A previously undetected Iranian cyber espionage group with potential links to the country’s government has been stealing travel information and mobile data of individuals in the Middle East, a new report says.



According to cybersecurity research firm FireEye, the Iranian group, dubbed APT39, has targeted a wide range of people, especially in the Gulf.

FireEye analysts had been following the group’s activities since 2014, said FireEye’s senior manager for cyber espionage analysis, Benjamin Read.

Read said it was unclear in what capacity the group was working, and how it supported the Iranian government, but that the group was not collecting data that could be easily monetized. Instead, it has been collecting individuals’ call data and information about travel routes rather than credit card numbers or billing information.

“There are criminal groups operating out of Iran, but this kind of information is going to be more useful to a government,” he said. “We believe they’re acting in support of the Iranian government.”

Read declined to say which countries or individuals were specifically targeted.

The group’s operating times were consistent with the Iranian workday, he added, and it had used Persian-language words in encrypting data. The group operates by using “spear-phishing” emails that target specific people and include malicious attachments or links that entice the recipient to click, the report says.

The report comes after the EU’s digital security body stated Iran is likely to ramp up its cyber espionage efforts, particularly in the region. Iran has in the past rejected charges that the country engages in cyber espionage, saying Iranian cyber capabilities are for defense only.