Iran’s Cyberwar Could Infiltrate Your Mailbox

Iran’s crackdown on protesters could affect almost anyone in contact with them, thanks to a sophisticated internal police operation that routinely targets not only academics and dissidents but also those who have interacted with them, and even people only tangentially linked. 

Cyber security firms and prominent researchers of Iranian digital espionage efforts say one government-backed group in particular, Infy, will likely continue to increase its attacks even after the current unrest ends.

The Iranian security forces use many of the same tactics that nation-state actors and criminal groups deploy against corporate and political victims, particularly spear phishing: emails from a phony source that urge the recipient to click a link that downloads information-exfiltrating malware. But unlike common crooks, Tehran and its agents are constantly refining and improving their phishing emails.

The Infy group is highly adaptable and regularly attacks targets inside Iran and beyond its borders. The group, or at least some of its code, goes back to 2007, according to research by Palo Alto Networks. That’s several years before Iran stepped up its cyber warfare capabilities in response to the 2010 revelation of the Stuxnet virus attack. Infy has since become one of the primary malware agents operating out of Iran, with a particular focus on Iranian civil society, according to a 2016 paper by researchers Collin Anderson and Claudio Guarnieri.

Unlike some other Iranian cyber actors who target foreign aerospace and military commercial interests, Infy focuses on individuals who may be a political threat to Iran’s leaders and the way they govern.

“Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran,” write Anderson and Guarnieri.
“While the near majority of the victims are located in Iran, the remaining hosts are widely distributed around the world, with a higher concentration in the United States, Sweden, Germany and Iraq, locations with large Iranian diasporas or regional interests. Several compromised systems maintain a clear relationship to regional adversaries and foreign entities that Iran maintains an espionage interest in.”

Infy likes to send PowerPoint decks with malware embedded in the title slide. When clicked, they install software that Infy can use to log keystrokes and remove data. Interestingly, the group repeatedly used the name “Amin Jalali” to register the email addresses it uses in attacks. “The contact information on these domains has been updated in recent months with false identities attributed to Poland and India to masque the original registrant, however, the ownership and contact email remains the same,” they report.

Spear phishing is nothing new. But an intelligence service backed by the resources of a nation-state can make it far more effective. Anderson and Guarnieri document a slow and steady evolution in the sophistication and effectiveness of Infy attacks, moving from blank emails containing only files with provocative titles to tailored pitches aimed at specific individuals, primarily at Western media companies that might be in contact with dissidents.

The level of impersonation grew significantly between the group’s early days and today. In 2016, “one message claimed to be from Mohammad Taghi Karroubi, the son of reformist politician Mehdi Karroubi who ran for the presidency in the 2009 elections and has been under house arrest since February 2011,” they write.

Most important, Infy modifies its tactics once defenders sniff them out, as Palo Alto’s Tomer Bar and Simon Conant documented within the past six months.

Defense One
