June 29, 2016
US security firm Palo Alto Networks has managed to sinkhole the C&C server infrastructure of a threat group operating from Iran that had focused on high-value targets all over the globe.
The company first came across the group’s activities at the start of May, when it published a report on the group’s operations revealing malicious attacks going back to 2007, carried out with a custom piece of spyware named Infy.
The researchers have now revealed that, with the help of the hosting companies where the Iranian APT had kept its C&C servers and domains, they were able to take control of the cyber-espionage group’s entire infrastructure.
The researchers couldn’t hijack the entire network at once, so some C&C servers remained unaffected by the initial sinkhole. As soon as the threat group lost access to some of its servers, it started pushing out a new version of its malware configured with the C&C server IP addresses of its new network.