The Federal Bureau of Investigation (FBI) recently released a FLASH warning highlighting malicious cyber activity conducted by threat actors operating on behalf of Iran’s Ministry of Intelligence and Security. According to the FBI, these threat actors are using Telegram as a command-and-control infrastructure to push malware “targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world.” The FLASH was released “to maximize awareness of malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise” in light of the “elevated geopolitical climate of the Middle East and current conflict.”
The FLASH is designed to warn network defenders, and the public, of continued malicious cyber activity by Iranian-backed cyber actors, and provides the tactics, techniques, and procedures used in this malware campaign.
The FBI notes that the threat actors use Signal to deploy various malware versions to infect machines running Windows operating systems and “could be used to target any individual of interest to Iran.”
According to the FLASH, the threat actors used social engineering to masquerade as commonly used programs or services on Windows machines. After compromise, they then “connected the infected machine to Telegram command and control bots that enabled remote user access to exfiltrate screen captures or files from the victim devices.” The threat actors include Handala Hack, which claimed responsibility for the Stryker attack. Handala Hack is also linked to another entity known as “Homeland Justice.”
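The tradecraft described above gives defenders two concrete things to look for in endpoint telemetry: a process reaching the Telegram Bot API host (the path a Telegram-bot C2 channel must take), and a binary that borrows the name of a common Windows program while running from a user-writable folder. The following script is an added illustration, not part of the FBI FLASH or of this article; the event format is a constructed, simplified subset of Sysmon network-connection fields, and the host name, the impersonated-program list, the allow-list and the trusted install roots are assumptions a defender would tune for their own environment.

```python
"""Triage Windows network-connection events for the two behaviours in the FLASH:
a process contacting the Telegram Bot API, and a process whose name matches a
commonly impersonated program but whose path is outside the usual install roots.

The events below are constructed sample telemetry (a simplified Sysmon Event ID 3
shape), not real data. Lists and roots are assumptions to be tuned per environment.
"""
from pathlib import PureWindowsPath

# Host behind Telegram's Bot API; a bot-based C2 channel has to reach it.
TELEGRAM_BOT_API_HOSTS = {"api.telegram.org"}

# Images permitted to talk to the Bot API (assumption: empty on a normal workstation).
ALLOWED_BOT_API_IMAGES = set()

# Program names that malware commonly borrows (assumption: illustrative list).
COMMONLY_IMPERSONATED = {"svchost.exe", "explorer.exe", "chrome.exe", "winword.exe"}

# Where the genuine copies of those programs live (assumption, lower-cased for matching).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events: timestamp, process image path, destination host and port.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01Z",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "dest_host": "update.microsoft.com", "dest_port": 443},
    {"ts": "2024-05-01T09:02:17Z",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\Adobe\\AdobeUpdate.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"ts": "2024-05-01T09:03:44Z",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"ts": "2024-05-01T09:05:09Z",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]


def reasons_for(event):
    """Return the list of detection reasons that apply to one event (empty if clean)."""
    image = event["image"].lower()
    name = PureWindowsPath(image).name
    reasons = []

    # Reason 1: Bot API traffic from a process that is not expected to use it.
    if event["dest_host"].lower() in TELEGRAM_BOT_API_HOSTS and name not in ALLOWED_BOT_API_IMAGES:
        reasons.append("telegram_bot_api_from_unexpected_process")

    # Reason 2: a well-known program name running from somewhere it does not belong.
    if name in COMMONLY_IMPERSONATED and not image.startswith(TRUSTED_ROOTS):
        reasons.append("common_program_name_outside_trusted_path")

    return reasons


def triage(events):
    """Return only the events that triggered at least one reason, with reasons attached."""
    flagged = []
    for event in events:
        reasons = reasons_for(event)
        if reasons:
            flagged.append({**event, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["ts"], hit["image"], "->", hit["dest_host"], "|", ", ".join(hit["reasons"]))
```

Either reason on its own is a lead worth a look; both together on the same process, as in the third sample event, is the pattern the FLASH describes and should be escalated. In production the event list would be fed from the SIEM or EDR export rather than embedded, and the allow-list would hold any internal tooling that legitimately uses Telegram bots.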
Iranian-backed hackers continue to pose a threat to all companies because they leverage legitimate messaging apps like Telegram (through no fault of its own) to deliver payloads. If you or your company uses Telegram, or another messaging app, it is imperative to understand how these legitimate tools are used maliciously by threat actors. Follow the FBI’s guidelines and educate your users about this increased risk.