Infy

🔴 High
Also known as: Operation Mermaid, Prince of Persia, Foudre, Infy

Infy is a group of suspected Iranian origin. Since early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activities against human rights activists in the beginning of 2015. In line with other research on the campaign, released prior to publication of this document, we have adopted the name “Infy”, which is based on labels used in the infrastructure and its two families of malware agents. Thanks to information we have been able to collect during the course of our research, such as characteristics of the group’s malware and development cycle, our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state. Amongst a backdrop of other incidents, Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran. After the conclusion of the parliamentary election, the rate of attempted intrusions and new compromises through the Infy agent slowed, but did not end. The trends witnessed in reports from recipients are reinforced through telemetry provided by design failures in more recent versions of the Infy malware.

๐ŸŒ Country Iran
๐Ÿ“… Activity 2016 โ€” 2016
โšก Risk Level High
๐ŸŽฏ Incident Type Espionage


Activities and Tactics

Targeted Sectors: Activists, Civil society, Government, Private sector

Country of Origin: 🇮🇷 Iran

Risk Level: High

First Seen: 2016

Last Activity: 2016

Incident Type: Espionage

Suspected Victims: Israel, Iran, France, China, Sweden, United States, United Kingdom, Germany, Syria, Italy…

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 2 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

  • Backdoor.Oldrea
  • Agent.btz

Attribution and Evidence

Country of Origin: Iran

Additional attribution information pending cataloguing.

References

References pending cataloguing.