APT39, attributed to Iran, is a global threat actor with a concentration of activity in the Middle East. The group primarily targets the telecommunications sector, alongside the travel industry, IT firms supporting those sectors, and the high-tech industry. For initial compromise it relies on spearphishing emails carrying malicious attachments or hyperlinks, which typically result in a POWBAT infection. APT39 frequently registers and uses domains that masquerade as legitimate web services and as organizations relevant to its intended targets. Unlike other Iranian groups tracked by FireEye, APT39 focuses on widespread theft of personal information.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on APT39, 45 associated individuals, and one front company. APT39 was designated pursuant to E.O. 13553 for being owned or controlled by Iran's Ministry of Intelligence and Security (MOIS); MOIS itself had previously been designated on February 16, 2012 under Executive Orders 13224, 13553, and 13572, which target terrorists and those responsible for human rights abuses in Iran and Syria. Concurrently, the U.S. Federal Bureau of Investigation (FBI) released detailed information about APT39 in a public intelligence alert. That alert was the product of a long-term investigation by the FBI Boston Division, which identified these individuals and their roles within MOIS and APT39.
APT39's activities demonstrate Iran's potential global operational reach and its use of cyber operations as a low-cost, effective tool to collect key data on perceived national security threats and gain advantages against regional and global rivals. APT39 has not only targeted international entities but also victimized Iranian private sector companies and academic institutions, including domestic and international Persian language and cultural centers. The group typically archives stolen data using compression tools like WinRAR or 7-Zip.
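The archiving behaviour noted above (staging stolen data with WinRAR or 7-Zip before exfiltration) is one of the few concrete, host-observable TTPs on this page, so here is an added detection example for it. This is not code from the page, FireEye, the FBI alert or any APT39 tooling; it is a hunt written for this entry. It runs over constructed process-creation events in an assumed "timestamp host user command-line" format (not a real telemetry schema), and flags archive-creation commands (`a`/`u`) issued to rar.exe, WinRAR.exe, 7z.exe, 7za.exe or 7zG.exe, raising the severity when a password switch (`-p<pw>`, WinRAR's `-hp<pw>`, or 7-Zip's `-mhe=on` header encryption) is present, since encrypted archives of bulk data are a classic pre-exfiltration sign. The switch semantics are real WinRAR/7-Zip syntax; everything else (the sample lines, hostnames, user names and paths) is constructed.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample process-creation events for this example; not real APT39
# telemetry. Assumed format: "<timestamp> <host> <user> <command line>".
SAMPLE_EVENTS = [
    '2024-05-04T10:01:02Z WS01 jdoe "C:\\Program Files\\WinRAR\\rar.exe" a -r -hpS3cret -m5 '
    'C:\\Users\\jdoe\\AppData\\Local\\Temp\\out.rar C:\\Users\\jdoe\\Documents\\',
    '2024-05-04T10:03:44Z WS02 svc_backup "C:\\Program Files\\7-Zip\\7z.exe" a -pHunter2 -mhe=on '
    'C:\\Windows\\Temp\\1.7z \\\\FS01\\hr\\personnel\\',
    '2024-05-04T10:05:10Z WS03 analyst "C:\\Program Files\\7-Zip\\7z.exe" x C:\\Users\\analyst\\Downloads\\tools.7z',
    '2024-05-04T10:06:00Z WS04 jdoe notepad.exe C:\\Users\\jdoe\\notes.txt',
]

# Image names of the two archivers, by basename (case-insensitive).
ARCHIVERS = {
    "rar.exe": "winrar", "winrar.exe": "winrar",
    "7z.exe": "7zip", "7za.exe": "7zip", "7zg.exe": "7zip",
}


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    tool: str
    archive: str          # destination archive path as given on the command line
    password_set: bool    # a -p / -hp / -mhe=on switch was present
    severity: str         # "high" when password-protected, else "medium"


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_command(cmdline):
    """Return (tool, archive_path, password_set) for an archive-creation call to
    WinRAR or 7-Zip, or None for anything else (extraction, listing, other exes)."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    tool = ARCHIVERS.get(PureWindowsPath(toks[0]).name.lower())
    if tool is None:
        return None
    # Both tools share the grammar: <exe> <command> [switches] <archive> [files...]
    # Switches start with '-' and may appear anywhere after the command letter.
    positional = [t for t in toks[1:] if not t.startswith("-")]
    switches = [t for t in toks[1:] if t.startswith("-")]
    if not positional or positional[0].lower() not in ("a", "u"):
        return None  # 'a' (add) and 'u' (update) create/extend archives; 'x', 'l' etc. do not
    archive = positional[1] if len(positional) > 1 else ""
    # -p<pw>: password (both tools); -hp<pw>: WinRAR, also encrypts file names;
    # -mhe=on: 7-Zip header encryption, which requires a password as well.
    password_set = any(
        s.startswith(("-p", "-hp")) or s.lower() == "-mhe=on" for s in switches
    )
    return tool, archive, password_set


def parse_event(line):
    """Split one constructed event into (timestamp, host, user, command line)."""
    ts, host, user, cmd = line.split(" ", 3)
    return ts, host, user, cmd


def hunt(events):
    """Return a Finding for every archive-creation command in the event stream."""
    findings = []
    for line in events:
        ts, host, user, cmd = parse_event(line)
        hit = analyze_command(cmd)
        if hit is None:
            continue
        tool, archive, pw = hit
        findings.append(Finding(ts, host, user, tool, archive, pw,
                                "high" if pw else "medium"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.timestamp} {f.host}/{f.user} {f.tool} -> {f.archive}"
              f" (password={'yes' if f.password_set else 'no'})")
```

Two caveats a practitioner should keep in mind: the match is on the image basename, so a renamed or dropped copy of rar.exe evades it unless the rule is also keyed on file hash or original-filename metadata, and the page says nothing about the exact command lines APT39 used, so the switch handling covers documented WinRAR/7-Zip syntax generally rather than a known APT39 invocation. Pairing a "medium" hit with a large source directory, a temp-path destination, or a following network transfer is what turns this from a noisy indicator into an alert.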
Description last updated: 2024-05-04T17:41:57.570Z