Iranian Hackers Target Global Airlines to Steal Sensitive Data
APT39, a hacker collective connected to Iran’s Ministry of Intelligence and Security (MOIS), has been exposed as operating through the Iranian company Amnban (Sharif Advanced Technologies), whose internal systems were compromised in a significant cybersecurity incident.
Launched in 2018 and trading on the credentials of Sharif University and Amir Kabir alumni, Amnban presented itself as a legitimate penetration testing and security consulting entity via its website at www.amnban.ir.
State-Sponsored Cyber Espionage
However, the leaked gigabytes of data expose a sophisticated state-sponsored campaign involving cyber network exploitation (CNE) and preparation for cyber network attacks (CNA), systematically harvesting sensitive personally identifiable information (PII) from millions of airline passengers worldwide.
This includes passport numbers, home addresses, contact details, and recent photographs, enabling surveillance, identity theft, and potential human rights violations by Iranian intelligence.
The breach underscores Amnban’s inability to secure its own infrastructure, ironically highlighting vulnerabilities in Iran’s cyber ecosystem.
Evidence from the stolen files ties the firm directly to APT39, also known as Chafer, which focuses on intelligence gathering rather than financial gain.
Amnban’s CEO, Behnam Amiri, has been previously flagged by intelligence agencies for APT39 connections, while the company employed Ali Kamali, an FBI-sanctioned hacker implicated in attacks on U.S. infrastructure since 2020.
According to the report, frequent visits by MOIS operative Hamed Mashayekhi to Amnban’s offices further confirm the state ties.
Notably, longtime employee Arshia Akhavan (father’s name: Reza) has recently immigrated to the United States, raising questions about his entry despite overlapping activities with FBI and U.S. Treasury announcements on APT39; it remains unclear if Homeland Security will intervene.
Social Engineering Tactics
Under the guise of open-source intelligence (OSINT) training, Amnban conducted unauthorized reconnaissance on a wide array of targets, including airlines such as Royal Jordanian, Turkish Airlines, Wizz Air, Rwanda Airlines, Etihad, Emirates, Qatar Airways, Oman Air, Kenya Airways, Air Tanzania, Air Botswana, LOT Airlines, AZAL, FlyDubai, Air Arabia, Azimuth Airlines, Ukraine International Airlines, Uganda Airlines, and Zambia Airways.
Freight companies like FedEx, USPS, DHL, and Aramex were also probed, alongside Russian entities, illustrating a pattern that spans allies and adversaries of Iran.
Leaked videos and reconnaissance reports detail methodical mapping of attack vectors, including vulnerability assessments and operational blueprints stored in “Projects” and “R&D” folders, a structure indicative of intelligence-driven operations rather than legitimate security research.
These documents outline no client authorizations, suggesting high-level protection from Iranian authorities.
Beyond airlines, Amnban’s campaigns extended to cryptocurrency exchanges through advanced social engineering documented in files like “social engineering.docs.”
Operatives created fake LinkedIn profiles to profile and phish employees, such as Arthur in KuCoin’s API department, offering freelance incentives or bribes for network access.
When persuasion failed, they deployed tracking links to harvest IP addresses, device fingerprints, and geolocation data, as seen in interactions with CoinSwitch’s Anil Kumar and Binance agent Naliya, where psychological manipulation using incomprehensible language induced clicks on malicious payloads.
Profiles of targets like Minty Liu, a KuCoin VIP manager, included assessments of cooperation levels and bribery attempts, revealing a hybrid approach blending human intelligence (HUMINT) with technical exploitation.
Supporting these efforts is a shadow infrastructure of hundreds of virtual private servers (VPS) and fake email provisioning systems distributed globally, enabling persistent attack launches.
This network facilitates phishing, data exfiltration, and command-and-control (C2) operations, posing risks to international aviation security by potentially enabling system disruptions or targeted espionage.
The exposure calls for heightened vigilance among affected entities, with offers from the breach source to share company-specific files via official emails, underscoring the urgent need for forensic analysis and international countermeasures against such state-backed threats.