FireEye cyber security experts: Iranian APT39 is using off-the-shelf tools for a cyber espionage campaign aimed at stealing personal information, especially in the Middle East. The group targets the telecommunications sector, the travel industry, IT firms and the high-tech industry.
The Iranian state-sponsored hackers of APT39 are using a broad range of custom and off-the-shelf tools for a cyber espionage campaign aimed at stealing personal information, as discovered by FireEye cyber security experts. According to the company, the group “likely focuses on personal information to support monitoring, tracking, or surveillance operations that serve Iran’s national priorities, or potentially to create additional accesses and vectors to facilitate future campaigns”. The malicious hackers primarily leverage the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39’s targeting scope is global, its activities are concentrated in the Middle East, although there have also been cyber attacks against the U.S. and South Korea. The group has prioritized the telecommunications sector, with additional targeting of the travel industry, the IT firms that support it, and the high-tech industry.
The goal of the Iranian state-sponsored hackers is to monitor, track, or surveil specific individuals, collect proprietary or customer data, or facilitate future campaigns. APT39 is distinct from APT34, but the two groups could work together.
According to FireEye, APT39’s focus on the telecommunications and travel industries suggests an intent to perform monitoring, tracking, or surveillance operations against specific individuals, to collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or to create additional accesses and vectors to facilitate future campaigns. The targeting of government entities suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making. Targeting data supports the belief that APT39’s key mission is to track or monitor targets of interest, collect personal information, including travel itineraries, and gather customer data from telecommunications firms. The cyber security experts believe that APT39 and APT34 (another Iranian threat group) share some similarities, including malware distribution methods, POWBAT backdoor use, infrastructure nomenclature, and targeting overlaps. The two groups are distinct, but could work together or share resources at some level.