Two Iranian hacking groups appear to be actively snooping on critics around the globe

A protest for Iranian regime change near the White House in 2017. (Geoff Livingston / Flickr)


Written by

Two suspected Iranian government-connected hacking groups are actively spying on dissidents around the world in renewed eavesdropping campaigns, researchers said in reports out Monday morning.

One of the groups, known as Domestic Kitten or APT-C-50, notched victims in seven countries, Check Point Research found: Iran, the U.S., the U.K., Pakistan, Afghanistan, Turkey,and Uzbekistan.

The other, known as Infy or Prince of Persia, snooped on dissidents in 12 countries, Check Point found in joint research with SafeBreach. Both companies were founded in Israel, which counts Iran as one of its chief nemeses. The U.S. also counts Iran among the handful of its biggest adversaries in cyberspace.

Check Point has reported on both groups in the past, but the the company said its research uncovered new activity and fresh techniques.

“The operators of these Iranian cyber espionage campaigns seem to be completely unaffected by any counter-activities done by others, even though they were revealed and even stopped in the past — they simply don’t stop,” said Yaniv Balmas, head of research at Check Point. “These campaign operators simply learn from the past, modify their tactics, and go on to wait for a while for the storm to pass to only go at it again.”

Domestic Kitten’s directed its hacking efforts at both mobile phone and personal computers, and the researchers documented at least 1,200 attempts.

Check Point found instances of the group luring victims into installing a malicious application through means as far flung as Telegram channels, text messages, using covers like an app for a restaurant in Tehran or a wallpaper app. Domestic Kitten’s malware has capabilities to record calls, track locations, steal media videos and photos and more.

The researchers uncovered less total activity from Infy: 24 victims in all, but in a wider array of nations. Infy, too, focused on PCs, using lure documents like one that contains a photo of a city leader in Iran and his alleged phone number.

Previously, researchers saw Infy-deployed malware nicknamed foudre, French for “lightning.” Tonnere, French for “thunder,” is an upgrade, said Tomer Bar, research team manager for SafeBreach.

“[Tonnerre] is their latest malware improvement to the Infy malware family that allows the [Iranians] to achieve intimate intelligence about their targets, including voice recording from the environment around the victim’s laptop,” Bar said via email.

The research jibes with other companies’ work on the modi operandi of Domestic Kitten and Infy alike.

“It is unequivocally clear that the Iranian government is investing significant resources into operations in its cyber space,” Balmas said.

-In this Story-

APT-C-50, Check Point, Domestic Kitten, Infy, Iran, SafeBreach