Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:45 AM
Connect Directly

Iranian Cyber Groups Spying on Dissidents & Others of Interest to Government

A new investigation of two known threat groups show cyber actors are spying on mobile devices and PCs belonging to targeted users around the world.

The Iranian government is continuing to actively spy on the mobile phones and PCs of dissidents and other individuals thought to be of interest to the regime, a new Check Point Research investigation of two Iran-based cyber-threat groups has revealed.

One of the groups, called Infy, has been operating since at least 2007 and has been associated with attacks targeting Persian-language media, diplomatic targets, and Iranian dissidents in multiple countries, including the United States, Canada, and Germany.  

Related Content:

Iranian Hackers Indicted for Stealing Aerospace & Satellite Tracking Data

Special Report: How IT Security Organizations are Attacking the Cybersecurity Problem

New From The Edge: What's the Difference Between 'Observability' and 'Visibility' in Security?

Infy's modus operandi has been to install surveillance malware on PCs belonging to targeted individuals and collecting a wide range of information from them, including contact information, sensitive data, voice recordings, and image captures. Infy ceased operations briefly between mid-2016 and mid-2017 after researchers from Palo Alto took down the group's command-and-control (C2) infrastructure and, with that, its ability to communicate with the victims.

Infy was spotted again in August 2017, this time distributing new data-stealing malware, dubbed Foudre, via spear-phishing emails containing a malicious, self-executable attachment. Check Point's new research, conducted in collaboration with SafeBreach Labs, shows that Infy updated Foudre again in 2020, so when the malware was installed on a system it connects to a C2 server and downloads a second-stage payload, called Tonnerre.

According to Check Point, the malware's capabilities include stealing files from predefined folders and external devices, executing malicious commands remotely, recording sound, and making screen captures. The threat actors have been using several lures to get targeted individuals to install the malware on their PCs. Examples include a document purporting to be from the governor of a specific Iranian province and a document that appears to be from a from a government organization that disburses loans to disabled veterans and the families of martyrs.

Infy's most recent — and still ongoing — campaign targets dissidents in 12 countries. Yaniv Balmas, head of cyber research at Check Point, says Infy is the longest-running advanced persistent threat, not just in Iran but the world. Evidence of its early activities date back to around 2007, well before the Stuxnet attack on Iran's uranium enrichment facility at Natanz.

The other group, APT-C-50, has been operating a very similar surveillance campaign dubbed "Domestic Kitten," also apparently for the Iranian government, since 2016. Unlike Infy, though, APT-C-50 has been targeting only mobile phone users of interest to Iran. Its main weapon is a malware tool that Check Point calls "FurBall," which is designed to collect devices identifiers, steal SMS messages and call logs, record sounds using the device microphone, and steal media files, such as video and audio.

According to Check Point, APT-C-50 has operated at least 10 separate campaigns so far — four of which are currently active. The most recent of those campaigns was launched just this past November. In each campaign, APT-C-50 has tried to trick users into downloading malware on their mobile phones using a variety of tricks, including luring them to a blog site containing the malware, via SMS messages and Telegram channels.

Check Point says the group has targeted at least 1,200 individuals across multiple countries and has successful infected more than 600 devices. The group's victims include Iranian dissidents, ISIS advocates, the Kurdish minority in Iran, and others.

Similar Missions, Different Capabilities
Balmas says that while both Infy and APT-C-50 have seemingly similar missions, their skill levels are vastly different. "Domestic Kitten is not very sophisticated, and most of its activities can be considered low tech when compared to other more advanced APT campaigns," he says.

Infy, meanwhile, is the complete opposite of that and is far more organized and much more sophisticated than APT-C-50. "Most of their technological advancements and sophistication is focused on evasion methods and techniques that can ensure their operational activity, even after being exposed," Balmas says.

Check Point's research and that of others shows that Iran's cyber activities are being carried out by two different categories of operators, he adds. One set appears to consist of hackers from certain universities, companies, or even just groups that have been somehow hired by the government to carry out cyber missions on a contract basis. Groups in this category — including likely the one behind the Domestic Kitten campaign — tend to be less sophisticated and have less technical capabilities, Balmas says.

"The other group includes direct government activities, in which operations are directly planned and executed by government agencies," he says. "We suspect the Infy group from our recent research belongs to this category." Unlike the contractors, groups in the second category appear to have access to much better resources and have overall better technologies and techniques.

For the moment, at least, a lot of Iran's cyber activities appear aimed mostly at individuals and groups of interest to the government and less so at organizations. "That is something that might change at any time, of course," he says.

Last September, for instance, the US government indicted three Iranian individuals for their alleged role in a campaign to steal data related to US aerospace and satellite technology. In the same month, the government also indicted two other Iranian hackers for breaking into computers belonging to companies in multiple countries and stealing hundreds of terabytes of data in a seemingly politically motivated campaign.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-26
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in
PUBLISHED: 2021-02-26
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not complete and an attacker is able to foreign request and executes customer commands. The problem is fixed in
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key va...
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to...
PUBLISHED: 2021-02-26
All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.