with Aaron Schaffer

Cybersecurity researchers uncovered the identities of more than 1,000 victims of two hacking groups tied to the Iranian government. The victims include high-profile academics, activists and business leaders, and government officials in the United States and Europe, researchers at Israeli cybersecurity firm Check Point say in a pair of reports out today.

The hackers used the attacks to spy on targets' phone calls, messages, location, photos and other sensitive data. 

The reports shine a new light on the Iranian government's use of myriad hacking groups to conduct extensive espionage against dissidents and other perceived threats to its regime.

“To me this shows the amount of complexity, the amount of resources the Iranian regime is putting into this campaign,” says Yaniv Balmas, head of cyber research at Check Point. “And it's a complete invasion of the privacy of citizens.” 

The two groups, referred to as  Domestic Kitten and Infy by Check Point researchers, used different methods for the same end result: espionage. Check Point has shared the victims' information with U.S. and European law enforcement. 

The campaigns fit squarely into Iran's cyber playbook, other researchers say. 

Hackers working on behalf of the Iranian government deploy attacks against a wide range of targets at a a constant rhythm, says Adam Meyers, senior vice president of intelligence at CrowdStrike, another firm following actors tied to Iran. In recent years, hackers have increasingly turned their attentions to the West, he says.

Researchers have tied more than a dozen separate hacking groups to the Iranian government over the last 15 years. Iran has routinely denied any involvement in the attacks. Iran's Foreign Ministry did not return a request for comment for this story.

In addition to Iranian citizens, hackers have also increasingly gone after Western journalists, academics and researchers involved with Iran, and U.S. government employees. The attacks tend to escalate around political flash points. Iranian hackers actively targeted the Trump campaign ahead of the 2020 election.

“This [new] report is also in line with our observation about the activity of Iranian state-backed hackers who were very active during the U.S. elections in November 2020,” said Amin Sabeti, founder at Certfa Lab, a research group that has tracked hacking campaigns from other groups linked to the Iranian government.

The most recent Domestic Kitten campaigns began in November around the U.S. election, Check Point reported.

The Domestic Kitten campaign used fake versions of real apps to lure victims into installing malware that allowed hackers to spy on them. Since it first launched in 2018, the group has targeted more than 1,2000 victims — successfully infecting more than 600.

“The technology in this campaign — it's not really high tech,” Balmas says. “But what it does teach us — and maybe that's the scary part about this — is you don't need to be that sophisticated to be successful. And I think that should be a concern for everyone.”

The other group, Infy, sent emails with fake documents that, once opened, activated a spy tool on the victims' computers, Check Point and researchers at another firm SafeBreach found. Infy has been active since 2007, making it one of Iran’s oldest known hacking groups.

According to researchers, Infy hackers took much more care to go undetected than Domestic Kitten. The group focused on a smaller pool of victims predominantly located in Turkey, Sweden and the Netherlands.

Since 2018, researchers at human rights group Miaan have uncovered hundreds of Iranian victims of cyberattacks after their personal information. The victims the group has helped probably represent only a fraction of hackers' targets.

“The problem with the malware is it’s almost impossible for you to find out if your computer or phone is infected,” says Amir Rashidi, director of digital rights and security at Miaan. “And recovering any data from the infected device is virtually impossible without expert help.”

The keys

American hackers working for the UAE intercepted Michelle Obama’s emails.

An American hacker hired by the U.S. ally stumbled upon the emails after being told to target Qatar, its main rival in the region, the New York Times’s Nicole Perlroth reports

The previously unreported hack happened in late 2015, as Obama put the finishing touches on a trip to the Middle East. At the time, David Evenden, a former National Security Agency analyst working for the UAE through contractor CyberPoint, came across emails between Obama, her staff and Qatari officials.

“That was the moment I said, ‘We shouldn’t be doing this,’ Evenden said. “We should not be targeting these people.” Evenden left the company, and he and other colleagues alerted the FBI. Interviews suggest that an FBI review of the company is ongoing, Perlroth reports.

Mercenary hackers hired by the UAE have said that they targeted Americans. Some ex-National Security Agency analysts have said that they were hired to hack for the government. Several former White House officials also helped the UAE build its cyber capabilities.

Widely used encryption standards could be hacked, company says.

The company maintains that it found weaknesses in widely used standard encryption. It says quantum computers will be able to decipher within years encryption used to protect services such as banking and email data. The company says it is developing a standard that will be unbreakable by quantum computers.

Researchers are skeptical about the findings by Switzerland’s Terra Quantum AG, which have not been published or peer reviewed, Bloomberg News’s Ryan Gallagher reports.

“If true, this would be a huge result,” said Brent Waters, a computer science professor at the University of Texas at Austin. “It seems somewhat unlikely on the face of it. However, it is pretty hard for experts to weigh in on something without it being published.”

Top British officials detail cyber campaign against Islamic State for first time.

Intelligence leaders detailed in a recent Sky News interview how British forces tampered with Islamic State communication channels and used “cyber techniques to affect how” drones used by the group operated.

The interview comes months after the United Kingdom launched its National Cyber Force, an offensive cyber organization staffed by spies and military officials.

Government scan

Securing the ballot

A push to allow wireless hardware into voting machines raises risk of hacking, activists say.

The Election Assistance Commission recently modified draft standards to remove language banning wireless hardware from voting machines for them to be certified, the AP’s Frank Bajak reports. Though an official stressed that new guidelines say that machines’ wireless capabilities must be disabled, some opponents say that the mere presence of the hardware goes against best cybersecurity practices. 

The vote will take place this Wednesday.

Global cyberspace

Daybook

  • The Election Assistance Commission votes on new voting security guidelines on Wednesday at 10 a.m.
  • Anne Neuberger, the deputy national security adviser for cyber and emerging technology, speaks at a meeting of the National Security Telecommunications Advisory Committee on Wednesday at 1 p.m.
  • Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, and Sue Gordon, a top former intelligence official, testify at a House Homeland Security Committee hearing on cybersecurity on Wednesday at 2 p.m.

Chat room

Perlroth’s story, which is adapted from her upcoming book, prompted a discussion on Twitter. Matt Tait, who used to work for the U.K.’s GCHQ:

CrowdStrike co-founder Dmitri Alperovitch also weighed in:

Secure log off

Check out the other best ads from last night here.

In an ad, people drinking Bud Light Seltzer Lemonade reflect on all the “lemons” 2020 threw our way. (Anheuser-Busch)