A newly identified threat group linked to Iran is surveilling specific individuals of interest by stealing data primarily from companies in the telecommunications and travel industries, according to a report FireEye published Tuesday.
FireEye is adding the group to its list of advanced persistent threats as APT39. While not outright saying the group is state-sponsored, researchers said that APT39 appears to be acting in support of Iranian state interests. That assessment is based on the group’s toolset overlap with other Iran-linked groups like APT33, APT34, Newscaster and Chafer.
Still, FireEye says APT39’s apparent objective and its choices of malware variants warrant classifying it as a new group.
“APT39’s focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals that serve strategic requirements related to Iran’s strategic national priorities,” Cristiana Kittner, FireEye principal analyst of cyber-espionage analysis, told CyberScoop by email.
It’s not clear who those individuals are, but FireEye says at least some targets are tied to other governments, which “suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making,” the report says.
APT39’s activities have a global reach, but the group is more focused on the Middle East, FireEye says. The report says the group has been observed targeting entities in Saudi Arabia, Iraq, Egypt, Turkey, the United Arab Emirates, Qatar, South Korea and the United States — and is suspected to have targets in Kuwait and Israel.
FireEye suggests that by targeting travel and telecommunications companies, APT39 can look for data pertaining to customers that are persons of interest to Iran.
“Targeting data supports the belief that APT39’s key mission is to track or monitor targets of interest, collect personal information, including travel itineraries, and gather customer data from telecommunications firms,” Kittner said. “APT39’s targeting not only represents a threat to known targeted industries, but it extends to these organizations’ clientele, which includes a wide variety of sectors and individuals on a global scale.”
FireEye says APT39 uses a combination of custom-made and publicly available hacking tools to compromise its targets. It typically starts with a spearphishing campaign, the report says, using malicious files and links to “domains that masquerade as legitimate web services and organizations that are relevant to the intended target.” Successful phishing results in a backdoor infection, after which the group uses common and custom tools to escalate privileges on the compromised computer and conduct reconnaissance.
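The report’s description of phishing links pointing at domains that masquerade as legitimate services maps directly onto a common mail-gateway detection: compare the sender and link domains in each message against an allowlist of the services an organization actually uses, and flag near-misses and brand names buried inside an unrelated registrable domain. The following is an added defensive example written for this article, not code from FireEye or from the report; the JSON log format, the field names (`from_domain`, `urls`), the allowlist entries and every sample log line are constructed placeholders, and the two-label “registrable domain” rule is a simplification that real deployments should replace with a public-suffix list.

```python
"""Flag lookalike sender/link domains in mail-gateway log lines.

Added illustrative example (not FireEye's or the report's code). Assumes a
hypothetical gateway that writes one JSON object per line with fields
"msg_id", "from_domain" and "urls", plus an allowlist of domains the
organization treats as legitimate.
"""
import json
from urllib.parse import urlparse

# Constructed allowlist of legitimate service domains (hypothetical names).
LEGIT_DOMAINS = {"example-airline.com", "example-telecom.net", "example.com"}

# Constructed sample log lines in the hypothetical gateway format.
SAMPLE_LOGS = [
    '{"msg_id": "1", "from_domain": "example-airline.com", '
    '"urls": ["https://example-airline.com/itinerary"]}',
    '{"msg_id": "2", "from_domain": "examp1e-airline.com", '
    '"urls": ["http://examp1e-airline.com/login"]}',
    '{"msg_id": "3", "from_domain": "news.example.com", "urls": []}',
    '{"msg_id": "4", "from_domain": "mail.example-telecom.net.billing-portal.xyz", '
    '"urls": ["http://example-telecom.net.billing-portal.xyz/x"]}',
    '{"msg_id": "5", "from_domain": "partner.org", "urls": ["https://partner.org/doc"]}',
]

# Maximum edit distance at which a registrable domain counts as a near-miss.
NEAR_MISS_THRESHOLD = 2


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Naive registrable domain: last two labels (assumption; use a
    public-suffix list in production, where 'co.uk'-style suffixes exist)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_domain(domain, allowlist=LEGIT_DOMAINS):
    """Return None if the domain is trusted, else a short reason string."""
    d = domain.lower().rstrip(".")
    reg = registrable(d)
    if reg in allowlist:
        return None  # exact match or a subdomain of a legitimate domain
    for legit in sorted(allowlist):
        # A legitimate name embedded under a different registrable domain,
        # e.g. example-telecom.net.billing-portal.xyz
        if legit in d:
            return f"embeds {legit} under {reg}"
        # A small edit away from a legitimate domain, e.g. examp1e for example
        if levenshtein(reg, legit) <= NEAR_MISS_THRESHOLD:
            return f"near-miss of {legit}"
    return None


def host_of(url):
    """Hostname portion of a URL, or empty string if it has none."""
    return urlparse(url).hostname or ""


def scan(lines):
    """Return [(msg_id, {domain: reason})] for messages with suspicious domains."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        domains = [rec["from_domain"]] + [host_of(u) for u in rec.get("urls", [])]
        reasons = {}
        for dom in domains:
            if not dom:
                continue
            reason = classify_domain(dom)
            if reason:
                reasons[dom] = reason
        if reasons:
            findings.append((rec["msg_id"], reasons))
    return findings


if __name__ == "__main__":
    for msg_id, reasons in scan(SAMPLE_LOGS):
        for dom, why in reasons.items():
            print(f"msg {msg_id}: {dom}: {why}")
```

On the constructed sample, messages 2 and 4 are flagged (a one-character substitution and an embedded brand name respectively) while message 3, a genuine subdomain of an allowlisted domain, is not. The edit-distance threshold is a tuning knob: too high and short allowlisted domains collide with unrelated ones, too low and single-character swaps slip through.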
Kittner said the group has been active as recently as the past six months, although there’s been a “regular pace of activity from APT39 since 2014.”
“APT39’s activity showcases Iran’s potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals,” the report says.
UPDATE — Jan. 20, 2019, 1:20 p.m. E.S.T. — This story initially reported that FireEye observed APT39 targeting Norway and Australia, based on a map in the company’s report. FireEye says the map was mislabeled and has been updated, and that those countries have not been targeted at this time.