Spiraling Attacks: Iranian Hacking Campaign
Since early 2018, Miaan researchers have been tracking malware used in a series of cyberattacks on Iranian dissidents and activists. The research has uncovered hundreds of victims of malware and phishing attacks that stole data, passwords, personal information, and more.
The research was initiated by a report published in February 2018 by the Centre for Human Rights in Iran (CHRI) describing how this malware targeted the web-administrator of Majoban Noor, the news website for Iran’s Nematollahi Gonabadi Sufi order.
Over two years later in June 2020, it became apparent that the malware and phishing related attacks were linked to a private group based in the city of Mashhad called Andromedaa. Andromedaa had been using the same command-and-control server as the attackers and had registered several website domains used for phishing and malware distribution. Some of Andromedaa’s activities were independently identified by Talos Intelligence and the Center of Iranian National Computer Emergency Response Team (MAHER-ماهر).
Miaan researchers noticed a pattern that the attacks were repeatedly targeting political activists, journalists, human rights defenders, lawyers, student activists, and others. The majority of targets were from Iran’s ethnic and religious minority communities, including Turks, Sufi Muslims, and Sunni Arabs. The targeting of specific groups along with other suspicious aspects of the hacking efforts point to a state-sponsored program. However, as reported by MAHER, Andromedaa also developed broad phishing and malware tools that targeted the general public of Iranian internet users.