U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence

Filed under Security News.

The U.S. government on Thursday imposed sweeping sanctions against an Iranian threat actor backed by the country’s Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors.

According to the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions target Rana Intelligence Computing Company (or Rana), which the agencies said operated as a front for the threat group APT39 (aka Chafer or Remix Kitten), an Iranian cyber-espionage collective active since 2014 and known for its attacks on companies in the U.S. and the Middle East, aimed at pilfering personal information and advancing Iran’s national security objectives.

To that end, 45 individuals who served in various capacities while employed at the front company, including as managers, programmers, and hacking experts, have been named in the sanctions, which also prohibit U.S. companies from doing business with Rana and its employees.

“Masked behind its front company, Rana Intelligence Computing Company (Rana), the Government of Iran’s Ministry of Intelligence and Security (MOIS) has employed a years-long malware campaign that targeted and monitored Iranian citizens, dissidents, and journalists, the government networks of Iran’s neighboring countries, and foreign organizations in the travel, academic, and telecommunications sectors,” the FBI said.

Rana is also believed to have targeted Iranian private sector companies and academic institutions, including Persian language and cultural centers inside and outside the country.


APT39’s Long History of Espionage Activities

Earlier this May, Bitdefender uncovered two cyberattacks directed against critical infrastructure in Kuwait and Saudi Arabia, in which victims were compromised via spear-phishing emails containing malicious attachments, after which various intrusion tools were used to gain an initial foothold and collect sensitive data from infected systems.

APT39 has a history of hacking into targets spanning over 30 countries in the Middle East, North Africa, and Central Asia, and at least 15 U.S. companies in the travel sector have been compromised by Rana’s malware, with the unauthorized access used to track the movements of individuals whom MOIS considered a threat.

Aside from formally connecting the activities of APT39 to Rana, the FBI detailed eight separate and distinct sets of previously undisclosed malware used by the group to conduct its computer intrusion and reconnaissance activities, which comprise:

  • Microsoft Office documents laced with Visual Basic Script (VBS) malware, delivered via social engineering techniques
  • AutoIt malware scripts embedded in Microsoft Office documents or delivered via malicious links
  • Two different versions of BITS malware used to aggregate and exfiltrate victim data to actor-controlled infrastructure
  • A screenshot and keylogger utility that masqueraded as the legitimate Mozilla Firefox browser
  • A Python-based downloader to fetch additional malicious files to the victim machine from a command-and-control (C2) server
  • An Android implant (“optimizer.apk”) with information-stealing and remote access capabilities
  • “Depot.dat” malware for collecting screenshots, capturing keystrokes, and transmitting the information to a remote server under the group’s control


A Series of Charges Against Iranian Hackers

The sanctions against APT39 are the latest in a string of actions undertaken by the U.S. government over the last few days against Iran, which also include charges against three hackers for engaging in a coordinated campaign of identity theft and hacking on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) to steal critical information related to U.S. aerospace and satellite technology companies.

Last but not least, the Cybersecurity and Infrastructure Security Agency (CISA) warned of an Iran-based malicious cyber actor targeting several U.S. federal agencies by exploiting unpatched VPN vulnerabilities to amass sensitive data and even sell access to the compromised network infrastructure on an online hacker forum.

“This week’s unsealing of indictments and other disruptive actions serves as another reminder of the breadth and depth of Iranian malicious cyber activities targeting not only the United States, but countries all over the world,” John C. Demers, Assistant Attorney General for National Security, said in a statement.

“Whether directing such hacking activities, or by offering a safe haven for Iranian criminal hackers, Iran is complicit in the targeting of innocent victims worldwide and is deepening its status as a rogue state.”


The information in this post is gathered from The Hacker News.