An anonymous reader quotes a report from The New York Times:
Iranian hackers, most likely employees or affiliates of the government, have been running a vast cyberespionage operation equipped with surveillance tools that can outsmart encrypted messaging systems – a capability Iran was not previously known to possess, according to two digital security reports released Friday. The operation not only targets domestic dissidents, religious and ethnic minorities and antigovernment activists abroad, but can also be used to spy on the general public inside Iran, said the reports byCheck Point Software Technologies, a cybersecurity technology firm, andthe Miaan Group, a human rights organization that focuses on digital security in the Middle East.
The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging to the targets, overcoming obstacles created by encrypted applications such as Telegram and, according to Miaan, even gaining access to information on WhatsApp. Both are popular messaging tools in Iran. The hackers also have created malware disguised as Android applications, the reports said. […] According to the report by Check Point’s intelligence unit, the cyberespionage operation was set up in 2014, and its full range of capabilities went undetected for six years. Miaan traced the first the operation to February 2018 from a malicious email targeting a Sufi religious group in Iran after a violent confrontation between its members and Iranian security forces. It traced the malware used in that attack and further attacks in June 2020 to a private technology firm in Iran’s northeast city of Mashhad named Andromedaa. Miaan researchers determined that Andromedaa had a pattern of attacking activists, ethnic minority groups and separatist opposition groups but also had developed phishing and malware tools that could target the general public.
The hackers appeared to have a clear goal: stealing information about Iranian opposition groups in Europe and the United States and spying on Iranians who often use mobile applications to plan protests, according to the Miaan report. […] According to Check Point, the hackers use a variety of infiltration techniques, including phishing, but the most widespread method is sending what appear to be tempting documents and applications to carefully selected targets. […] The spyware enabled the attackers to gain access to almost any file, log clipboard data, take screenshots and steal information. According to Miaan, one application empowered hackers to download data stored on WhatsApp. In addition, the attackers discovered a weakness in the installation protocols of several encrypted applications including Telegram, which had always been deemed relatively secure, enabling them to steal the apps’ installation files. These files, in turn, allow the attackers to make full use of the victims’ Telegram accounts. “Although the attackers cannot decipher the encrypted communications of Telegram, their strategy makes it unnecessary,” the report adds. “Rather, they use the stolen installation files to create Telegram logins to activate the app in the victims’ names on another device. This enables the attackers to secretly monitor all Telegram activity of the victims.”