Iranian Government Hackers Spy On Dissidents

Many countries spy on their populations via mobile apps, and now Check Point Research has uncovered Rampant Kitten, an Iranian hacker group that has monitored and spied on political opponents of Iran's government for years. Rampant Kitten has developed special Android malware capable of intercepting and stealing two-factor authentication (2FA) codes sent via SMS.

The hackers deliver malware disguised as Android applications to the target's mobile phone or computer. This malware can be pointed at any service, and it targets Google, Telegram and other major Internet or social services.

The thinking is that Rampant Kitten operators would use the Android Trojan to show a Google phishing page, capture the user's account credentials, and then access the victim's account. Check Point says the group has been active for at least six years and has been engaged in an ongoing surveillance operation against Iranian minorities, anti-regime organisations and resistance movements.

The primary targets include supporters of Mujahedin-e Khalq (MEK) and the Azerbaijan National Resistance Organisation, two prominent resistance movements that advocate the liberation of Iranian people and minorities within Iran.

The attackers first use a phishing Trojan to collect login details, and then try those with the real site. If the victim has two-factor authentication turned on, the newly-reported malware intercepts the incoming SMS messages and quietly sends copies to the intruders.

The code also has tools to grab contacts, text message logs and even microphone audio, but it is unusually centred on two-factor data. It has so far been found in an app pretending to help Persian speakers in Sweden get driver's licences, but it might be available in other apps.
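The attack flow above (stolen credentials replayed at the real site, then SMS 2FA codes forwarded to the attackers) leaves a footprint in the permissions a malicious app must declare. The following triage script, an added example that is not from the article or from Check Point's report, runs over a decoded text AndroidManifest.xml (as produced by tools such as apktool; a constructed sample is embedded) and flags SMS access that the app's stated purpose does not explain. The permission names are standard Android ones; the capability-to-permission mapping and the sample manifest are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest for a supposed "driver's licence helper" app.
# Not taken from any real sample; built here only to exercise the triage logic.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.licencehelper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Capabilities described in the article, mapped to the standard Android
# permissions an app must declare to have them (assumed mapping).
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "network_exfiltration": {"android.permission.INTERNET"},
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}


def triage(manifest_xml, expected_capabilities=frozenset()):
    """Compare declared capabilities against what the app's purpose justifies.

    expected_capabilities: capabilities an analyst accepts for this app's
    stated function (a licence-test helper needs none of the sensitive ones).
    """
    perms = declared_permissions(manifest_xml)
    found = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    unexpected = found - set(expected_capabilities)
    # Unexplained SMS access plus a network path out is the pattern the
    # article describes: codes are read on the device and copied to the intruders.
    high_risk = "sms_interception" in unexpected and "network_exfiltration" in found
    return {"capabilities": sorted(found),
            "unexpected": sorted(unexpected),
            "high_risk": high_risk}
```

The same check can be run over a batch of decoded manifests to shortlist apps whose SMS access has no business justification; it is a triage signal, not proof of malice, since legitimate SMS apps declare the same permissions.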

The campaign was initially uncovered by the discovery of a document targeting the MEK in Albania. The MEK had originally been headquartered in Iraq, but following mounting political tensions had moved to Albania. The malicious document uses an external template downloaded from a remote server.

Analysis of this payload led to the discovery of multiple variants dating back to 2014. This uncovered further websites, operated by the same group. Some of these websites hosted phishing pages impersonating Telegram.

Surprisingly, this phishing attack seems to have been known to Iranian Telegram users, as several Iranian Telegram channels sent out warnings against the phishing sites, claiming that the Iranian regime was behind them. Even so, Rampant Kitten appears to have been running this campaign largely undetected for at least six years. The targets seem to be dissidents associated with a number of anti-regime Iranian groups.

It seems almost certain that this is another example of Iranian threat actors, quite possibly with some affiliation to the Iranian regime, collecting intelligence on potential opponents to the regime. 

While it is widely accepted that state-sponsored hacking groups are usually capable of bypassing 2FA, it is very rare that we get an insight into their tools and how they do it.

Sources: Check Point Research, Arab News, Security Week, ZDNet, Engadget
