Hacking campaigns reveal Iranian attacks on dissidents

Iran-backed groups are targeting peoples’ mobile phones and PCs with sophisticated spyware

three blocks in front of falling binary code

Security researchers have found that Iran-backed hacking groups are actively spying on the Tehran government’s critics.

Check Point Researchers discovered the hackers and said there was evidence of two ongoing Iran-backed cyber-surveillance operations against suspected dissidents within Iran and 12 other countries, including the UK, US, Pakistan, Afghanistan, Turkey, Germany, Holland, Sweden, and others.

They said these operations have targeted over 1,200 people and remain active. The Iran-backed groups target peoples’ mobile phones and PCs with sophisticated spyware to collect sensitive data, including call recordings, messages, and locations.

One group, known as APT-C-50 or “Domestic Kitten,” spies on dissidents’ mobile phones, tricking people into downloading malicious software under the guise of popular apps. Victims included internal dissidents, opposition forces, ISIS advocates, people in the Kurdish minority in Iran, and more.

According to the researchers, hackers lured victims into installing a malicious application through multiple vectors, including an Iranian blog site, Telegram channels, and an SMS with a link to the malicious application. The malware planted could record calls, track locations, steal media videos and photos, and more.

The other group, known as Infy or “Prince of Persia,” spied on dissidents’ home and work PCs, extracting sensitive data after tricking targets into opening malicious email attachments. Researchers documented victims in 12 countries.

Researchers discovered fewer activities from Infy. One campaign used a photo of Mojtaba Biranvand, the governor of Dorud city in Lorestan Province, Iran. The document is in Persian and includes information regarding the governor’s office and his alleged phone number. 

Researchers said the technological abilities of Infy are “far superior to most other known Iranian campaigns, attacking only a handful of targets, and taking significant effort to go undetected and uninterrupted.”

“The operators of these Iranian cyber espionage campaigns seem to be completely unaffected by any counter-activities done by others, even though they were revealed and even stopped in the past — they simply don’t stop,” said Yaniv Balmas, head of research at Check Point. “These campaign operators simply learn from the past, modify their tactics, and go on to wait for a while for the storm to pass to only go at it again.”

Researchers have alerted law enforcement agencies in the US and Europe of their findings.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
PayPal looks to block hate group funding
Security

PayPal looks to block hate group funding

26 Jul 2021
Criminals target Discord to spread malware
live chat

Criminals target Discord to spread malware

26 Jul 2021
Nine traits you need to succeed as a cyber security leader
Whitepaper

Nine traits you need to succeed as a cyber security leader

26 Jul 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Six ways boards can step up support for cyber security
Business strategy

Six ways boards can step up support for cyber security

22 Jul 2021