state-sponsored Advanced Persistent Threat (APT) group known as APT42. Formerly known as UNC788, APT42 is said to be a “prolific and well-resourced threat actor” that has used credential harvesting, surveillance operations, and malware distribution to target over 30 organizations of interest to the Iranian government since 2015. The group has focused their attacks on academic institutions, non-profits, governments, healthcare, legal, manufacturing, media, and pharmaceutical organizations in at least 14 countries, including the United States.

The group stands out from other APTs because of their apparent patience in carrying out attacks. According to Mandiant:

“APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with their victims in order to access their personal or corporate email accounts or to install Android malware on their mobile devices.”

Actors in this group will email potential victims pretending to be a journalist or researcher, for instance, and they will then engage in email conversations for days or weeks before sending a malicious phishing link. Once they use that link to harvest their target’s username and password, they may email colleagues, acquaintances or relatives of the initial victim and continue to gather user credentials, spread malware, and conduct surveillance. Read Mandiant’s report to find out more about the steps taken by this group to compromise accounts, approach victims, establish trust, harvest credentials, and cover their tracks.

Things to do

What can you do to protect your personal information and university data from social engineering attacks and spear phishing?

  1. Know that it can be difficult to spot these types of attacks. Treat email, text, social media and phone messages with skepticism, even if they appear to be from someone you know. Review the examples in the OIS phishing training listed under Resources, but know that because attackers continually adapt their tactics, they may try to lure you in with bait that’s made just for you.
  2. Treat all email messages and texts with links and attachments as if they contain malicious content, until and unless you can verify otherwise. Double-check the sender address (including any Reply-To address that differs from it) and hover over links to inspect the URL before clicking. If you’re in doubt about the legitimacy of a message, report it to your IT support staff or to help@uw.edu.
  3. Enable two-factor authentication for all of your accounts, including email, social media and any accounts used to access personal and UW institutional data. More information about Duo, the UW’s 2-factor authentication service, can be found on IT Connect.
  4. Update your UW NetID password and make it a strong one. Never reuse your UW NetID password on other accounts, and consider using a password manager.
  5. Review the OIS Securing Laptops Risk Advisory for tips on how to secure data on devices, including encrypting the device, keeping it updated and patched, and separating user and administrative accounts.
  6. Use antivirus software, keep it up to date and check from time to time to make sure it’s running. Sophos antivirus software is available for all UW staff, including for use on home computers.
  7. Be aware that information you share on the internet and social media may be used in various ways by attackers to target you.
  8. Change your password immediately if you suspect that you’ve been targeted for spear phishing. If you’re tricked by an attacker into giving up your UW credentials, UW data, or into downloading malicious software, report it to security@uw.edu and to your IT support staff.
  9. Report phishing by forwarding the email as an attachment to help@uw.edu. Report spear phishing scams that specifically target UW individuals or groups to security@uw.edu.
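For IT support staff who triage reported messages, the two checks in step 2 (does the sender address line up with the Reply-To, and does each link's visible text point where its href actually goes?) can be automated on a raw .eml file. The script below is an added example for this article, not code from Mandiant or the Office of Information Security; the sample message it inspects, including the journalist persona, its domains and the punycode (xn--) lookalike host, is constructed for illustration and does not correspond to any real campaign.

```python
"""Flag sender and link inconsistencies in a raw email message.

Added example for this advisory (not OIS or Mandiant code). The message
below is constructed; every domain in it is a placeholder.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: From and Reply-To domains differ, and the first link's
# visible text shows one host while the href goes to a punycode lookalike.
SAMPLE_EML = b"""From: "Jane Reporter" <jane.reporter@news-example.com>
Reply-To: jane.reporter@news-example-mail.net
To: professor@uw.edu
Subject: Follow-up on our interview questions
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Thanks again for your time. The questions we discussed are here:</p>
<p><a href="https://uw-edu.xn--login-example.com/documents">https://uw.edu/documents/interview-questions</a></p>
<p><a href="https://news-example.com/about">About us</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def inspect_message(raw_bytes):
    """Return a list of finding tuples; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # Check 1: Reply-To domain differs from From domain.
    from_domain = msg["From"].addresses[0].domain.lower()
    reply_to = msg["Reply-To"]
    if reply_to is not None:
        rt_domain = reply_to.addresses[0].domain.lower()
        if rt_domain != from_domain:
            findings.append(("reply-to-mismatch", from_domain, rt_domain))

    # Check 2: link text that looks like a URL but resolves to another host,
    # plus any punycode label, which often hides a lookalike domain.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = host_of(href)
            if "xn--" in href_host:
                findings.append(("punycode-host", href_host))
            if "://" in text or text.startswith("www."):
                text_host = host_of(text)
                if text_host != href_host:
                    findings.append(("link-text-mismatch", text_host, href_host))
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_EML):
        print(" ".join(finding))
```

Run it against the saved .eml instead of `SAMPLE_EML` to triage a reported message; any `link-text-mismatch` or `punycode-host` finding is exactly what hovering over the link would have revealed, and a `reply-to-mismatch` means replies go somewhere other than the apparent sender.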

Resources

Mandiant: APT42: Crooked Charms, Cons, and Compromises blog post and report

Office of Information Security:

Spear Phishing Risk Advisory

Securing Laptops Risk Advisory

Phishing Examples

Phishing online training

Mitre ATT&CK knowledge base:

APTs and other Groups

Credential access

Phishing

More Articles