Cybersecurity firm FireEye claims to have identified an Iranian hacking group which is attacking telcos around the world.
FireEye exposed the group called ‘APT39’ last month. APT39’s main goal appears to be stealing personal information.
According to FireEye, this goal makes APT39 somewhat unique. Other Iranian hacking groups tracked by the cybersecurity firm are linked to influence operations, disruptive attacks, and other threats.
In a blog post, FireEye wrote:
“APT39 likely focuses on personal information to support monitoring, tracking, or surveillance operations that serve Iran’s national priorities, or potentially to create additional accesses and vectors to facilitate future campaigns.”
APT39 primarily uses the backdoors known as ‘CACHEMONEY’ and ‘SEAWEED’ in addition to a variant of the ‘POWBAT’ backdoor.
The group focuses on targets in the Middle East but has been linked to countries elsewhere in the world. Perhaps to be expected, the US is among its targets.
FireEye has produced the following map showing countries APT39 is linked with:
Considering APT39’s goal of collecting personal data and espionage, it’s of little surprise telcos are its main target. Others sectors targeted include the ‘high-tech’ and travel industries.
FireEye has ‘moderate confidence’ APT39 is working to advance Iranian state interests.
In a sheer coincidence, US intelligence officials unveiled their latest ‘Worldwide Threat Assessment’ today. The report states Iran continues to "present a cyber espionage and attack threat" to the US and its allies.
"Iran uses increasingly sophisticated cyber techniques to conduct espionage; it is also attempting to deploy cyberattack capabilities that would enable attacks against critical infrastructure in the United States and allied countries," the report warns.
Tensions between Iran and the US are strained over President Trump’s decision to withdraw from the Iran nuclear deal and reimpose sanctions. Given the breakdown in relations, it’s unlikely the cyber threat from Iran will cease anytime soon.
Last week, Iran-linked hackers took advantage of the US government’s record-long shutdown to launch a cyberattack.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam to learn more.