News

Hacking campaigns reveal Iranian attacks on dissidents

Iran-backed groups are targeting peoples’ mobile phones and PCs with sophisticated spyware

8 Feb 2021

three blocks in front of falling binary code

Security researchers have found that Iran-backed hacking groups are actively spying on the Tehran government’s critics.

Check Point Researchers discovered the hackers and said there was evidence of two ongoing Iran-backed cyber-surveillance operations against suspected dissidents within Iran and 12 other countries, including the UK, US, Pakistan, Afghanistan, Turkey, Germany, Holland, Sweden, and others.

They said these operations have targeted over 1,200 people and remain active. The Iran-backed groups target peoples’ mobile phones and PCs with sophisticated spyware to collect sensitive data, including call recordings, messages, and locations.

One group, known as APT-C-50 or “Domestic Kitten,” spies on dissidents’ mobile phones, tricking people into downloading malicious software under the guise of popular apps. Victims included internal dissidents, opposition forces, ISIS advocates, people in the Kurdish minority in Iran, and more.

According to the researchers, hackers lured victims into installing a malicious application through multiple vectors, including an Iranian blog site, Telegram channels, and an SMS with a link to the malicious application. The malware planted could record calls, track locations, steal media videos and photos, and more.

The other group, known as Infy or “Prince of Persia,” spied on dissidents’ home and work PCs, extracting sensitive data after tricking targets into opening malicious email attachments. Researchers documented victims in 12 countries.

Researchers discovered fewer activities from Infy. One campaign used a photo of Mojtaba Biranvand, the governor of Dorud city in Lorestan Province, Iran. The document is in Persian and includes information regarding the governor’s office and his alleged phone number.

Researchers said the technological abilities of Infy are “far superior to most other known Iranian campaigns, attacking only a handful of targets, and taking significant effort to go undetected and uninterrupted.”

“The operators of these Iranian cyber espionage campaigns seem to be completely unaffected by any counter-activities done by others, even though they were revealed and even stopped in the past — they simply don’t stop,” said Yaniv Balmas, head of research at Check Point. “These campaign operators simply learn from the past, modify their tactics, and go on to wait for a while for the storm to pass to only go at it again.”

Researchers have alerted law enforcement agencies in the US and Europe of their findings.