European Parliament Member Hannah Neumann Targeted in Iranian APT42-Linked Hacking Campaign

• Germany’s domestic intelligence service flagged a threat actor’s intrusion attempt that targeted a Parliament chair for Iran relations.
• Hackers impersonated legitimate contacts in messages containing malicious links disguised as encrypted conference invitations.
• Iranian hacking group APT35 was initially suspected before the incident was attributed to IRGC-linked APT42.

A prominent European Parliament member, Hannah Neumann, has confirmed she was targeted in a sophisticated cyber-espionage operation associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), which is linked to the Iranian state-backed threat actor APT42. 

Neumann, a German Greens member and chair of the Parliament delegation for relations with Iran, detailed the attack, which involved phishing emails, phone calls, and messages that ultimately aimed to compromise her office’s IT systems.  

The hacking campaign against Neumann began in January 2023. Her office became aware of the activity four weeks ago when Germany’s domestic intelligence service flagged the intrusion, according to Politico. 

Hackers impersonated legitimate contacts, including former U.S. official Matthew Levitt, to lure Neumann’s team into clicking on malicious links disguised as encrypted conference invitations.  

While the attackers succeeded in targeting Neumann’s office laptop, the Parliament’s cybersecurity defenses thwarted their efforts. According to an IT report, the “infection chain” was incomplete, and no sensitive information was exfiltrated.  

The European Parliament’s IT service, DG ITEC, identified the Iranian-linked hacking group APT42 as the key perpetrator, though another faction, APT35, was initially suspected. 

These groups, closely tied to Tehran’s Revolutionary Guard, are notorious for spear-phishing operations, data exfiltration, and disrupting sensitive communications.  

APT42 was confirmed to target high-profile accounts of both political campaigns connected to the upcoming U.S. presidential election. The U.S. State Department identified six IRGC-linked Iranian security officials reportedly responsible for the cyberattacks on U.S. water utilities in 2023.  

Government cyberwarfare group APT35, also called Charming Kitten APT, Phosphorus, Mint Sandstorm, Ajax Security, and NewsBeef, was linked to last year’s hack of Donald Trump’s campaign communications and deceptive "dream job" lures to distribute the SnailResin malware.

Neumann’s role as chair of the European Parliament delegation for EU-Iran relations, which involves engaging with rights organizations, trade unions, and activists, makes her a key target for such campaigns. She also previously served on the special inquiry committee investigating Pegasus spyware use in Europe.