Iran appears to be broadening its presence in cyberspace, stealing information that would allow its cyber spies to monitor and track key political and business officials.
As part of this growing focus, Iranian-linked cyber actors are using phishing emails and stolen credentials to infiltrate telecommunication companies and the travel industry in order to steal personally identifiable information they can use in future operations.
The main culprit, according to a report released Tuesday by cybersecurity firm FireEye, is a group known as Advanced Persistent Threat 39, or APT 39. FireEye maintains the group, active since 2014, has been working “in support of Iranian national interests,” showing an ability to hit targets across the Middle East and beyond.
“APT 39’s focus on the widespread theft of personal information sets it apart from other Iranian groups,” the report said, warning the activity “showcases Iran’s potential global operational reach.”
“They are targeting a number of telecommunication and information technology entities and really going after just large amounts of PII [personally identifiable information],” said FireEye Senior Analyst Cristiana Kittner.
“Once in the network, they’re looking at phone logs and employee records and airline records,” she added. “Our assessment is that the PII is being stolen both for general surveillance as well as for specific targets, including high profile people and potentially political individuals and those that have significant roles in strategic affairs related to the country.”
Kittner said APT 39 has even gone after visa and passport information, searching through keystroke logs to try to get what it wants.
And while most of the companies that have been targeted by APT 39 are in the Middle East (Saudi Arabia, Iraq, Egypt, Turkey and the United Arab Emirates), the group’s pursuit of telecommunications and travel industry data has led it further afield. Companies in Norway, South Korea, Australia and the United States may also have been affected.
The report from FireEye follows similar warnings from other cybersecurity firms, which have increasingly voiced concern about Iranian-linked cyber actors targeting the telecommunications and travel sectors. And there is likely to be debate over just how new APT 39 may be.
Much of APT 39’s activity aligns with that of the Iranian-based cyber group known as Chafer, which was identified by the cybersecurity firm Symantec in 2015, and which has also focused on the telecommunications, travel and IT industries.
“Chafer has become notably more ambitious,” Symantec told VOA in a statement. “Over the past two years, the group moved their attacks up the supply chain in the industries they typically target, and these supply chain attacks may allow Chafer to reach a broader set of victims in each industry they target.”
Other experts and analysts worry advances by APT 39 and Chafer show that Tehran, already a formidable actor in cyberspace, has further refined its cyber espionage doctrine and will soon find more ways to use cyber spying to gain an advantage, economically and politically.
“Iran’s leveraging these capabilities in order to identify suppliers…where they’re shipping certain things to,” said David Kennedy, the chief executive officer at the IT security consulting firm TrustedSec. “They may have the ability to snag individuals or pick them up.”
“The methods that they use are very effective for going against a lot of different companies,” added Kennedy, who previously served with the U.S. National Security Agency and with the Marine Corps electronic warfare unit.
European officials, meanwhile, worry that this is just the start, and that Iranian cyber actors are only going to get more ambitious as the U.S. and Western powers increase pressure on Tehran in response to its missile tests and nuclear activity.
“Newly imposed sanctions on Iran are likely to push the country to intensify state-sponsored cyberthreat activities in pursuit of its geopolitical and strategic objectives at a regional level,” the European digital security agency warned in a report Monday.
U.S. officials have also warned of Iran’s growing prowess in cyberspace.
This past November, the U.S. indicted two Iranian hackers for using the SamSam ransomware to extort millions of dollars from U.S. municipalities, hospitals and other public institutions.
And in March of last year, U.S. prosecutors charged nine Iranian hackers with penetrating the computer networks of hundreds of universities and institutions to steal research material.