The infrastructure used by an Iranian cyberespionage group to control infected computers around the world has been hijacked by security researchers.
Researchers from Palo Alto Networks came across the group’s activities earlier this year, but found evidence that it has been operating since at least 2007. Its main tool is a custom malware program dubbed Infy, which was repeatedly improved over the years.
The researchers have worked with domain registrars to seize the domains used by the attackers to control Infy-infected computers and to direct victims’ traffic to a sinkhole server — a server the researchers controlled.
Control of the server was then transferred to the Shadowserver Foundation, an industry group that tracks botnets and works with ISPs and other parties to notify victims.
Sinkholing the command-and-control (C2) infrastructure took away the hackers’ ability to steal data from victims, something they unsuccessfully tried to correct when they realized something was amiss.