Cybersecurity firm FireEye says it has identified an Iranian hacking group targeting telecommunications companies worldwide.
Last month, FireEye publicly disclosed the group under the name APT39. According to the company, APT39’s primary objective appears to be collecting personal information.
FireEye notes that APT39 differs from other Iranian-linked threat groups it tracks, which have been associated with influence operations, disruptive attacks, and other types of campaigns. APT39’s focus on personal data suggests objectives like surveillance, monitoring, and creating access for future operations.
“APT39 likely focuses on personal information to support monitoring, tracking, or surveillance operations that serve Iran’s national priorities, or potentially to create additional accesses and vectors to facilitate future campaigns.”
The group is known to deploy backdoors identified as CACHEMONEY and SEAWEED, and it also uses a variant of the POWBAT backdoor.
While APT39 concentrates on targets across the Middle East, FireEye has linked its activity to countries in other regions as well, including the United States.
FireEye has produced a map showing countries tied to APT39 activity.
Given the group’s emphasis on acquiring personal information and conducting espionage, it is unsurprising that telecommunications companies are its primary targets. FireEye also reports that the high-tech and travel sectors have been affected.
FireEye states it has “moderate confidence” that APT39 operates to advance Iranian state interests.
In a related development, the U.S. intelligence community released its latest Worldwide Threat Assessment the same day. The assessment warns that Iran continues to pose a cyber espionage and attack threat to the United States and its allies.
“Iran uses increasingly sophisticated cyber techniques to conduct espionage; it is also attempting to deploy cyberattack capabilities that would enable attacks against critical infrastructure in the United States and allied countries,” the report cautions.
Tensions between Iran and the United States remain high following the U.S. withdrawal from the Iran nuclear agreement and the reinstatement of sanctions. With diplomatic relations strained, Iranian cyber threats are unlikely to diminish in the near term.
Last week, FireEye and other observers noted an Iran-linked hacking campaign that took advantage of the U.S. government’s record-long shutdown to launch attacks.