Iranian Espionage Group, BladedFeline, Targeting Kurdish Officials Since 2017

A recently released report indicates that the Iranian espionage group known as BladedFeline has been operating undetected for over six years, specifically targeting Kurdish and Iraqi officials. Initial detection occurred in 2023 when this group executed a sophisticated hacking operation that involved backdooring systems crucial to the Kurdistan Regional Government.
Cybersecurity firm Eset reported that its telemetry data confirms BladedFeline’s operations dating back to at least 2017. The group has since expanded its toolset beyond backdoors to include reverse tunnels and data exfiltration tools, enabling the transfer of stolen information to its command and control servers.
Iran’s approach toward Kurdish entities is complex, characterized by occasional support and underlying intimidation tactics aimed at its own Kurdish population. The Washington D.C.-based Kurdish Peace Institute indicated that espionage efforts can serve as gateways for future physical and cyber assaults against opponents, particularly in light of Iran’s aggressive maneuvers within the Kurdistan Region of Iraq.
According to the Washington Kurdish Institute, Iran views Iraqi Kurdistan as a potential threat, likely exacerbated by the region’s autonomy and the presence of U.S. military forces. This geopolitical landscape informs the urgency and focus of ongoing cyberespionage activities.
In a notable operation conducted in 2024, BladedFeline deployed a backdoor identified as “Whisper.” Once installed on a target device, Whisper accessed compromised Microsoft Exchange webmail accounts and communicated through email attachments, affecting Kurdish and high-ranking Iraqi officials as well as a telecommunications provider in Uzbekistan.
The firm also observed activity involving “PrimeCache,” a malicious Internet Information Services (IIS) module that displayed code similarities with the RDAT backdoor, previously used by another Iranian-linked group known as OilRig. This indicates a trend of Iranian APT groups sharing resources and tools.
Eset assesses, with moderate confidence, that BladedFeline is a subgroup of OilRig, which is historically tied to using various backdoors and cloud-based modules to infiltrate government and healthcare organizations primarily based in Israel.