The Iranian government is continuing to actively spy on the mobile phones and PCs of dissidents and other individuals thought to be of interest to the regime, a new Check Point Research investigation of two Iran-based cyber-threat groups has revealed.
One of the groups, called Infy, has been operating since at least 2007 and has been associated with attacks targeting Persian-language media, diplomatic targets, and Iranian dissidents in multiple countries, including the United States, Canada, and Germany.
Infy's modus operandi has been to install surveillance malware on the PCs of targeted individuals and collect a wide range of information from them, including contact information, sensitive data, voice recordings, and image captures. Infy ceased operations briefly between mid-2016 and mid-2017 after researchers from Palo Alto Networks took down the group's command-and-control (C2) infrastructure and, with it, the group's ability to communicate with infected machines.
Infy was spotted again in August 2017, this time distributing new data-stealing malware, dubbed Foudre, via spear-phishing emails carrying a malicious self-executing attachment. Check Point's new research, conducted in collaboration with SafeBreach Labs, shows that Infy updated Foudre again in 2020: once installed on a system, the malware now connects to a C2 server and downloads a second-stage payload, called Tonnerre.
According to Check Point, the malware's capabilities include stealing files from predefined folders and external devices, executing commands remotely, recording audio, and capturing screenshots. The threat actors have used several lures to get targeted individuals to install the malware on their PCs, including a document purporting to come from the governor of a specific Iranian province and another that appears to come from a government organization that disburses loans to disabled veterans and the families of martyrs.
Infy's most recent campaign, which is still ongoing, targets dissidents in 12 countries. Yaniv Balmas, head of cyber research at Check Point, says Infy is the longest-running advanced persistent threat group, not just in Iran but in the world. Evidence of its early activity dates back to around 2007, well before the Stuxnet attack on Iran's uranium enrichment facility at Natanz.
The other group, APT-C-50, has been running a very similar surveillance campaign, dubbed "Domestic Kitten," since 2016, also apparently on behalf of the Iranian government. Unlike Infy, though, APT-C-50 targets only mobile phone users of interest to Iran. Its main weapon is a malware tool that Check Point calls "FurBall," which is designed to collect device identifiers, steal SMS messages and call logs, record audio using the device microphone, and steal media files such as video and audio.
According to Check Point, APT-C-50 has run at least 10 separate campaigns so far, four of which are currently active. The most recent was launched this past November. In each campaign, APT-C-50 has tried to trick users into downloading malware onto their mobile phones using a variety of tricks, including luring them to a blog site hosting the malware and distributing it via SMS messages and Telegram channels.
Check Point says the group has targeted at least 1,200 individuals across multiple countries and has successfully infected more than 600 devices. Its victims include Iranian dissidents, ISIS advocates, members of the Kurdish minority in Iran, and others.
Similar Missions, Different Capabilities
Balmas says that while both Infy and APT-C-50 have seemingly similar missions, their skill levels are vastly different. "Domestic Kitten is not very sophisticated, and most of its activities can be considered low tech when compared to other more advanced APT campaigns," he says.
Infy, meanwhile, is the complete opposite: far more organized and much more sophisticated than APT-C-50. "Most of their technological advancements and sophistication are focused on evasion methods and techniques that can ensure their operational activity, even after being exposed," Balmas says.
Check Point's research and that of others shows that Iran's cyber activities are being carried out by two different categories of operators, he adds. One set appears to consist of hackers from certain universities, companies, or other groups that have been hired by the government to carry out cyber missions on a contract basis. Groups in this category, likely including the one behind the Domestic Kitten campaign, tend to be less sophisticated and have fewer technical capabilities, Balmas says.
"The other group includes direct government activities, in which operations are directly planned and executed by government agencies," he says. "We suspect the Infy group from our recent research belongs to this category." Unlike the contractors, groups in the second category appear to have access to much better resources and have overall better technologies and techniques.
For the moment, at least, a lot of Iran's cyber activities appear aimed mostly at individuals and groups of interest to the government and less so at organizations. "That is something that might change at any time, of course," he says.
Last September, for instance, the US government indicted three Iranian individuals for their alleged role in a campaign to steal data related to US aerospace and satellite technology. In the same month, the government also indicted two other Iranian hackers for breaking into computers belonging to companies in multiple countries and stealing hundreds of terabytes of data in a seemingly politically motivated campaign.