London, 13 Sep – Cyber security firm Check Point has recently uncovered an extensive attack that has been targeting Iranians citizens and Kurdish residents since 2016.
The hackers are creating malicious applications – an ANF Kurdistan news agency app and a fake version of the messaging app, Vidogram – infected with spyware to collect sensitive data, that unwitting victims download onto their mobile phones.
Information collected includes: contact lists, call records, clipboard content, application list, SMS messages, browser history, bookmarks, geo-location, photos, surrounding voice recordings and more. It is believed that the information will be leveraged at a later point for the hackers to take further action against them.
Who is responsible for the attacks?
It’s hard to say who is behind the attacks, but based on the targets, the nature of the apps and the attack infrastructure Check Point believes that the attack is coming from Iran and, after discussions with intelligence experts, from Iranian government entities, such as the Islamic Revolutionary Guard Corps (IRGC), Ministry of Intelligence, and Ministry of Interior, among others.
They wrote: “When most of the victims are actually Iranian citizens, it raises more pertinent questions about who may be behind the attack. Due to the attack infrastructure and its consistency with previous investigations of state-sponsored Iranian operations covered by Check Point researchers, we were led to believe that Iranian government agencies may well be behind the campaign.”
They came to this conclusion, because Iran frequently targets those who it considers a threat to the government, including Iranians advocating for political change, Kurdish people demanding their Rights, or Western groups who support these causes.
This type of cyber operation is not at all uncommon for Iran, who prefer to use cyber attacks (and proxy groups) to attack their enemies in a sort of asymmetric warfare, to protect the mullahs from harm and give them plausible deniability.
How many victims are there?
Check Point is still investigating the cyber threat that they named ‘Domestic Kitten’, but they have revealed that there are at least 240 victims so far, with 97% of them being Iranian. However, a significant number of victims from Afghanistan, Iraq and Great Britain were also found.
However, Check Point believes that the actual number is much higher as the attackers can harvest contacts on the phones of all victims, as well as store their call and SMS data.
They wrote: “The private information of thousands of totally unrelated users has also been compromised.”