More than 1,400 users have downloaded spyware programs that, while ostensibly delivering news, allow hackers to acquire sensitive information on Kurdish ethnic groups found in Iran, Iraq, and Northern Syria.
On Tuesday, security vendor ESET disclosed the espionage campaign. As per its report, the campaign involves tricking Android smartphone owners into downloading applications that record phone calls, extract files, take photos, and gather other information from unwary victims. These applications are in fact two known Android backdoors, 888RAT and SpyNote, disguised as legitimate apps.
Users downloaded the programs from third-party websites rather than the Google Play Store or Apple's App Store. Data from one such website indicates that the applications had around 1,481 downloads.
This marks the latest attack on Kurds, indigenous people who have repeatedly found themselves embroiled in Middle Eastern conflicts. Since 2014, Kurdish fighters have actively fought against the Islamic State. They have allied with US forces while also fighting the Turkish government.
How does the snooping happen?
Earlier in February, the security firm CheckPoint claimed that suspected Iranian hackers were using smartphone malware to snoop on Kurdish targets.
The ESET investigation found that the operation was ongoing since March 2020. The hackers advertised fraudulent links through Facebook pages, pushing Kurdish supporters to download the apps. Researchers discovered six Facebook profiles that vocally advertised URLs. After ESET reported those profiles, Facebook took them down.
In some cases, hackers used larger Facebook groups to share the links. This includes a page dedicated to supporting the former president of the Kurdistan region, which had over 11,000 followers.
Who is behind this attack?
Investigators attributed the attack to a group known as BladeHawk. QiAnXin Threat Intelligence Center, a unit of a China-based technology company, initially named the group.
Further, in December 2020, QiAnXin revealed a series of “continuous attacks” that it said were aimed at some Turkish groups, Kurdish targets, and suspected members of terrorist groups. QiAnXin said the BladeHawk group originated in “a certain country in the Middle East,” though few other details were available.