The Iranian government has been spying on its citizens, Kurdish and Turkish natives, and ISIS supporters since at least 2016, using mobile applications that carry malware. The operation has been dubbed Domestic Kitten
The Iranian government has been spying on its citizens through mobile applications since at least 2016, in an operation named Domestic Kitten. It was discovered by Check Point cyber security experts. Recent investigations reveal an extensive and targeted attack that has been taking place since 2016 and, until now, has remained under the radar due to the artful deception of its attackers towards their targets. “Through the use of mobile applications”, the company blog reported, “those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them. Interestingly, these targets include Kurdish and Turkish natives and ISIS supporters. Most interesting of all, though, is that all these targets are actually Iranian citizens”.
Check Point cyber security experts: The malware collects data including contact lists stored on the mobile device, phone call records, SMS messages, browser history and bookmarks, geo-location of the victim, photos, surrounding voice recordings and more
The malware collects data including contact lists stored on the victim’s mobile device, phone call records, SMS messages, browser history and bookmarks, geo-location of the victim, photos, surrounding voice recordings and more. Operation Domestic Kitten moreover targets specific groups, starting with the Iranian ones. “While the exact identity of the actor behind the attack remains unconfirmed,” Check Point cyber security researchers continued, “current observations of those targeted, the nature of the apps and the attack infrastructure involved leads us to believe this operation is of Iranian origin. In fact, according to our discussions with intelligence experts familiar with the political discourse in this part of the world, Iranian government entities, such as the Islamic Revolutionary Guard Corps (IRGC), Ministry of Intelligence, Ministry of Interior and others, frequently conduct extensive surveillance of these groups”.
Surveillance programs like Domestic Kitten are used against individuals and groups that could pose a threat to the stability of the Iranian regime
“These surveillance programs are used against individuals and groups that could pose a threat to stability of the Iranian regime,” the investigation revealed. “These could include internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish minority settled mainly in Western Iran. While our investigation is still in progress, the research reveals the full extent of these targeted attacks, its infrastructure and victims and the possible political story behind it. In the meantime, we have dubbed this operation ‘Domestic Kitten’ in line with the naming of other Iranian APT attacks”.
Fake tailored apps as a lure to download malware
Victims are first lured into downloading applications that are believed to be of interest to them. The apps included an ISIS-branded wallpaper changer, “updates” from the ANF Kurdistan news agency and a fake version of the messaging app Vidogram. The main functionality of the ISIS-themed application is setting wallpapers of ISIS pictures, so it seems to be targeting the terror organization’s advocates. Curiously, its Arabic name is grammatically incorrect (“دولةخلافةالاسلامیة”, which should instead be “دولةالخلافةالاسلامیة”). As for the ANF, while the agency is a legitimate Kurdish news website, its app has been fabricated by the cyber attackers to pose as the legitimate one in order to deceive their targets. Due to the names and content offered by those applications, Check Point specialists “believe that specific political groups and users, mainly ISIS supporters and the Kurdish ethnic group, are targeted by the operation”.