Dark Reading is part of the Informa Tech Division of Informa PLC



08:45 AM

Iranian Cyber Groups Spying on Dissidents & Others of Interest to Government

A new investigation of two known threat groups shows cyber actors are spying on mobile devices and PCs belonging to targeted users around the world.

The Iranian government is continuing to actively spy on the mobile phones and PCs of dissidents and other individuals thought to be of interest to the regime, a new Check Point Research investigation of two Iran-based cyber-threat groups has revealed.

One of the groups, called Infy, has been operating since at least 2007 and has been associated with attacks targeting Persian-language media, diplomatic targets, and Iranian dissidents in multiple countries, including the United States, Canada, and Germany.  


Infy's modus operandi has been to install surveillance malware on PCs belonging to targeted individuals and collect a wide range of information from them, including contact information, sensitive data, voice recordings, and image captures. Infy ceased operations briefly between mid-2016 and mid-2017 after researchers from Palo Alto Networks took down the group's command-and-control (C2) infrastructure and, with that, its ability to communicate with infected machines.

Infy was spotted again in August 2017, this time distributing new data-stealing malware, dubbed Foudre, via spear-phishing emails carrying a malicious self-executing attachment. Check Point's new research, conducted in collaboration with SafeBreach Labs, shows that Infy updated Foudre again in 2020: once installed on a system, the malware connects to a C2 server and downloads a second-stage payload, called Tonnerre.

According to Check Point, the malware's capabilities include stealing files from predefined folders and external devices, executing commands remotely, recording sound, and capturing the screen. The threat actors have used several lures to get targeted individuals to install the malware on their PCs. Examples include a document purporting to be from the governor of a specific Iranian province and a document that appears to come from a government organization that disburses loans to disabled veterans and the families of martyrs.

Infy's most recent, and still ongoing, campaign targets dissidents in 12 countries. Yaniv Balmas, head of cyber research at Check Point, says Infy is the longest-running advanced persistent threat, not just in Iran but in the world. Evidence of its early activities dates back to around 2007, well before the Stuxnet attack on Iran's uranium enrichment facility at Natanz.

The other group, APT-C-50, has been operating a very similar surveillance campaign, dubbed "Domestic Kitten," also apparently for the Iranian government, since 2016. Unlike Infy, though, APT-C-50 has targeted only mobile phone users of interest to Iran. Its main weapon is a malware tool that Check Point calls "FurBall," which is designed to collect device identifiers, steal SMS messages and call logs, record sound using the device microphone, and steal media files such as video and audio.

According to Check Point, APT-C-50 has run at least 10 separate campaigns so far, four of which are currently active. The most recent of those campaigns was launched just this past November. In each campaign, APT-C-50 has tried to trick users into downloading malware onto their mobile phones, including by luring them to a blog site hosting the malware and by distributing it via SMS messages and Telegram channels.

Check Point says the group has targeted at least 1,200 individuals across multiple countries and has successfully infected more than 600 devices. The group's victims include Iranian dissidents, ISIS advocates, the Kurdish minority in Iran, and others.

Similar Missions, Different Capabilities
Balmas says that while both Infy and APT-C-50 have seemingly similar missions, their skill levels are vastly different. "Domestic Kitten is not very sophisticated, and most of its activities can be considered low tech when compared to other more advanced APT campaigns," he says.

Infy, meanwhile, is the complete opposite: far more organized and much more sophisticated than APT-C-50. "Most of their technological advancements and sophistication are focused on evasion methods and techniques that can ensure their operational activity, even after being exposed," Balmas says.

Check Point's research and that of others shows that Iran's cyber activities are carried out by two different categories of operators, he adds. One set appears to consist of hackers from certain universities, companies, or even just groups that have somehow been hired by the government to carry out cyber missions on a contract basis. Groups in this category, likely including the one behind the Domestic Kitten campaign, tend to be less sophisticated and have less technical capability, Balmas says.

"The other group includes direct government activities, in which operations are directly planned and executed by government agencies," he says. "We suspect the Infy group from our recent research belongs to this category." Unlike the contractors, groups in the second category appear to have access to much better resources and have overall better technologies and techniques.

For the moment, at least, a lot of Iran's cyber activities appear aimed mostly at individuals and groups of interest to the government and less so at organizations. "That is something that might change at any time, of course," he says.

Last September, for instance, the US government indicted three Iranian individuals for their alleged role in a campaign to steal data related to US aerospace and satellite technology. In the same month, the government also indicted two other Iranian hackers for breaking into computers belonging to companies in multiple countries and stealing hundreds of terabytes of data in a seemingly politically motivated campaign.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
