The U.S. government on Thursday imposed sweeping sanctions against an Iranian threat actor backed by the country’s Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors.
According to the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions target Rana Intelligence Computing Company (or Rana), which the agencies said operated as a front for the threat group APT39 (aka Chafer or Remix Kitten), Iranian cyber espionage hacking collective active since 2014 known for its attacks on companies in the U.S. and the Middle East with an aim to pilfer personal information and advance Iran’s national security objectives.
To that effect, 45 individuals who served in various capacities while employed at the front company, including as managers, programmers, and hacking experts, have been implicated in the sanctions, which also prohibit U.S. companies from doing business with Rana and its employees.
“Masked behind its front company, Rana Intelligence Computing Company (Rana), the Government of Iran’s Ministry of Intelligence and Security (MOIS) has employed a years-long malware campaign that targeted and monitored Iranian citizens, dissidents, and journalists, the government networks of Iran’s neighboring countries, and foreign organizations in the travel, academic, and telecommunications sectors,” the FBI said.
Rana is also believed to have targeted Iranian private sector companies and academic institutions, including Persian language and cultural centers inside and outside the country.
APT39’s Long History of Espionage Activities
APT39 has a history of hacking into targets spanning over 30 countries in the Middle East, North Africa, and Central Asia, and at least 15 U.S. companies in the travel sector have been compromised by Rana’s malware, using the unauthorized access to track the movements of individuals whom MOIS considered a threat.
Earlier this May, Bitdefender uncovered two cyberattacks directed against critical infrastructures in Kuwait and Saudi Arabia, compromising its victims via spear-phishing emails containing malicious attachments and using various intrusion tools to gain an initial foothold and collect sensitive data from infected systems.
Aside from formally connecting the activities of APT39 to Rana, the FBI detailed eight separate and distinct sets of previously undisclosed malware used by the group to conduct their computer intrusion and reconnaissance activities, which comprises of:
- Microsoft Office documents laced with Visual Basic Script (VBS) malware sent via social engineering techniques
- Malicious AutoIt malware scripts embedded in Microsoft Office documents or malicious links
- Two different versions of BITS malware to aggregate and exfiltrate victim data to an actor-controlled infrastructure
- A screenshot and keylogger utility that masqueraded as legitimate Mozilla Firefox browser
- A Python-based downloader to fetch additional malicious files to the victim machine from a command-and-control (C2) server
- An Android implant (“optimizer.apk”) with information-stealing and remote access capabilities
- “Depot.dat” malware for collecting screenshots and capturing keystrokes and transmitting the information to a remote server under their control
A Series of Charges Against Iranian Hackers
The sanctions against APT39 is the latest in a string of actions undertaken by the U.S. government over the last few days against Iran, which also encompasses charges against three hackers for engaging in a coordinated campaign of identity theft and hacking on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) to steal critical information related to U.S. aerospace and satellite technology companies.
Last but not least, the Cybersecurity Security and Infrastructure Security Agency (CISA) warned of an Iran-based malicious cyber actor targeting several U.S. federal agencies by exploiting unpatched VPN vulnerabilities to amass sensitive data and even sell access to the compromised network infrastructure in an online hacker forum.
“This week’s unsealing of indictments and other disruptive actions serves as another reminder of the breadth and depth of Iranian malicious cyber activities targeting not only the United States, but countries all over the world,” John C. Demers, Assistant Attorney General for National Security, said in a statement.
“Whether directing such hacking activities, or by offering a safe haven for Iranian criminal hackers, Iran is complicit in the targeting of innocent victims worldwide and is deepening its status as a rogue state.”