Dark Reading is part of the Informa Tech Division of Informa PLC

Iranian Cyber Groups Spying on Dissidents & Others of Interest to Government

A new investigation of two known threat groups shows cyber actors are spying on mobile devices and PCs belonging to targeted users around the world.

The Iranian government is continuing to actively spy on the mobile phones and PCs of dissidents and other individuals thought to be of interest to the regime, a new Check Point Research investigation of two Iran-based cyber-threat groups has revealed.

One of the groups, called Infy, has been operating since at least 2007 and has been associated with attacks targeting Persian-language media, diplomatic targets, and Iranian dissidents in multiple countries, including the United States, Canada, and Germany.  

Infy's modus operandi has been to install surveillance malware on PCs belonging to targeted individuals and collect a wide range of information from them, including contact information, sensitive data, voice recordings, and image captures. Infy ceased operations briefly between mid-2016 and mid-2017 after researchers from Palo Alto took down the group's command-and-control (C2) infrastructure and, with that, its ability to communicate with the victims.

Infy was spotted again in August 2017, this time distributing new data-stealing malware, dubbed Foudre, via spear-phishing emails containing a malicious, self-executable attachment. Check Point's new research, conducted in collaboration with SafeBreach Labs, shows that Infy updated Foudre again in 2020 so that, once installed on a system, the malware connects to a C2 server and downloads a second-stage payload called Tonnerre.

According to Check Point, the malware's capabilities include stealing files from predefined folders and external devices, executing malicious commands remotely, recording sound, and making screen captures. The threat actors have been using several lures to get targeted individuals to install the malware on their PCs. Examples include a document purporting to be from the governor of a specific Iranian province and a document that appears to be from a government organization that disburses loans to disabled veterans and the families of martyrs.

Infy's most recent — and still ongoing — campaign targets dissidents in 12 countries. Yaniv Balmas, head of cyber research at Check Point, says Infy is the longest-running advanced persistent threat, not just in Iran but the world. Evidence of its early activities dates back to around 2007, well before the Stuxnet attack on Iran's uranium enrichment facility at Natanz.

The other group, APT-C-50, has been operating a very similar surveillance campaign dubbed "Domestic Kitten," also apparently for the Iranian government, since 2016. Unlike Infy, though, APT-C-50 has been targeting only mobile phone users of interest to Iran. Its main weapon is a malware tool that Check Point calls "FurBall," which is designed to collect device identifiers, steal SMS messages and call logs, record sounds using the device microphone, and steal media files, such as video and audio.

According to Check Point, APT-C-50 has operated at least 10 separate campaigns so far — four of which are currently active. The most recent of those campaigns was launched just this past November. In each campaign, APT-C-50 has tried to trick users into downloading malware on their mobile phones using a variety of tricks, including luring them to a blog site containing the malware, via SMS messages and Telegram channels.

Check Point says the group has targeted at least 1,200 individuals across multiple countries and has successfully infected more than 600 devices. The group's victims include Iranian dissidents, ISIS advocates, the Kurdish minority in Iran, and others.

Similar Missions, Different Capabilities
Balmas says that while both Infy and APT-C-50 have seemingly similar missions, their skill levels are vastly different. "Domestic Kitten is not very sophisticated, and most of its activities can be considered low tech when compared to other more advanced APT campaigns," he says.

Infy, meanwhile, is the complete opposite of that and is far more organized and much more sophisticated than APT-C-50. "Most of their technological advancements and sophistication is focused on evasion methods and techniques that can ensure their operational activity, even after being exposed," Balmas says.

Check Point's research and that of others show that Iran's cyber activities are being carried out by two different categories of operators, he adds. One set appears to consist of hackers from certain universities, companies, or even just groups that have been somehow hired by the government to carry out cyber missions on a contract basis. Groups in this category — including likely the one behind the Domestic Kitten campaign — tend to be less sophisticated and have fewer technical capabilities, Balmas says.

"The other group includes direct government activities, in which operations are directly planned and executed by government agencies," he says. "We suspect the Infy group from our recent research belongs to this category." Unlike the contractors, groups in the second category appear to have access to much better resources and have overall better technologies and techniques.

For the moment, at least, a lot of Iran's cyber activities appear aimed mostly at individuals and groups of interest to the government and less so at organizations. "That is something that might change at any time, of course," he says.

Last September, for instance, the US government indicted three Iranian individuals for their alleged role in a campaign to steal data related to US aerospace and satellite technology. In the same month, the government also indicted two other Iranian hackers for breaking into computers belonging to companies in multiple countries and stealing hundreds of terabytes of data in a seemingly politically motivated campaign.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
