Telegram icon on smartphone showing Iranian hackers surveillance operation

Six-Year Surveillance Operation by Iranian Hackers Targeted Dissidents, Tracked Locations and Stole Personal Information

A six-year surveillance operation tied to state-sponsored Iranian hackers appears to have massively violated the privacy of expats and dissidents from the country, scooping up personal documents and tracking phone location data.

The espionage campaign honed in on known or suspected members of organizations that oppose the Iranian government; primarily the Azerbaijan National Resistance Organization, the Association of Families of Camp Ashraf and Liberty Residents (AFALR), and the Balochistan peoples of Pakistan and Afghanistan. Iranian hackers phished the computers of targets to steal victims’ personal information and made use of Android backdoors to penetrate phones, intercept text messages and track GPS location.

How Iranian hackers digitally monitor dissident groups

Dubbed “Rampant Kitten,” the surveillance operation was discovered and investigated by leading threat intelligence firm Check Point Research. The first incident was a malicious macro embedded in a Word document purporting to be from the Revolutionary Cannons, an Iranian anti-regime organization based in Albania. The malicious document targeted users of Telegram, the security-focused instant messaging app popular among dissident groups. It delivered a payload that would check the victim’s computer for a Telegram installation and upload files needed to take over the target account. It also combed the computer for certain file extensions and exfiltrated them all, copied the clipboard data, took desktop screenshots and stole information from the KeePass password manager (when present).

Dates of the files used in the malicious payload indicate that these attacks date back as far as 2014, though the methods used have evolved over time. The payload has gone through several changes which seem to have initiated in February 2018 and most recently updated this past June. Numerous individuals and groups appear to have been targeted with similar malicious macros embedded in Word documents during this time.

A separate Android backdoor was also deployed, in the form of a bogus app that purports to help Persian language speakers in Sweden to get a driver’s license. Once installed, the app created a backdoor that provided the Iranian hackers with a wide variety of information. Compromised phones had their SMS messages and contact information stolen, new messages forwarded to the attackers (including those protected with 2FA), voice recordings made and forwarded, and device information such as running apps and processes logged and exfiltrated. The backdoor also assisted the Iranian hackers in attempting to phish Google account credentials, periodically presenting the victims with a fake Google login page designed to look like the real thing.

The regime was also attempting to phish Telegram users without the use of payloads or backdoors, deploying a number of fake login pages with URLs similar to the legitimate site. A Telegram bot was used against targets of the surveillance operations, sending them a fake warning about account abuse and attempting to direct them to these bogus login pages.

Tracking the surveillance operation

The Check Point security researchers found a number of threads linking this surveillance operation back to Iranian hackers.

The first is the WHOIS registration information of some of the fake Telegram domains, which publicly listed Iranian individuals based in Tehran. Additionally, one of the registrant’s email addresses led to posts in Iranian hacking forums when the username was Googled.

The target selection also almost exclusively consists of organizations that are in declared opposition to the Iranian regime, such as the Mujahedin-e Khalq and the Azerbaijan National Resistance Organization which advocate for the liberation of minorities within the country. Iran is home to a wide variety of both ethnic and religious minority groups that collectively are estimated to make up about 35% to 49% of the country’s overall non-Persian population. In spite of these numbers and an Iranian constitutional guarantee of freedom of cultural expression, the UN General Assembly has noted that discrimination and human rights violations have persisted for decades in the country.

The KeePass theft functionality of the malicious payload also lines up with a malware alert issued by the FBI and CISA on September 15 warning of Iranian hackers using various types of malicious web shells. Though it is still unclear if there is a direct connection, the US also recently charged two Iranian nationals who had been living in New Jersey with a hacking spree believed to have been carried out in service to the Iranian government. The hackers targeted Iranian political dissidents and opponents of the regime located throughout the world using remote-access trojans and keyloggers as part of a similar surveillance operation.

Is 2FA safe from state-sponsored hackers?

While it is widely believed that state-sponsored groups such as the Iranian hackers have methods to defeat 2FA verifications, there is little real knowledge as to exactly how they do it. The insights into this surveillance operation provide a rare glimpse into these methods. As it happens, at least for the Iranian hackers, these threat actors seem to be focusing on bypassing these methods via various known OS and software/app exploits after gaining a foothold on target devices via a combination of malware and phishing.

Dates of the files used in the malicious payload indicate that #cyberattacks date back as far as 2014, though the methods used have evolved over time. #cybersecurity #respectdataClick to Tweet

Lotem Finkelsteen, Manager of Threat Intelligence at Check Point, provided some small amount of advice on appropriate defenses against the measures deployed in this surveillance operation: “After conducting our research investigation, a few things stood out. First, there’s a striking focus on instant messaging surveillance. Although Telegram is un-decryptable, it is clearly hijack-able. Instant messaging surveillance, especially on Telegram, is something everyone should be cautious and aware of. Second, the mobile, PC and web phishing attacks are all connected to the same operation. Meaning, these operations are managed according to intelligence and national interests, as opposed to technological challenges. We will continue to monitor different geographies across the world to better inform the public around cyber security.”


Senior Correspondent at CPO Magazine