A group of Iranian hackers believed to have ceased operations has renewed its activity, researchers at Check Point said Tuesday. They claim that computers across the world were infected with malicious software that allows attackers to record their victims’ screens and audio.
The group, called Infy or Prince of Persia, was discovered in 2007 and was active for about ten years. At the time, a massive operation by the hackers targeted firms in the United States and in Israel, as well as Danish diplomats, and was revealed by cybersecurity firm Palo Alto Networks. The firm worked to take down the so-called advanced persistent threat, or APT – an industry term for state-sponsored hackers – and Infy has been dormant since.
But new research published on Tuesday by Check Point and SafeBreach Labs reveals that the group, considered one of Iran’s earliest, has “renewed activity.” Researchers said that “following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities.”
In the world of cybersecurity, OPSEC – or “operational security” – is the attempt to conceal an attack, and is a form of tradecraft usually reserved for state actors. Criminal hackers are rarely concerned about covering their tracks, while government actors work to hide them.
In the past, the hacker group has focused on Iranian dissidents and critics of the regime, and is continuing to do so, Yaniv Balmas, head of cyber research at Check Point, told Haaretz.
The group was particularly active during the 2013 Iranian presidential elections, when it targeted journalists and what researchers described as “civil society members and activists.” The group then toned down its activities until it resurfaced in 2016, when it targeted Israeli and U.S. targets, as well as Danish diplomats, in an attack called Operation Mermaid.
The same software has now resurfaced. While earlier versions of the malware worked by tricking users into clicking a link that would run a program on their computer, the new version of the nefarious program has changed its delivery mechanism. Victims are now sent a document in Persian with information about Iranian officials – one that would interest dissidents and critics of the government. The victim opens the document, and after they close it, it runs a program that downloads the actual virus and installs it on the victim’s computer. Once infected, the program can record the user’s screen and even remotely operate their microphone, thus giving the Iranian hackers access to a trove of information.
Check Point told Haaretz they have found over 1.5 gigabytes of personal information, documents, audio and video recordings stolen during the new operation in 2020. The majority of the victims are in northern Europe: The highest number hail from Sweden and the Netherlands, followed by the United States and Turkey. In a number of states, including India, Iraq, the United Kingdom, Russia, Germany and Canada, only one infected system has been found thus far. Check Point did not share the actual materials the hackers stole with Haaretz, citing privacy concerns of the victims.
Balmas, who was involved in the research, explains that though the campaign had a relatively small number of victims, Infy’s return by itself “raises the level of potential threat they pose, and shows how determined the Iranians are to use the tools and forces they have at their disposal.” He added that there very well may be other, unknown, victims.
While earlier Infy campaigns also included Israeli targets, the new operation did not. Balmas explained that it is actually “not surprising there are no Israeli victims, because the focus of this group is attacking Iranian dissidents, and there are none of those in Israel, but quite a few of them in Iran, Europe and the United States.”
He added that most of the recent victims were civilians, “usually those affiliated with dissident activity or close to critics of the regime. Usually these are Iranian expats in the United States or Europe, but past research into the group has shown they also target diplomats and even journalists across the globe.”
Source: Haaretz