Iran's Cyber Spies Looking to Get Personal


Stuart Davis, a director at one of FireEye's subsidiaries, stands in front of a map of Iran as he speaks to journalists about the techniques of Iranian hacking, Sept. 20, 2017, in Dubai, United Arab Emirates.

Iran appears to be broadening its presence in cyberspace, stealing information that would allow its cyber spies to monitor and track key political and business officials, including some in the United States.

A new U.S. intelligence report released Tuesday warned that Iranian cyber actors "are targeting U.S. Government officials, government organizations, and companies to gain intelligence and position themselves for future cyber operations."

The latest Worldwide Threat Assessment also said Tehran has been preparing to use such information for a range of possible cyber attacks against the U.S. and its allies, though it did not share specifics.

Fears about Iran's growing prowess in cyberspace are not new, but the new assessment from the U.S. intelligence community echoes concerns voiced by private cybersecurity firms, which have pointed out a growing number of attacks by Iranian-linked actors targeting databases that contain personal information.

"They are targeting a number of telecommunication and information technology entities and really going after just large amounts of PII [personally identifiable information]," said Cristiana Kittner, a senior analyst with FireEye.

"Once in the network, they're looking at phone logs and employee records and airline records," she said.

In one attack, Iranian hackers went after visa and passport information, searching through keystroke logs to try to get at the information.

"Our assessment is that the PII is being stolen both for general surveillance as well as for specific targets, including high profile people and potentially political individuals and those who have significant roles in strategic affairs related to the country."

The main culprit, according to FireEye, is a group known as Advanced Persistent Threat 39, or APT 39. FireEye maintains the group, active since 2014, has been working "in support of Iranian national interests," showing an ability to hit targets across the Middle East and beyond.

"APT 39's focus on the widespread theft of personal information sets it apart from other Iranian groups," FireEye said in a report released Tuesday.

FILE - A man types into a keyboard during the Def Con hacker convention in Las Vegas, Nevada, on July 29, 2017.

Most of the companies that have been targeted by APT 39 are in the Middle East -- Saudi Arabia, Iraq, Egypt, Turkey and the United Arab Emirates. The group's pursuit of telecommunications and travel industry data has led it further afield.

FireEye said companies in Norway, South Korea, Australia and the United States may also have been affected, warning that the group's activity "showcases Iran's potential global operational reach."

Much of APT 39's activity aligns with that of the Iran-based cyber group known as Chafer, which was identified by the cybersecurity firm Symantec in 2015, and which has also focused on the telecommunications, travel and IT industries.

"Chafer has become notably more ambitious," Symantec told VOA in a statement. "Over the past two years, the group moved their attacks up the supply chain in the industries they typically target, and these supply chain attacks may allow Chafer to reach a broader set of victims in each industry they target."

Other experts and analysts worry advances by APT 39 and Chafer show that Tehran, already a formidable actor in cyberspace, has further refined its cyber espionage doctrine and will soon find more ways to use cyber spying to gain an advantage, economically and politically.

"Iran's leveraging these capabilities in order to identify suppliers…where they're shipping certain things to," said David Kennedy, the chief executive officer at the IT security consulting firm TrustedSec. "They may have the ability to snag individuals or pick them up."

"The methods that they use are very effective for going against a lot of different companies," added Kennedy, who previously served with the U.S. National Security Agency and with the Marine Corps electronic warfare unit.

European officials, meanwhile, worry that this is just the start, and that Iranian cyber actors are only going to get more ambitious as the U.S. and Western powers increase pressure on Tehran in response to its missile tests and nuclear activity.

"Newly imposed sanctions on Iran are likely to push the country to intensify state-sponsored cyberthreat activities in pursuit of its geopolitical and strategic objectives at a regional level," the European digital security agency warned in a report Monday.

This past November, the U.S. indicted two Iranian hackers for using the SamSam ransomware to extort millions of dollars from U.S. municipalities, hospitals and other public institutions.

And in March of last year, U.S. prosecutors charged nine Iranian hackers with penetrating the computer networks of hundreds of universities and institutions to steal research material.

VOA's Masood Farivar contributed to this report