45 hackers associated with APT39, an Iranian hacker group, were sanctioned this week by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) for running a malware campaign targeting Iranian dissidents, journalists, and international companies in the travel sector.
According to security firm FireEye, APT39 has been active since at least November 2014, and what sets the group apart is its focus on stealing personal information "to support monitoring, tracking, or surveillance operations that serve Iran’s national priorities, or potentially to create additional accesses and vectors to facilitate future campaigns."
The state-backed group operates mainly in the Middle East and the United States, and its targets are chiefly organisations and individuals in the telecommunications and travel industries. It is known to use the SEAWEED and CACHEMONEY backdoors, along with variants of the POWBAT backdoor, to steal data from targeted entities.
According to the US Department of Justice, APT39 is associated with Iran's Ministry of Intelligence and Security (MOIS), which has tasked the group with targeting Iran’s own citizens, the government networks of Iran’s neighbouring countries, and U.S.-based travel services companies. The group is also tracked under the names Chafer, Remexi, Cadelspy, and ITG07, and it operates through a front company, Rana Intelligence Computing Company.
On Thursday, OFAC imposed financial sanctions on 45 members of APT39 who allegedly ran a years-long malware campaign targeting Iranian dissidents, journalists, and international companies in the travel sector.
"The 45 designated individuals served in various capacities while employed at Rana, including as managers, programmers, and hacking experts. These individuals provided support for ongoing MOIS cyber intrusions targeting the networks of international businesses, institutions, air carriers, and other targets that the MOIS considered a threat," OFAC said in a press release.
It added that the list of entities targeted by APT39 included hundreds of individuals and entities from more than 30 different countries across Asia, Africa, Europe, and North America, including 15 U.S. companies primarily in the travel sector.
On behalf of MOIS, APT39 regularly targeted, monitored, and victimised Iranian dissidents, journalists, former government employees, environmentalists, refugees, university students and faculty, and employees at international nongovernmental organisations. The group also monitored and digitally targeted Iranian private sector companies and Iranian academic institutions, including domestic and international Persian language and cultural centres.
“Iran’s MOIS, through their front company Rana, recruited highly educated people and turned their cyber talents into tools to exploit, harass, and repress their fellow citizens and others deemed a threat to the regime. We are proud to join our partners at the Department of Treasury in calling out these actions,” said FBI Director Christopher Wray.
“The sanctions announced today hold these 45 individuals accountable for stealing data not just from dozens of networks here in the United States, but from networks in Iran’s neighboring countries and around the world,” he added.
Also on Thursday, the FBI released indicators of compromise attributed to APT39 and Iran's Ministry of Intelligence and Security, which security professionals can use to defend their organisations against the group's targeted attacks.
In the document, the FBI detailed APT39's use of malicious Visual Basic Script (VBS) malware to execute commands on victim machines via cmd.exe, several malicious AutoIt scripts embedded in Microsoft Office documents, and malware the FBI refers to as BITS 1.0, which installed two executable files that worked together to aggregate victim data, encrypt it using the XOR key as a seed, and zip the data using the ZipPass key to password-protect the files.
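Two of the behaviours the FBI describes (a VBS script running commands through cmd.exe, and an AutoIt script launched from an Office document) leave a recognisable parent/child process pattern in endpoint telemetry. The script below is an added example, not code from the FBI alert or from the original article: it runs simple process-lineage rules over constructed sample events in a simplified Sysmon Event ID 1 style layout. The field names, the rule names, and the choice of which child processes count as suspicious are all assumptions made here for illustration; tune them to your own environment's baseline before deploying anything like this.

```python
import json
from typing import List, Optional

# Constructed sample process-creation events (JSON lines in a simplified Sysmon
# Event ID 1 layout). These are illustrative, not real telemetry from the FBI alert.
SAMPLE_LOG = r"""
{"ts": "2020-09-17T10:01:03Z", "host": "ws01", "parent": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami > C:\\Users\\Public\\w.txt"}
{"ts": "2020-09-17T10:04:41Z", "host": "ws02", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AutoIt3.exe", "cmdline": "AutoIt3.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.au3"}
{"ts": "2020-09-17T10:05:10Z", "host": "ws03", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"ts": "2020-09-17T10:06:22Z", "host": "ws02", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\splwow64.exe", "cmdline": "C:\\Windows\\splwow64.exe 12288"}
{"ts": "2020-09-17T10:09:58Z", "host": "ws04", "parent": "C:\\Windows\\System32\\cscript.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"}
{"ts": "2020-09-17T10:12:07Z", "host": "ws05", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c start C:\\Users\\bob\\AppData\\Roaming\\runner.exe"}
"""

# Assumed process sets for the rules (not taken from the FBI document).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # Windows Script Host binaries that run .vbs
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}    # stock AutoIt interpreter names
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path; tolerates forward slashes too."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a rule name if the event matches a suspicious parent/child pattern, else None."""
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "").lower()

    # VBS executing commands via cmd.exe shows up as wscript/cscript spawning cmd.exe.
    if parent in SCRIPT_HOSTS and image == "cmd.exe":
        return "vbs-cmd-exec"

    if parent in OFFICE_APPS:
        # An AutoIt interpreter, or any child handed a .au3 script, started from an Office app.
        if image in AUTOIT_IMAGES or ".au3" in cmdline:
            return "office-autoit"
        # Broader catch: Office apps rarely need to spawn script hosts or shells.
        if image in LOLBINS:
            return "office-script-child"
    return None


def detect(log_text: str) -> List[dict]:
    """Parse JSON-lines telemetry and return one alert dict per matching event, in log order."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole sweep
        rule = classify(event)
        if rule:
            alerts.append({
                "rule": rule,
                "ts": event.get("ts"),
                "host": event.get("host"),
                "image": event.get("image"),
                "cmdline": event.get("cmdline"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['host']} {alert['rule']}: {alert['cmdline']}")
```

Of the six constructed events, four trigger: the two script-host-to-cmd.exe chains, the Word-launched AutoIt interpreter, and Excel spawning cmd.exe. The explorer.exe-to-cmd.exe event and Word's legitimate splwow64.exe print helper are left alone, which is the kind of baseline noise the Office rules have to be tuned against. The BITS 1.0 staging behaviour (XOR encryption plus a password-protected ZIP) is not covered here because the article gives no file or process indicators for it.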
The sanctions against the 45 APT39-linked hackers were announced shortly after a US court indicted three Iranian hackers for stealing sensitive commercial data, intellectual property, and personal data from several US-based satellite companies on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC), a designated foreign terrorist organisation.
The three hackers, Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati, are Iranian citizens who carried out their hacking activities in support of the IRGC. They used spear-phishing to lure employees of satellite companies into clicking malicious links that installed malware onto their devices.
"Using these methods, the defendants successfully compromised multiple victim networks, resulting in the theft of sensitive commercial information, intellectual property, and personal data from victim companies, including a satellite-tracking company and a satellite voice and data communication company," the Department of Justice said.