- Malware and phishing-related attacks linked to a private group based in the city of Mashhad called Andromedaa.
Dubai: Iranian hackers have been secretly gathering intelligence on potential opponents to the Iranian regime for years, breaking into cellphones and computers, stealing their private and secure communications via Telegram and other social networks.
According to cybersecurity firm Check Point Software Technologies and Miaan Group, a human rights organisation that focuses on digital security in the Middle East, the hackers targeted Iranian minorities, anti-regime organisations and resistance movements such as the Association of Families of Camp Ashraf and Liberty Residents (AFALR), the Azerbaijan National Resistance Organisation and Balochistan citizens.
The majority of targets were from Iran’s ethnic and religious minority communities, including Turks, Sufi Muslims, and Sunni Arabs.
Check Point’s report revealed that a large-scale operation had managed to remain under the radar for at least six years.
Regardless of encryption, secure coding and even the most modern security infrastructure based on concepts such as zero trust, Morey Haber, CTO and CISO at BeyondTrust, told Tech Channel News that if a threat actor has a user’s credentials, that user is at high risk of being compromised.
“To that end, social engineering attacks are the easiest way for a threat actor to obtain even the most complex passwords, and even with security layers like two-factor authentication, an individual can be compromised and their resources owned,” he said.
The recent breach affecting Twitter has proven that if a threat actor can operate within an organisation (or target an individual), he said, security and monitoring layers can be circumvented to carry out the threat actor’s nefarious mission.
“It is unknown, however, how the Iranian hacker group has infiltrated these communication applications. Are they operating on the inside, similar to the attack against Twitter? Have they compromised cellular and WiFi infrastructure and can monitor communications like a man-in-the-middle attack?
Nothing is 100% safe
“Or, have they been able to target key individuals and obtain their credentials via the techniques described above? The attack is broad and affects mobile devices and regular computers. This implies that the technique is more than a simple application-based vulnerability and could be a compromise of other applications commonly loaded on devices and used for lateral movement to target the messaging applications,” he said.
If true, he said, this would be akin to sideloading an application through a legitimate process and obfuscating surveillance code within it.
“While this sounds far-fetched, even the strictest application stores, such as Apple’s, have made mistakes allowing malware onto devices. One thing is clear and should be remembered by everyone. No electronic communication system or security solution is 100 per cent effective from being compromised,” he said.
By design, some have a much lower risk, but if credentials for the application are stolen, he said, there is always an entry point through what is normally considered a valid front door for application access. And even then, he added, malware and other attack vectors can create backdoors to obtain the necessary access for illegitimate purposes.
Since early 2018, Miaan researchers have been tracking malware used in a series of cyberattacks on Iranian dissidents and activists, and have uncovered hundreds of victims of malware and phishing attacks that stole data, passwords, personal information and more.
Targeting specific groups
The research was initiated by a report published in February 2018 by the Centre for Human Rights in Iran (CHRI) describing how this malware targeted the web administrator of Majoban Noor, the news website for Iran’s Nematollahi Gonabadi Sufi order.
Over two years later, in June 2020, it became apparent that the malware and phishing-related attacks were linked to a private group based in the city of Mashhad called Andromedaa.
Andromedaa had been using the same command-and-control server as the attackers and had registered several website domains used for phishing and malware distribution.
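The linkage described above rests on infrastructure overlap: domains that resolve to the same command-and-control server, or that share a registrant, are clustered together. The following Python is an added illustration of that analyst pivot and is not code from the article, Check Point or Miaan; every domain, IP address and registrant label in it is constructed placeholder data, and the two-key pivot (IP and registrant) is an assumption about how such a cluster is built, not a description of either firm's method.

```python
"""Infrastructure-overlap pivot: starting from one confirmed malicious
domain, collect every other domain that shares a resolving IP (a candidate
C2 server) or a registrant record, up to a bounded number of hops.

All records below are constructed for illustration; the domains, IPs
(RFC 5737 documentation ranges) and registrant labels are placeholders.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed passive-DNS / WHOIS-style observations (not real data).
RECORDS: List[Dict[str, str]] = [
    {"domain": "update-check.example", "ip": "198.51.100.10", "registrant": "reg-a"},
    {"domain": "tlgrm-login.example",  "ip": "198.51.100.10", "registrant": "reg-a"},
    {"domain": "app-store-ir.example", "ip": "198.51.100.10", "registrant": "reg-b"},
    {"domain": "news-mirror.example",  "ip": "203.0.113.7",   "registrant": "reg-a"},
    {"domain": "unrelated.example",    "ip": "192.0.2.55",    "registrant": "reg-c"},
]


def index_by(records: List[Dict[str, str]], key: str) -> Dict[str, Set[str]]:
    """Map each distinct value of `key` (ip or registrant) to the domains carrying it."""
    idx: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        idx[rec[key]].add(rec["domain"])
    return idx


def pivot(records: List[Dict[str, str]], seeds: List[str], max_hops: int = 2) -> Dict[str, Set[str]]:
    """Return {domain: reasons} for every domain reachable from the seeds.

    A reason is 'seed', 'shared_ip:<ip>' or 'shared_registrant:<id>', so an
    analyst can see *why* a domain was pulled into the cluster.  `max_hops`
    bounds transitive pivots, which otherwise drift into unrelated hosting.
    """
    by_ip = index_by(records, "ip")
    by_reg = index_by(records, "registrant")
    by_domain = {rec["domain"]: rec for rec in records}

    linked: Dict[str, Set[str]] = {d: {"seed"} for d in seeds if d in by_domain}
    frontier = set(linked)
    for _ in range(max_hops):
        newly_found: Set[str] = set()
        for dom in frontier:
            rec = by_domain[dom]
            for key, idx, label in (("ip", by_ip, "shared_ip:"),
                                    ("registrant", by_reg, "shared_registrant:")):
                for other in idx[rec[key]]:
                    if other == dom:
                        continue
                    reasons = linked.setdefault(other, set())
                    if not reasons:          # first time we see this domain
                        newly_found.add(other)
                    reasons.add(label + rec[key])
        frontier = newly_found
        if not frontier:
            break
    return linked


if __name__ == "__main__":
    cluster = pivot(RECORDS, ["update-check.example"])
    for dom, why in sorted(cluster.items()):
        print(f"{dom:24s} {sorted(why)}")
```

Run stand-alone it prints the four clustered domains with the evidence that tied each one in; `unrelated.example` shares neither an IP nor a registrant with the seed and stays out. In practice the same loop would be fed real passive-DNS and registration data, and the hop limit is what keeps a shared commercial hosting IP from dragging in every tenant on the box.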
Investigation revealed that there are two main people behind Andromedaa – Homayoon Zohoorian Ghanad and Mohammad Reza Sabeti Baygi.
Sabeti Baygi has two apps on Apple’s App Store associated with Andromedaa.
In December 2017, Ghanad’s website, which featured many of Andromedaa’s applications, was all but deactivated and he then registered a new company. It seems he started to clear his footprint from the Internet.
However, based on archived copies of his website from https://web.archive.org/, he had stated on the site that he was working for Andromedaa and listed Andromedaa’s applications as samples of his work.
Some of Andromedaa’s activities were independently identified by Talos Intelligence and the Centre of Iranian National Computer Emergency Response Team (Maher).
Miaan researchers noticed a pattern that the attacks were repeatedly targeting political activists, journalists, human rights defenders, lawyers, student activists, and others.
The targeting of specific groups, along with other suspicious aspects of the hacking efforts, points to a state-sponsored programme. However, as reported by Maher, Andromedaa also developed broad phishing and malware tools that targeted the general public of Iranian internet users.
According to industry experts, China has the largest number of active APTs and threat actor groups of any country, followed by Russia, Iran and North Korea.