New evidence reveals Iranian Government continues to invest in surveillance and cyber-operations on regime dissidents
February 2021 by Check Point
Check Point Research (CPR) recently conducted investigations into two known Iranian cyber groups which showed the Iranian government continues to surveil and attack dissidents of the regime, in Iran and abroad. The first cyber-group, known as APT-C-50, spies on the mobile phones of dissidents, collecting phone call recordings, messages, pictures and GPS data. In a campaign dubbed “Domestic Kitten”, APT-C-50 targeted over 1200 individuals living in seven countries, with over 600 successful device infections.
The second group, known as Infy, spies on the PCs of dissidents, extracting sensitive data from home and business computers after tricking targets into opening malicious email attachments. With the help of researchers at SafeBreach, CPR has exposed a recent Infy campaign that targeted dissidents in 12 countries. Both campaigns, Domestic Kitten and Infy, are still live and ongoing.
Domestic Kitten spies on mobile phones by using guises of popular apps
CPR first revealed the Domestic Kitten operation in 2018. Now, CPR has uncovered the full extent of Domestic Kitten’s extensive surveillance operation against Iranian citizens. Since 2017, the Domestic Kitten campaign has consisted of 10 unique campaigns, four of which are currently active today, with the most recent campaign beginning in November 2020.
In these campaigns, victims are lured into installing a malicious application through multiple vectors, including an Iranian blog site, Telegram channels, or an SMS with a link to the malicious application. The capabilities of the Domestic Kitten malware, which CPR researchers call ‘FurBall’, include: call recording, surround recording, location tracking, collecting device identifiers, grabbing SMS messages and call logs, stealing media files like videos and photos, obtaining a list of installed applications, and stealing files from external storage.
FurBall uses a variety of covers to disguise its malicious intentions. Disguises identified by CPR researchers include:
• VIPRE Mobile Security – A fake mobile security application
• ISIS Amaq – A news outlet for the Amaq news agency
• Exotic Flowers – A repackaged version of a game from Google Play
• MyKet – An Android application store
• Iranian Woman Ninja – A wallpaper application
• Mohen Restaurant application – A restaurant in Tehran
Domestic Kitten has targeted over 1200 individuals, with over 600 successful device infections, in seven countries: Iran, United States, Great Britain, Pakistan, Afghanistan, Turkey, and Uzbekistan. Victims include internal dissidents, opposition forces, ISIS advocates, people in the Kurdish minority in Iran, and more.
Infy spies on PCs by getting users to download email attachments
Check Point and SafeBreach researchers found evidence of renewed activity of Infy, a cyber campaign that has been in intermittent operation since 2007. Infy’s most recent activity targets PCs by sending fake emails with attractive content, usually with an attached document. Once the document is opened, the Infy spying tool is installed on the victim’s PC, resulting in theft of sensitive data from the computer.
Two example documents recently used by Infy include a photo of Mojtaba Biranvand, the governor of Dorud city in Lorestan Province, Iran. The document is in Persian and includes information regarding the governor’s office and his alleged phone number. The second document, also in Persian, contains the logo of ISAAR, the Iranian government-sponsored Foundation of Martyrs and Veterans Affairs which provides loans to disabled veterans and families of martyrs.
According to the researchers, Infy’s technical capabilities are far superior to those of most other known Iranian campaigns: it attacks only a handful of targets and takes significant effort to remain undetected and uninterrupted.
Check Point head of cyber research, Yaniv Balmas, said: “It is clear that the Iranian government is investing significant resources into cyber-operations. While both of the campaigns highlighted in our research were previously known, we managed to find new and recent evidence of their activity. The operators of these Iranian cyber espionage campaigns seem to be completely unaffected by any counter-activities done by others, even though both campaigns had been revealed and even stopped in the past – they have simply restarted. The campaign operators learned from the past, modified their tactics, and waited for a while for the storm to pass, only to go at it again.
“In our research, we revealed several new techniques used by these campaigns for the very first time, some more advanced than others, but all previously unknown. All in all, I believe our latest research shows us the dangerous power of cyber-attacks when used by governments and how relevant it can be to all of us as individuals, teaching us all the importance of being constantly alert when using our mobile phones, home computers – or frankly any electronic device.”
The researchers have alerted law enforcement agencies in the US and Europe to their findings.