APT39 Cyber Espionage Group Targets Personal Information

FireEye researchers identified a new Iranian cyber espionage advanced persistent threat (APT) group, dubbed APT39, deploying backdoors to gain access to and steal individuals' personal information. In these attacks, the targeted network is initially compromised via spear-phishing emails with malicious attachments or links. APT39 then establishes a foothold, escalates privileges, and conducts reconnaissance on the network. The group moves laterally and maintains persistence using remote desktop protocol (RDP) and archives stolen data using a compression tool. APT39 has targeted organizations across the world, including those in the United States, with a focus on the telecommunications and travel industries. Other targeted industries include technology, government, business services, transportation, and media and entertainment. The NJCCIC recommends that organizations likely to be high-value targets for APT activity review the FireEye report for technical details, including tactics, techniques, and procedures (TTPs). Organizations are advised to educate end users on this and similar threats; implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; and keep anti-virus/anti-malware, hardware, and software updated.
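As an added example (not code from the NJCCIC alert or the FireEye report), the following Python sketch shows one detection idea a defender can derive from the RDP lateral-movement TTP described above: flag an account that logs on via RDP to several distinct hosts from a single source within a short window. The log records are constructed and the JSON field names are assumed; the one fact relied on is that Windows Security event 4624 with logon type 10 denotes a RemoteInteractive (RDP) logon.

```python
"""Flag accounts whose RDP logons fan out to many hosts in a short window.

Added example for this alert; not NJCCIC or FireEye code. The log lines
below are constructed JSON records shaped loosely like Windows Security
event 4624 (logon type 10 = RemoteInteractive, i.e. RDP). Hostnames,
users and addresses are invented; field names are an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per line.
SAMPLE_LOG = """
{"ts": "2019-01-30T09:00:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.5.21", "host": "WS-112"}
{"ts": "2019-01-30T09:04:00", "event_id": 4624, "logon_type": 10, "user": "svc-backup", "src_ip": "10.0.5.21", "host": "FS-01"}
{"ts": "2019-01-30T09:07:00", "event_id": 4624, "logon_type": 10, "user": "svc-backup", "src_ip": "10.0.5.21", "host": "DC-01"}
{"ts": "2019-01-30T09:12:00", "event_id": 4624, "logon_type": 3, "user": "svc-backup", "src_ip": "10.0.5.21", "host": "FS-02"}
{"ts": "2019-01-30T09:15:00", "event_id": 4624, "logon_type": 10, "user": "svc-backup", "src_ip": "10.0.5.21", "host": "HR-DB-01"}
{"ts": "2019-01-30T13:00:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.5.21", "host": "WS-113"}
"""

LOGON_EVENT_ID = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_events(text):
    """Parse newline-delimited JSON records, converting timestamps to datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def rdp_fan_out(events, window=timedelta(hours=1), min_hosts=3):
    """Return {user: [hosts]} for each user whose RDP logons from one source
    address reach at least `min_hosts` distinct hosts within `window`.

    Network logons (type 3) and other logon types are ignored so that
    ordinary file-share traffic does not trip the rule.
    """
    by_actor = defaultdict(list)
    for e in events:
        if e.get("event_id") == LOGON_EVENT_ID and e.get("logon_type") == RDP_LOGON_TYPE:
            by_actor[(e["user"], e["src_ip"])].append(e)

    findings = {}
    for (user, _src), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over the time-sorted RDP logons of this (user, source) pair.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = sorted({e["host"] for e in evs[start:end + 1]})
            if len(hosts) >= min_hosts:
                # Record the hosts reached in the most recent qualifying window.
                findings[user] = hosts
    return findings


if __name__ == "__main__":
    for user, hosts in rdp_fan_out(parse_events(SAMPLE_LOG)).items():
        print(f"RDP fan-out by {user}: {', '.join(hosts)}")
```

On the constructed sample the service account is flagged (three RDP hosts in eleven minutes, with its type 3 network logon ignored) while the interactive user, whose two RDP sessions are hours apart, is not. Thresholds are environment-specific: administrators and jump hosts legitimately RDP to many systems, so an allow-list or a per-role baseline belongs in front of this rule before it feeds an alert.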