APT39: An Iranian Cyber Espionage Group Focused on Personal Information
(Jan 29, 2019)
Researchers from FireEye disclosed that they have identified a new Iranian Advanced Persistent Threat (APT) group, “APT39,” that has been observed stealing personal data from victims. Their targeted victims are based in several Middle Eastern countries, Spain, and the US, with specific focus upon Middle Eastern targets. This APT group focuses on victimising telecommunications and travel industries to monitor, track, and perform surveillance operations on specific individuals as well as aim to collect customer and commercial information for operational uses, and establish additional access vectors for future campaigns. APT39 utilises spear phishing emails with malicious attachments or links that result in “POWBAT” malware infection. They leverage backdoors such as “SEAWEED,” “CACHEMONEY,” and a variant of “POWBAT” to establish a presence in a network to obtain persistence and privilege escalation in the future.
Recommendation: Defence-in-depth (layering of security mechanisms, redundancy, fail-safe defence processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.