Iran has been operating two cybersurveillance campaigns through malicious apps offering wallpaper, games and restaurant access that have targeted more than 1,000 dissidents across 12 different countries, a cybersecurity company reported this week.
The Tel Aviv-based firm Check Point said Iran’s cybersurveillance operations have included new spyware-installing methods on the targets’ devices, according to a report by BBC. Check Point further revealed credible evidence that the operations stole call recordings and media files belonging to the targets.
Domestic Kitten, or APT-50, is one of the groups that allegedly deceive the targets into downloading malicious software onto their devices by various methods. These methods have included repackaging an existing game application in the Google Play Store, forging an application by impersonating a restaurant in Tehran, offering a fake mobile-security application, providing a compromised application that publishes articles from a local news agency, offering infected wallpaper containing pro-Daesh imagery, and mimicking an Android application store to download other software.
The researchers at Check Point reported over 1,200 victims from seven different countries who were targeted by the operation, with 600 successful infections.
Check Point first identified evidence of Domestic Kitten’s operation in 2018. The firm has documented at least 10 campaigns since 2017. Four of the campaigns are reportedly still active, with the most recent being documented at the beginning of November.
Domestic Kitten reportedly used an Iranian blog site, Telegram channels and text messages to trick people into installing infected software, dubbed Furball by researchers. The infected software was able to record calls and other sounds, track locations, collect device identifiers, collect text messages and call logs, extract media files such as videos and photos, obtain a list of other installed applications and extract external storage data.
Domestic Kitten’s targets included dissidents ad opposition forces in seven different countries including Iran, the U.S., the U.K., Pakistan, Afghanistan, Turkey and Uzbekistan.
The second group, called Infy, or Prince of Persia, has reportedly spied on targets in 12 different countries and extracted their data since it began in 2007. Their methods have included malicious email attachments sent to their targets’ home and work devices.
Infy’s most recent activity has been focused on accessing its devices, sending them attractive emails with attached documents that, when opened, install a spying device and extract sensitive data.
The content of the email is alluring. For example, Check Point identified one scheme involving an email with an attached document apparently offering loans to disabled veterans.
Another recent scheme involved a photo of an Iranian governor with alleged contact details.
Infy’s operation is "far superior" than previously known Iranian campaigns, the researchers said. Not only is Infy generally undetected, but it is also highly selective with its targets.
"It is clear that the Iranian government is investing significant resources into cyber-operations," said Yaniv Balmas, the head of Check Point cyber research.
Balmas claimed that Iranian "cyber-espionage campaigns seem to be completely unaffected" by interruptions of counter-activities, leaks, and efforts to reveal and end them."
"They have simply restarted," he said.
The Iranian government has not responded to the report.
As relations between Tehran and the West soured after the European Union and the U.S. reimposed sanctions on Iran in 2019, the EU digital security agency waned Iran was likely to expand its cyber espionage activities.
In 2018, the U.S. charged nine Iranians and an Iranian company with attempting to hack into hundreds of U.S. and international universities, dozens of companies and parts of the U.S. government on behalf of the Tehran government.