Kaspersky Details Iranian Domestic Cyber-Surveillance Operation
Security News, June 2021
Threat hunters at Kaspersky are sounding a warning for an Iranian APT actor that has been silently conducting domestic cyber-surveillance operations for the last six years.
The newly discovered APT, which Kaspersky calls Ferocious Kitten, has been active since at least 2015 and has used clever computer infection tricks to hijack Telegram and Chrome installations to deploy a malicious payload. The Russian cybersecurity vendor said it also observed signs that Android implants have been used to target mobile users in Iran.
Ferocious Kitten stayed under the radar for at least six years until Kaspersky researchers flagged a pair of maliciously rigged Microsoft Word documents (.doc) that were uploaded to Google's VirusTotal malware scanning service.
Kaspersky also noted that some of the TTPs used by Ferocious Kitten are reminiscent of another Iran-based actor, Domestic Kitten, which likewise targets Iranian citizens.
"The attack appears to be mainly targeting Iranian victims. In addition to the mostly Persian file names, some of the malicious websites used subdomains impersonating popular services in Iran to appear legitimate," Kaspersky said, noting that a subset of the attacks even targeted the Psiphon open-source VPN tool that is used by Iranians to bypass internet censorship.
"The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian users," Kaspersky said, noting that the decoy content displayed by the malicious files often used political themes and involved images or videos of resistance bases or strikes against the Iranian regime, "suggesting the attack is aimed at potential supporters of such movements within the country."