“My name is Hussein Jaffari, I was a prisoner of the regime from 1364 to 1365 [the Persian-calendar equivalent of the years 1985 and 1986, Editor's note].”

But Hussein Jaffari never existed, and the message was intended to trick its victims, likely opponents of the ruling power in Tehran, into clicking on an attachment containing surveillance software.

This is one of the subterfuges used by a hitherto unknown group of cyber-spies to trap Iranian internet users.

The activities of these hackers date back to at least 2015.

They were revealed by the computer security company Kaspersky in a report published on Wednesday, June 16, which France 24 was able to consult.

A very versatile piece of spyware

In six years spent spying with the greatest discretion, this group - dubbed “Ferocious Kitten” by Kaspersky - has used a plethora of techniques to install its spyware on the computers or smartphones of its targets. It sent “trick” images of anti-government protests which, once opened, allowed the virus to be installed in the background. “Ferocious Kitten” also created copies of several sites popular with Iranians, such as Aparat - the Iranian YouTube - which, again, allowed the spyware to be discreetly installed on the target's computer. Finally, these cyber-spies circulated modified, virus-laden versions of popular software used to bypass Iranian Internet censorship.

All these efforts serve to install on computers a malicious program called MarkiRAT, which gives attackers wide access to the victim's personal data. It is a “remote-control tool, homemade by this group, that we had not yet encountered”, notes Paul Rascagnères, one of the Kaspersky researchers who worked on the analysis of this cyberthreat, contacted by France 24.

Once installed on the computer, this spyware automatically searches for Office documents (Word, PowerPoint, Outlook, etc.), images or even password files. It can also record everything the user types on their keyboard and can pass itself off as Telegram, the well-known encrypted messaging app prized for escaping electronic surveillance. Ferocious Kitten has also developed a version of its malware for Android smartphones, which are much more popular in Iran than iPhones.

They are far from the only ones spying on Iranian internet users who are potentially hostile to the regime in place.

Other groups, such as “Prince of Persia”, “Domestic Kitten” or “Charming Kitten”, have also placed part of the population under surveillance.

“Ferocious Kitten also shares some of the modus operandi of other groups,” assures Paul Rascagnères.

Creating fake versions of sites popular in Iran to entrap victims, or pretending to be a former political prisoner, are techniques that are not unique to “Ferocious Kitten”.

Discretion as the watchword

But it remains, to this day, the group that has managed to stay discreet the longest. Most of the other actors suspected of acting on behalf of the Iranian government were discovered by cybersecurity firms several years ago. Some of them, like “Prince of Persia”, even had to cease operations for several years after drawing too much attention to themselves. They had, in particular, started to extend their espionage activities into the United States or Israel.

“Ferocious Kitten” has remained much more modest, and that is perhaps what explains its success. “Certain elements indicate that they have a more targeted approach to their surveillance activities”, estimates Paul Rascagnères. This group thus has only a small number of command and control servers, suggesting that it is not going to try to wiretap thousands of people around the world, as was the case with “Prince of Persia”.

They have also programmed their spyware in such a way “that it only activates after checking that the keyboard is configured in Persian”, notes the Kaspersky researcher. Here again, “Ferocious Kitten” seems to want to remain 100% focused on Iranian targets and dissidents, “in order to make as little noise as possible”, estimates Paul Rascagnères. Other groups like “Charming Kitten” not only targeted political opponents, but also attempted to spy on members of ex-President Donald Trump's entourage and break into the servers of American pharmaceutical companies. An international ambition that drew the attention of the American authorities to “Charming Kitten”, which in 2019 found four of its alleged members guilty of computer hacking.

Kaspersky's discovery thus shows that the electronic surveillance of Iranian Internet users is more extensive than previously believed, with cyber-espionage groups devoted to this single end.
