Quick Takeaways
- Resurgence of Prince of Persia: After a prolonged silence, Iran’s oldest advanced persistent threat group, “Prince of Persia,” is reportedly still operational and has been active in espionage primarily against Iranian citizens and international targets.
- Unique Operational Security: The group employs advanced operational security techniques, including using Telegram APIs without a hardcoded key and RSA signature verification for its command and control infrastructure, enhancing stealth and resilience.
- Historical Context: Despite being overshadowed by more notorious groups like OilRig and MuddyWater, Prince of Persia has adapted and improved its methods, showing remarkable persistence over nearly two decades of activity.
- State Support: Following a significant setback in 2016 due to cybersecurity interventions, the Iranian government intervened to restore the group’s activities, highlighting the intricate relationship between state actors and cyber operations in Iran.
Revived Threat: Prince of Persia’s Espionage
For the first time in over three years, researchers reveal crucial information about Iran’s oldest state-sponsored hacking group, known as “Prince of Persia” or “Infy.” This group, active since at least 2004, has remained mostly quiet while other Iranian actors like OilRig and MuddyWater stole the spotlight. However, a recent report confirms that despite its silence, Prince of Persia continued its operations. It has been spying on Iranian citizens and individuals in various countries, including Iraq, Turkey, and Canada. The group utilizes upgraded versions of its malware, indicating that it has not become obsolete.
The longevity of this cyberthreat surprises cybersecurity experts. A report states that Prince of Persia has operated for nearly 20 years with the same tools. This persistence showcases advanced operational security and innovative communication methods. Indeed, it appears to have stayed under the radar while continuing its espionage activities.
Innovative Infrastructure: Stealthy Operations
Prince of Persia employs two main tools called “Foudre” and “Tonnerre,” French for lightning and thunder. Foudre gathers initial data from targets and can self-destruct if the infected host is judged not worth keeping. Interestingly, it operates discreetly, using a Microsoft Excel file to evade antivirus detection. Tonnerre, on the other hand, carries out deeper espionage while keeping its presence hidden from the user.
Notably, these tools demonstrate remarkable security practices, particularly regarding command-and-control (C2) communications. Instead of embedding an identifiable key that could be extracted from a sample, Tonnerre retrieves its Telegram API key only for specific victims. This technique minimizes traces that researchers might use to track or disrupt the operation. Moreover, Foudre uses RSA signature verification to validate its C2 servers, so that a domain registered by a third party, such as a research sinkhole, is rejected rather than trusted.
The Iranian government also plays a role in sustaining this threat actor. After earlier attempts by cybersecurity firms to neutralize its operations, state support has significantly bolstered Prince of Persia’s capabilities. By redirecting internet traffic away from sinkholes set up by researchers, the Iranian government has facilitated the group’s continued activities. Thus, this sophisticated and resilient malware remains an impactful threat in cyber espionage today.