Presentation information

UNC788: Iran’s decade of credential harvesting and surveillance operations

Emiel Haeghebaert (FireEye)
Live only
UTC on Day 3, Friday 02 October
Driven by an authoritarian regime's desire for survival, Iran's Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence (MOIS) have long conducted extensive domestic surveillance and espionage operations against their own populace and against foreign targets of strategic intelligence value. In this paper, I analyse and dissect UNC788's most recent domestic surveillance operation, which used a malicious Android application dubbed PINEFLOWER. Our analysis confirmed that the actors exfiltrated recorded phone calls, room audio recordings, pictures, and entire SMS inboxes, along with relevant metadata, from devices which appeared to belong to individuals residing in Iran. At least one device belonged to an individual who appears to be engaged in social activism in Iran. This activity confirms longstanding suspicions that UNC788 conducts domestically focused operations as part of its ostensible mandate to conduct cyber espionage and credential harvesting operations in support of Iranian strategic priorities.

The results presented in this paper are based on threat intelligence, the collection and reversing of threat actor tools, and analysis of the actor's malicious infrastructure. The paper focuses on my experience and analytical process in uncovering this operation: it steps through the initial discovery of the malicious infrastructure, discusses the various tools and scripts implemented to pivot to additional actor resources and to facilitate victim data analysis, and explores the evidence underpinning our attribution assessment.
Emiel Haeghebaert (FireEye)

Emiel Haeghebaert is an associate analyst with Mandiant Threat Intelligence's Cyber Espionage Analysis Team. Since joining FireEye in 2019, Emiel has produced extensive intelligence reporting on cyber threat activity emanating from the Middle East region and focuses his research on Iran. Originally from Belgium, he holds a Master of Arts degree in security studies from Georgetown University and a BA in international affairs from Vesalius College, Brussels. Emiel will matriculate at the Georgia Institute of Technology to pursue a Master of Science degree in cybersecurity in the fall of 2021. Before coming to FireEye, he served in a variety of policy and academic research roles, including at Georgetown University and the Carnegie Endowment for International Peace.