As a human rights organization investigating abusive authorities around the world, we know we’re a target for government hackers. Our security teams spend a lot of time and effort to keep our information, our staff, and our sources safe.
Working together with Amnesty International’s security people, we just exposed another attack on us and others, this one by Iran.
Here’s how it happened…
In October 2022, an HRW staff member working on the Middle East and North Africa region received an invitation to a conference via WhatsApp. There’s nothing unusual in that; we’re often asked to speak at such events. This one was (supposedly) from a think tank in Lebanon.
But there was something a bit suspicious about the messages, so our experts took a deeper look.
Our joint investigation with Amnesty International revealed that the links in the WhatsApp message were phishing links. Once clicked, a link would direct the target to a fake login page that captured the user’s email password and authentication code.
The research team investigated the infrastructure that hosted the malicious links and identified additional targets of this ongoing campaign – high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East issues.
In all, 20 people have received a similar message since September, including a second HRW staff member.
Our research attributes this phishing attack to an entity affiliated with the Iranian government known as APT42, which, bizarrely, is sometimes referred to as “Charming Kitten.”
Various security companies have reported on phishing campaigns by APT42 before. Organizations such as Google and the cybersecurity companies Recorded Future, Proofpoint, and Mandiant have linked APT42 to Iranian authorities.
This time, it was Iran. Next time, it may be some other government.
Constant cyber-vigilance is an essential part of our work to expose abuses.