Hacking campaigns reveal Iranian attacks on dissidents

Iran-backed groups are targeting peoples’ mobile phones and PCs with sophisticated spyware

three blocks in front of falling binary code

Security researchers have found that Iran-backed hacking groups are actively spying on the Tehran government’s critics.

Check Point Researchers discovered the hackers and said there was evidence of two ongoing Iran-backed cyber-surveillance operations against suspected dissidents within Iran and 12 other countries, including the UK, US, Pakistan, Afghanistan, Turkey, Germany, Holland, Sweden, and others.

They said these operations have targeted over 1,200 people and remain active. The Iran-backed groups target peoples’ mobile phones and PCs with sophisticated spyware to collect sensitive data, including call recordings, messages, and locations.

One group, known as APT-C-50 or “Domestic Kitten,” spies on dissidents’ mobile phones, tricking people into downloading malicious software under the guise of popular apps. Victims included internal dissidents, opposition forces, ISIS advocates, people in the Kurdish minority in Iran, and more.

According to the researchers, hackers lured victims into installing a malicious application through multiple vectors, including an Iranian blog site, Telegram channels, and an SMS with a link to the malicious application. The malware planted could record calls, track locations, steal media videos and photos, and more.

The other group, known as Infy or “Prince of Persia,” spied on dissidents’ home and work PCs, extracting sensitive data after tricking targets into opening malicious email attachments. Researchers documented victims in 12 countries.

Researchers discovered fewer activities from Infy. One campaign used a photo of Mojtaba Biranvand, the governor of Dorud city in Lorestan Province, Iran. The document is in Persian and includes information regarding the governor’s office and his alleged phone number. 

Researchers said the technological abilities of Infy are “far superior to most other known Iranian campaigns, attacking only a handful of targets, and taking significant effort to go undetected and uninterrupted.”

“The operators of these Iranian cyber espionage campaigns seem to be completely unaffected by any counter-activities done by others, even though they were revealed and even stopped in the past — they simply don’t stop,” said Yaniv Balmas, head of research at Check Point. “These campaign operators simply learn from the past, modify their tactics, and go on to wait for a while for the storm to pass to only go at it again.”

Researchers have alerted law enforcement agencies in the US and Europe of their findings.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

What is cyber warfare?
Security

What is cyber warfare?

23 Mar 2021
Hackers leak data from dark web marketplace
cyber security

Hackers leak data from dark web marketplace

9 Apr 2021
How to encrypt files and folders in Windows 10
encryption

How to encrypt files and folders in Windows 10

9 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021