Iranian Hackers Linked To Malware

For more than 5 years, Iran has maintained a reputation as one of the most aggressive nations in the global arena of state-sponsored hacking, stealing data from corporate and government networks around the world.

They have been bombarding US banks with cyberattacks, and most brazen of all, unleashing multiple waves of computer-crippling malware that hit tens of thousands of PCs across the Middle East.

But amidst that noisy mayhem, one Iranian group has managed to quietly penetrate a broad series of targets around the world, until now evading the public eye. And while that group seems to have stuck to traditional spying so far, it may also be laying the groundwork for the next round of destructive attacks.

Security firm FireEye has released new research into a group it calls Advanced Persistent Threat 33, attributing a prolific series of breaches of companies in the aerospace, defense, and petrochemical industries in countries as wide-ranging as Saudi Arabia, South Korea, and the US.

While FireEye has closely tracked APT33 since May of last year, the security firm believes the group has been active since at least 2013, with firm evidence that it works on behalf of Iran's government.

And though FireEye describes APT33's activities as largely focused on stealthy spying, they've also found links between it and a mysterious piece of data-destroying malware that security analysts have puzzled over since earlier this year.

"This could be an opportunity for us to recognise an actor while they’re still focused on classic espionage, before their mission becomes more aggressive," says John Hultquist, FireEye's director of intelligence analysis.

He compares APT33 to Sandworm, a hacking operation FireEye discovered in 2014 and tied to Russia, which began with spying intrusions against NATO and Ukrainian targets before escalating to data-wiping attacks in 2015 and finally two sabotage attacks against the Ukrainian power grid. "We've seen them deploy destructive tools they haven’t used. We're looking at a team whose mission could change to disruption and destruction overnight."

FireEye says it's encountered signs of APT33 in six of its own clients' networks, but suspects far broader intrusions. For now, it says the group's attacks have focused on Iran's regional interests. Even the targets in the US and Korea, for instance, have comprised companies with Middle East ties, though FireEye declines to name any specific targets.

"They’re hitting companies headquartered all over the world," Hultquist says. "But they’re being swept up into this activity because they do business in the Gulf."

Seeds of Destruction

Beyond run-of-the-mill economic espionage, FireEye has found victim networks infected with a specific piece of dropper malware, software designed to deliver one or more further malware payloads, that the security firm calls DropShot.

That dropper had in some cases installed another malware weapon, which FireEye calls ShapeShift, designed to wipe target computers by overwriting every portion of a computer's hard drive with zeros.

While FireEye did not find that destructive malware in networks where it had identified APT33 hackers, it did find the same dropper used in APT33's intrusions to install a piece of backdoor software it called TurnedUp. It has also never seen the DropShot dropper used by another distinct hacker group, or distributed publicly.

The notion that Iranian hackers may be prepping another round of destructive attacks would hardly represent a break from form. In 2012, Iran-linked hackers calling themselves "Cutting Sword of Justice" used a piece of similar "wiper" malware known as Shamoon to overwrite the hard drives of 30,000 computers at Saudi oil behemoth Saudi Aramco with the image of a burning US flag.

The same year, a group calling itself the Izz ad-Din al-Qassam Cyber Fighters took credit for an unrelenting series of distributed denial of service attacks on US banking sites known as Operation Ababil, purportedly in revenge for the anti-Muslim YouTube video "the Innocence of Muslims".

Those attacks, too, were eventually pinned on Iran. And last year another round of Shamoon attacks ripped through the Middle East, destroying thousands more machines, this time overwriting the drives with the image of the body of a 3-year-old Syrian refugee who drowned in the Mediterranean.

Security firm Kaspersky first spotted ShapeShift in March of this year, calling it StoneDrill. Kaspersky noted that it resembles Shamoon, but with more techniques designed to evade security mechanisms, like the "sandbox" protections that limit a given application's access to the rest of a target computer.

Kaspersky wrote at the time that one of the two targets in which it found StoneDrill malware was European, whereas Shamoon's attacks had been confined to the Middle East. "Why is this worrying?" asked Kaspersky founder Eugene Kaspersky in a blog post about the discovery.

"Because this finding indicates that certain malicious actors armed with devastating cyber-tools are testing the water in regions in which previously actors of this type were rarely interested."

Critical infrastructure security firm Dragos has also tracked APT33, says the company's founder Robert M. Lee, and found that the group has focused the majority of its attention on the petrochemical industry. Dragos' findings back up FireEye's warning that the group seems to be sowing infections for destructive attacks.

"This is economic espionage with the added ability to be destructive, but we have no reason to think they’ve gone destructive yet," says Lee. He notes that despite the industrial focus of the hackers, they haven't tailored their malware to industrial control systems, only mainstream computer operating systems. "That didn't stop Iranian hackers from doing massive damage to Saudi Aramco."

FireEye's evidence tying APT33 to Iran goes further than mere similarities between ShapeShift and Iran's earlier destructive malware, Shamoon. It also found plentiful traces of the Iranian national language Farsi in ShapeShift, as well as in the DropShot dropper used to install it.

Analysing the group's active hours, FireEye found them heavily concentrated during Tehran business hours, almost entirely ceasing during the Iranian weekend of Thursday and Friday.
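One way to run the working-hours analysis described above, as an added example that is not part of the original article or FireEye's own tooling: it converts a constructed set of UTC activity timestamps to Tehran local time and measures how much of the activity falls inside an assumed 08:00-18:00 workday and on the Thursday/Friday weekend. The fixed UTC+03:30 offset, the workday window and the match thresholds are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed UTC+03:30 is assumed here so the example runs without tzdata;
# a real analysis should use zoneinfo.ZoneInfo("Asia/Tehran") so that
# the historical daylight-saving shifts in force in 2017 are applied.
TEHRAN = timezone(timedelta(hours=3, minutes=30), name="IRST")
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local; an assumed workday
IRAN_WEEKEND = {3, 4}           # datetime.weekday(): Thursday=3, Friday=4

# Constructed sample of activity timestamps in UTC, as an analyst might
# collect them from sample compile times or C2/proxy logs (not real data).
SAMPLE_EVENTS_UTC = [
    "2017-09-18T05:30:00Z",  # Mon 09:00 Tehran
    "2017-09-18T09:15:00Z",  # Mon 12:45 Tehran
    "2017-09-19T04:45:00Z",  # Tue 08:15 Tehran
    "2017-09-19T12:30:00Z",  # Tue 16:00 Tehran
    "2017-09-20T06:00:00Z",  # Wed 09:30 Tehran
    "2017-09-21T06:00:00Z",  # Thu 09:30 Tehran (Iranian weekend)
    "2017-09-23T07:00:00Z",  # Sat 10:30 Tehran
    "2017-09-24T11:00:00Z",  # Sun 14:30 Tehran
    "2017-09-24T20:00:00Z",  # Sun 23:30 Tehran (outside workday)
    "2017-09-25T01:00:00Z",  # Mon 04:30 Tehran (outside workday)
]

def to_local(ts_utc, tz):
    """Parse an ISO-8601 UTC string and convert it to the candidate timezone."""
    dt = datetime.strptime(ts_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.astimezone(tz)

def activity_profile(events_utc, tz=TEHRAN, weekend=IRAN_WEEKEND):
    """Return (share inside business hours, share on the weekend, counts per weekday)."""
    local = [to_local(e, tz) for e in events_utc]
    in_hours = sum(d.hour in BUSINESS_HOURS for d in local) / len(local)
    on_weekend = sum(d.weekday() in weekend for d in local) / len(local)
    return in_hours, on_weekend, Counter(d.strftime("%a") for d in local)

def fits_workweek(events_utc, tz=TEHRAN, weekend=IRAN_WEEKEND,
                  min_in_hours=0.7, max_on_weekend=0.15):
    """Thresholds are assumptions; a match is one weak attribution signal, not proof."""
    in_hours, on_weekend, _ = activity_profile(events_utc, tz, weekend)
    return in_hours >= min_in_hours and on_weekend <= max_on_weekend

if __name__ == "__main__":
    hours, wknd, days = activity_profile(SAMPLE_EVENTS_UTC)
    print(f"in business hours: {hours:.0%}, on Thu/Fri: {wknd:.0%}, by day: {dict(days)}")
    print("consistent with a Tehran work week:", fits_workweek(SAMPLE_EVENTS_UTC))
```

Passing a different `tz` and `weekend` set to `fits_workweek` lets you compare candidate regions on the same data; neighbouring offsets score similarly on hours alone, so the weekend pattern carries most of the discriminating weight.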

The group's other hacking tools are ones commonly used by Iranian hackers, FireEye says. And one hacker whose pseudonym, "xman_1365_x", was included in the TurnedUp backdoor tool is linked to the Iranian Nasr Institute, a suspected Iranian government hacking organization.

APT33's attacks have in many cases begun with spearphishing emails that bait targets with job offers; FireEye describes the general polish and details of those messages down to the fine print of their "Equal Opportunity" statements.

But the company also notes that the group at one point accidentally fired off its emails without changing the default settings of its phishing software tool, complete with the subject line "your site hacked by me", a rare one-off, sloppy mistake for a prolific state hacking group.

Ready to Blow

Even as Iran's hackers have caused mayhem for its neighbors, the country hasn't been tied to any high-profile hacker attacks against the US since 2012, perhaps in part due to the Obama administration's 2015 agreement with Tehran to end its nuclear development program.
 
But America's brief rapprochement with Iran may be closing again: President Trump recently spoke at the UN General Assembly, accusing Iran's government of pursuing "death and destruction," and calling the Obama deal with Tehran "an embarrassment."

Though APT33 seems focused for the moment on regional espionage, it's also carrying out "reconnaissance for attack," says FireEye's Hultquist. "With a sudden geopolitical shift, that behavior could change."

If it does, the group may already have its malware bombs planted around the world, ready to detonate.

Wired:
