Iran’s Cyberwar Could Infiltrate Your Mailbox

Iran’s crackdown on protesters could affect almost anyone in contact with them, thanks to a sophisticated internal police operation that routinely targets not only academics and dissidents but also those who have interacted with them, and even people only tangentially linked. 

Cyber security firms and prominent researchers of Iranian digital espionage efforts say one government-backed group in particular, Infy, will likely continue to increase its attacks even after the current unrest ends.

The Iranian security forces use many of the same tactics that nation-state actors and criminal groups deploy against corporate and political victims, particularly spear phishing, basically, emails from a phony source that urge the recipient to click a link that downloads information-exfiltrating malware. But unlike common crooks, Tehran and its agents are constantly refining and improving their phishing emails.

The Infy group is highly adaptable and regularly attacks targets inside Iran and beyond its borders. The group, or at least some of its code, goes back to 2007, according to research by Palo Alto Networks.  That’s several years before Iran stepped up its cyber warfare capabilities in response to the 2010 revelation of the Stuxnet virus attack. Infy has since become one of the primary malware agents operating out of Iran, with a particular focus on Iranian civil society, according to a 2016 paper by researchers Colin Anderson and Claudio Guarnieri.

Unlike some other Iranian cyber actors who target foreign aerospace and military commercial interests, Infy focuses on individuals who may be a political threat to Iran’s leaders and the way they govern.  

“Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran,” write Anderson and Guarnieri.
“While the near majority of the victims are located in Iran, the remaining hosts are widely distributed around the world, with a higher concentration in the United States, Sweden, Germany and Iraq, locations with large Iranian diasporas or regional interests. Several compromised systems maintain a clear relationship to regional adversaries and foreign entities that Iran maintains an espionage interest in.”

Infy likes to send PowerPoint decks with malware embedded in the title slide. When clicked, they install software that Infy can use to log keystrokes and remove data. Interestingly, the group repeatedly used the name “Amin Jalali” to register the email addresses it uses in attacks. “The contact information on these domains have been updated in recent months with false identities attributed to Poland and India to masque the original registrant, however, the ownership and contact email remains the same,” they report.

Spear phishing is nothing new. But an intelligence service backed by the resources of a nation-state can make it far more effective. Anderson and Guarnieri document a slow and steady evolution in the sophistication and effectiveness of Infy attacks, moving from blank emails containing only files with provocative titles to tailored pitches aimed at specific individuals, primarily, Western media companies that might be in contact with dissidents. 

The level of impersonation grew significantly between the group’s early days and today. In 2016, “one message claimed to be from Mohammad Taghi Karroubi, the son of reformist politician Mehdi Karroubi who ran for presidency in the 2009 elections and has been under house arrest since February 2011,” they write.

Most important, Infy modifies its tactics once defenders sniff them out as Palo Alto’s Tomer Bar and Simon Conant documented within the past six months.

Defense One

You Might Also Read: 

Iran Turns Off The Internet:

Iran Responsible  For Cyber Attack On British Parliament:

Phishing Is  The Top Cyberattack Vector In 2017:

 

« Winter Olympics Targeted
Iran’s Cyber Capabilities »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Tripwire

Tripwire

Tripwire are a leading provider of risk-based security, compliance and vulnerability management solutions.

CloudHesive

CloudHesive

CloudHesive provides cloud solutions through consulting and managed services with a focus on security, reliability, availability and scalability.

STMicroelectronics

STMicroelectronics

ST is a global semiconductor leader delivering intelligent and energy-efficient products and solutions that power the electronics at the heart of everyday life.

Jetico

Jetico

Jetico provides pure & simple data protection software for all sensitive information throughout the lifecycle. Solutions include data encryption and secure data erasure.

Military Cyber Professionals Association (MCPA)

Military Cyber Professionals Association (MCPA)

MCPA are a team of Soldiers, Sailors, Airmen, Marines, Veterans and others interested in the development of the American military cyber profession.

PRODAFT

PRODAFT

PRODAFT, Proactive Defense Against Future Threats, is a cyber security and cyber intelligence company providing solutions to commercial customers and government institutions.

Griffiss Institute (GI)

Griffiss Institute (GI)

GI's primary role is to advocate and facilitate the co-operation of private industry, academia, and the Air Force Research Laboratory in developing solutions to critical cyber security problems.

BIO-key

BIO-key

BIO-key is a pioneer and innovator, we are recognized as a leading developer of fingerprint biometric authentication and security solutions.

Secuvant

Secuvant

Secuvant is an independent IT Security firm providing enterprise-grade IT security services to mid-market organizations.

stackArmor

stackArmor

stackArmor specializes in compliance and security-focused solutions delivered using our Agile Cloud Transformation (ACT) methodology.

Bright Pixel Capital

Bright Pixel Capital

Bright Pixel Capital is a venture capital company with a focus on Cybersecurity, Retail Technologies, Digital Infrastructure and Emerging Technologies.

Otava

Otava

Otava is a global leader of secure, compliant hybrid cloud and IT solutions for service providers, channel partners and enterprise clients.

Exalens

Exalens

With deep roots in AI-driven cyber-physical security research and intrusion detection, at Exalens, we are enhancing operational resilience for cyber-physical systems at the OT edge.

Europol - European Cybercrime Centre (EC3)

Europol - European Cybercrime Centre (EC3)

The European Cybercrime Centre (EC3) was set up by Europol to strengthen the law enforcement response to cybercrime in the EU.

Multipoint Group

Multipoint Group

Multipoint is an information security and protection solutions company operating in the South EMEA region through value-added distribution channels.

Center for Cyber Security Studies & Research (CFCS2R)

Center for Cyber Security Studies & Research (CFCS2R)

CFCS2R's mission is to empower individuals, organizations, and governments with the knowledge and tools necessary to protect against cyber threats.