Industry News

Iranian-Backed APT34 Tries to Compromise Company Linked to U.S. Government

Security researchers say they have uncovered a phishing campaign, likely organized by the Iran-backed APT34 group, that sought to infect Westat employees with malware.

U.S. companies and institutions are the usual targets of APT34, and hackers are always looking to compromise prominent organizations, usually via phishing campaigns. In this case, Westat was the intended target because the company focuses on research for agencies of the U.S. government, as well as for businesses, foundations, and state and local governments.

The phishing campaign didn’t follow a shotgun approach, but was directly aimed at Westat employees. The phishing emails contained a ‘survey.xls’ file, that, of course, would make use of macros, if they were enabled by default. Even with the setting at OFF, users would still be asked if they want to allow macros to view the file. Once the file was opened, a new version of the TONEDEAF malware was deployed.

“Westat understands that in their effort to identify threats and malware, Intezer has identified a malicious file that uses the Westat name and logo,” explained the company. “This file was not created by, hosted by, or sent from Westat, and is likely the result of a bad actor stealing the Westat brand name and logo.”

“Our cybersecurity team is working with Intezer and others to fully understand the nature of this report. We will continue to monitor the situation and respond accordingly.”

From what the security researchers found, it seems that the goal of the campaign was to deliver TONEDEAF, a backdoor that allows operators from a Command and Control center to collect data, to run commands, and even to upload files, and to deploy the VALUEVAULT malware, which is a browser credential tool.

The APT34 efforts were thwarted, for now, but they’re likely trying numerous avenues at the same time to increase their chances.

About the author

Silviu STAHIE

Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between. He's passionate about security and the way it shapes the world, in all aspects of life. He's also a space geek, enjoying all the exciting new things the Universe has to offer.

Add Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.