Group was active and remained secret for at least nine years

May 5, 2016 10:11 GMT
Iranian hackers deploy Infy malware to spy on political and economic targets

Palo Alto Networks, a US-based cyber-security firm, has blown the lid on a cyber-espionage campaign linked to an Iranian hacking group that has targeted governments and other high-value organizations around the world for the past nine years.

Researchers say the group has been using malware with spying capabilities that include logging keystrokes, stealing documents from infected computers, and collecting passwords and browser cookie files.

All of this data is uploaded to C&C (command-and-control) servers, which Palo Alto says are located in Iran.

Group created its own malware called Infy

Researchers say they have found different versions of the same malware, named Infy, going back to 2007, while the same C&C servers were linked to malicious activity going back to 2004. It is not clear whether that earlier activity was related to any cyber-espionage campaign.

Despite the long life of this cyber-espionage group, researchers say that many security firms had a hard time connecting the different Infy malware versions with each other because of the malware's limited scope and narrow use.

The group used Infy against a limited set of targets, usually one attack at a time, aimed at government bodies or employees of specific companies, but also at Iranian citizens.

Three suspicious emails gave the group away

Palo Alto detected the Iranian APT's activity after discovering three emails in May 2015 whose file attachments were infected with the Infy malware.

The attackers compromised a Gmail account used by Israeli officials and used it to send emails carrying malicious Word and PowerPoint files to an Israeli industrial organization. Similar malicious emails were also sent to a US government official.

Starting from these initial attacks, the researchers slowly but surely uncovered the group's activity, stretching back a decade and continuing as recently as April 2016.

"Attack campaigns that have very limited scope often remain hidden for years," Palo Alto's Tomer Bar and Simon Conant wrote, explaining why the group's activities went unnoticed for so long. "If only a few malware samples are deployed, it's less likely that security industry researchers will identify and connect them together."