Hackers Collecting Intelligence on Potential Opponents to Iranian Regime (Security News, September 2020)
These targets, together with WHOIS records suggesting that the associated malicious websites had been registered by Iranian individuals, and the discovery of one registrant's email address linked to Iranian hacking forums, are enough for the Check Point researchers to conclude that Rampant Kitten is an Iranian group, which in turn implies a link to the Iranian government.
The attack vectors used in the campaign, which has largely remained under the radar for six years, include four variants of Windows infostealers; an Android backdoor used to steal 2FA codes from SMS messages and take voice recordings; and Telegram phishing pages distributed using fake Telegram service accounts.
Surprisingly, this phishing attack seems to have been known to Iranian Telegram users - several Iranian Telegram channels sent out warnings against the phishing sites, claiming that the Iranian regime is behind them.
Lotem Finkelsteen, Manager of Threat Intelligence at Check Point, commented, "After conducting our research, several things stood out. First, there is a striking focus on instant messaging surveillance. Although Telegram is un-decryptable, it is clearly hijackable. Instant messaging surveillance, especially on Telegram, is something everyone should be cautious and aware of. Second, the mobile, PC and web phishing attacks were all connected to the same operation. These operations are managed according to intelligence and national interests, as opposed to technological challenges."
It seems almost certain that this is another example of Iranian threat actors - quite possibly with some affiliation to the Iranian regime - collecting intelligence on potential opponents to the regime.