The reports shine a light on the Iranian government’s use of myriad hacking groups to conduct extensive espionage against dissidents and other perceived threats to its regime. The hackers used the attacks to spy on targets’ phone calls, messages, location, photos and other sensitive data.
“To me, this shows the amount of complexity, the amount of resources the Iranian regime is putting into this campaign,” says Yaniv Balmas, head of cyber research at Check Point. “And it’s a complete invasion of the privacy of citizens.”
The two hacking groups, referred to as Domestic Kitten and Infy by Check Point researchers, used different methods for the same result: espionage. Check Point has shared the victims’ information with U.S. and European law enforcement.
The campaigns fit squarely into Iran’s cyber playbook, other researchers say.
Hackers working on behalf of the Iranian government deploy attacks against a wide range of targets at a constant rhythm, says Adam Meyers, senior vice president of intelligence at CrowdStrike, another firm following actors tied to Iran. In recent years, Iranian hackers have increasingly turned their attentions to the West, he says.
Researchers have tied more than a dozen separate hacking groups to the Iranian government over the past 15 years. Iran has routinely denied any involvement in the attacks. Iran’s Foreign Ministry did not return a request for comment for this story.
In addition to Iranian citizens, hackers have also increasingly gone after Western journalists, academics and researchers involved with Iran, and U.S. government employees. The attacks tend to escalate around political flash points.; Iranian hackers actively targeted the Trump campaign ahead of the 2020 election.
“This [new] report is also in line with our observation about the activity of Iranian state-backed hackers who were very active during the U.S. elections in November 2020,” said Amin Sabeti, founder at Certfa Lab, a research group that has tracked hacking campaigns from other groups linked to the Iranian government.
The most recent Domestic Kitten campaigns began in November around the U.S. election, Check Point reported. The Domestic Kitten campaign used fake versions of real apps to lure victims into installing malware that allowed hackers to spy on them. Since it launched in 2018, the group has targeted more than 1,2000 victims — successfully infecting more than 600.
“The technology in this campaign — it’s not really high tech,” Balmas says. “But what it does teach us — and maybe that’s the scary part about this — is you don’t need to be that sophisticated to be successful. And I think that should be a concern for everyone.”
The other group, Infy, sent emails with fake documents that, once opened, activated a spy tool on the victims’ computers, Check Point and researchers at another firm, SafeBreach, found. Infy has been active since 2007, making it one of Iran’s oldest known hacking groups.
According to researchers, Infy hackers took much more care to go undetected than Domestic Kitten. The group focused on a smaller pool of victims predominantly located in Turkey, Sweden and the Netherlands.
Since 2018, researchers at human rights group Miaan have uncovered hundreds of Iranian victims of cyberattacks targeting their personal information. The victims the group has helped probably represent only a fraction of hackers’ targets.
“The problem with the malware is it’s almost impossible for you to find out if your computer or phone is infected,” says Amir Rashidi, director of digital rights and security at Miaan. “And recovering any data from the infected device is virtually impossible without expert help.”