APT39 – Iranian Espionage Array Focusing on Personal Information

This post is also available in: עברית (Hebrew)

Another Iranian cyber attack group is exposed as posing an immediate threat to Israel. The group, called APT39, is responsible for stealing a vast amount of personal data.
FireEye has been following the group’s activity since November 2014 with the purpose of defending organizations from it. APT39’s focus on a wide collection of personal information distinguished it from other Iranian groups which have been associated with other destructive cyber activity and threats. APT39 is most likely focused on the collection of personal data in order to support surveillance operations and monitoring that serve Iran’s national interest. In addition, the group’s activity allows for further access and opportunities for future cyber operations.
Some of the group’s activities partly intersect with public reports on a group called “Chafer”, despite the fact that there are differences that stem from different sources and methods of research. APT39 is using SEAWEED CACHEMONEY and a specific version of the POWBAT tool. While the group’s attack targets are scattered worldwide, its main activity focuses on the middle east region. The groups attacks targets in the communications sector, hi-tech and tourism, including IT companies that support these.
Operational Objective
APT39 focus on communications and tourism industries points to its intention of supporting espionage and surveillance operations after specific individuals and to collect internal information. This might include customers personal information, which might serve operational targets serving strategic goals on the national level. A further goal is getting wide access for creating an infrastructure for future cyber activity.
Attacking governmental targets points on a secondary intention to collect geopolitical intelligence which might assist governments and support decision making processes. From what has been said it is possible to conclude that the supreme goal of the group is to monitor and track specific persons while collecting personal data’ including flight detail and communication data.
Iranian Roots
We estimate approximately that APT39’s cyber operations were meant to support Iranian national interests, judging from an analysis of the attack targets and their focus on the middle east, the operational infrastructure used by the group, activity time, and the similarity it has to another Iranian group called APT34, parts of which are publicly known as “OilRigh”. There are lines of similarity between APT39 and APT34, including their methods for distributing assault instruments, the use of the POWBAT tool, the style of choosing names in operational infrastructure and an overlap in the targets themselves – but we are still distinguishing between the two groups, mainly based on APT39’s use of a very specific version of the POWBAT. It is possible that the two groups are cooperating and even sharing some developmental resources.
The Stages of Attack
APT39 is using self-developed tools alongside public ones along the stages of attack.
FIrst Infiltration – in the initial stage of attack spear phishing mails are used with malicious attachments or links that glue the computer to the POWBAT. The group then writes domains that pretend to be legitimate internet services and third party organizations relevant to the target’s content-world. The group also tends to identify and exploit vulnerable web servers of targets in order to install web shells on them such as CACHEMONEY, SEAWEED and also a specific version of the POWBAT tool to ground its web hold. For the sake of uploading permissions the group uses public tools such as Ncrack and Mimikatz, and also legitimate managing tools such as Windows Credential Editor and ProcDump. Internal web scanning is also performed on the base of objective scripts and also public or self developed tools such as the BLUETORCH scanner.
Web Spread, Maintaining Grip and Task Completion – spreading beyond network parts in an organization is done by a variety of tools such as RemCom, PsExec, Secure Shell (SSH), Remote Desktop Protocol (RDP) and xCmdSvc. Also, some use is made of self developed tools such as PINKTRIP, REDTRIP, and BLUETRIP to create SOCKS5 proxies between the infected edges. APT39 uses a RDP protocol for maintaining its network hold over computers. In the stage of task completion the group usually does not compress the collected information using WInrar or Zip-7 prior to leaking it outside the network.
There are technological findings pointing to the fact that APT39 tends to keep a high operational strength in order to avoid security. To do this, it uses a designated version of Mimikatz in order to bypass antivirus mechanisms. In a different case, after acquiring initial accessa process of credential harvesting was performed outside the target network in order to avoid alerts in an organization’s security systems.
In conclusion, we believe that APT39’s focus on the communication and tourism industries is meant to track down specific persons and support future operations. Communication companies are an attractive target due to the fact that they reserve much personal information on their clients, and because the open the door for the communication infrastructure and thereby to a wide array of potential additional targets.
The group’s pattern of choosing targets shows that the threat is not limited to the attacked organizations themselves, but also and mainly to their clientele, including people from all over the world and from a variety of sectors and industries.
APT39’s activity exemplifies the operational capacity of the Iranian government and its defense agencies, and shows how it uses the cyberspace as an effective tool with a relatively low cost for the sake of collecting intelligence on persons that pose a threat on the Ayatollahs’ national security, as well working towards regional and global supremacy with respect to their opponents.

Ryan Whelan, Director at FireEye