Iranian APT Believed to Be Targeting Citizens

A state-sponsored mobile surveillance operation, similar in pattern to previous operations launched by the Iranian government against individuals, has been identified by researchers at Check Point.   

The researchers have uncovered a mobile-based attack targeting Iranian citizens that operates with such a low profile it has flown under the radar of detection since 2016. The attack patterns are similar to other Iranian APT (advanced persistent threat) attacks, and researchers have dubbed this latest discovery “Domestic Kitten,” keeping in line with both “Rocket Kitten” and “Charming Kitten.” Applying the kitten term is reportedly a reflection of a low level of respect for the group's hacking methods.

The attack uses fake, decoy content to entice its targets into downloading mobile applications which are loaded with spyware. According to researchers, the malicious Android mobile apps include an ISIS-branded wallpaper changer, which apparently targets advocates of the terrorist organization.

In addition, a fake "update" app from the legitimate ANF Kurdistan News attempts to deceive targets with specious content. The content offered by the application suggests that the targets are the Kurdish ethnic group. Additionally, the actors have also used a fake version of the Vidogram messaging app.

These apps collect sensitive information about the targeted people, collecting data from the targets’ mobile devices which includes contact lists, phone call records, SMS messages, web browser histories and bookmarks, geolocation of the victim, photos, voice recordings and more.

The highly targeted individuals reportedly include Kurdish and Turkish natives and ISIS supporters. One of the strongest commonalities among the attacks is that the majority of the nearly 240 people identified are Iranian citizens.

While researchers have not identified the exact actors behind the attack, they have determined through their observations that the nature of the apps and the attack infrastructure appear to be the work of Iranian actors.

“Such surveillance programs are used against individuals and groups that could pose a threat to the stability of the Iranian regime, including internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish minority settled mainly in Western Iran,” researchers wrote.

What’s Hot on Infosecurity Magazine?