Driven by the authoritarian's desire for regime survival, Iran's Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence (MOIS) have long conducted extensive domestic surveillance and espionage operations against its domestic populace and foreign targets of strategic intelligence value. In this paper, I analyse and dissect UNC788's most recent domestic surveillance operation with a malicious Android application dubbed PINEFLOWER. Our analysis confirmed that the actors exfiltrated recorded phone calls, room audio recordings, pictures, and entire SMS inboxes along with relevant metadata from devices which appeared to belong to individuals residing in Iran. At least one device belonged to an individual who appears to be engaged in social activism in Iran. This activity confirms longstanding suspicions that UNC788 conducts domestically focused operations as part of their ostensible mandate to conduct cyber espionage and credential harvesting operations in support of Iranian strategic priorities.

The results presented in this paper are based on threat intelligence, collection and reversing of threat actor tools, and analysis of their malicious infrastructure. This paper will focus on my experience and analytical process uncovering this operation by stepping through the initial discovery of the malicious infrastructure, discussing the various tools and scripts implemented to pivot to additional actor resources and to facilitate victim data analysis, and by exploring the evidence underpinning our attribution assessment.

Got a question about this presentation? To get in touch with the speaker, contact Emiel on Twitter at @EHaeghebaert.