The Resurgent Cyber Threat From Iran

Uploaded on 2018-03-26 in INTELLIGENCE-Hot Spots-Iran, GOVERNMENT-National, FREE TO VIEW, NEWS-Cybersecurity News, TECHNOLOGY--Hackers

Experts are sounding the alarm about new cyber activity from Iran, as hackers become more emboldened and skilled at carrying out surveillance operations and other attacks outside the country’s borders.

In recent years, Iran-linked hacker groups have showed signs of growing sophistication, expanding their cyber tool kits and stepping up operations against new international targets, including in the Middle East and the United States. 

Iran’s growing ambitions, coupled with the geopolitical climate, have given some warning of the future threat. “They’re good enough that they’re able to break into a lot of organizations,” said Charles Carmakal, vice president at Mandiant, a FireEye subsidiary that provides cyber incident response to government and private organizations across the globe.

“There’s definitely a lot of fear by the intelligence agencies and lots of security companies about what Iran is going to do." 

Cybersecurity professionals have detected Iranian hackers breaking into networks of defense contractors, aviation firms, oil and gas companies, technology companies and telecommunications providers.

In February, cybersecurity firm Symantec revealed that the Iran-based hacking group dubbed “Chafer” had expanded spy operations to new targets across numerous sectors in Israel, Jordan, the United Arab Emirates, Saudi Arabia and Turkey, and successfully compromised a major telecommunications provider in the Middle East.

The group also began using several new hacking tools over the past year, including leveraging the “EternalBlue” exploit reportedly stolen from the National Security Agency by another hacker group.

While Symantec has no definitive evidence linking Chafer to the Iranian government, Vikram Thakur, the firm’s security response technical director, said the group’s targets, which include companies in the aviation sector, suggest a government motivation because the information would be more valuable in the public versus private sector.

“What we’ve noticed of the overall picture that the quantity of attacks that are originating from that geography are much, much higher than seven or eight years ago,” Thakur said. “In the coming years, we’d expect Chafer as well as other cyber actors originating from Iran to continue increasing their volumes of attack as well as their list of victims.”

In many cases, Iran-linked cyber activity is limited to intelligence operations. But some groups have also shown signs of destructive capabilities. Last September, FireEye identified a new Iranian hacking group that’s been dubbed “Advanced Persistent Threat 33,” or APT 33, that had been quietly conducting spying operations since at least 2013 against organizations in the US, Saudi Arabia and South Korea. The group has a particular eye toward the military, commercial aviation and energy sectors.

FireEye found evidence that APT 33 is capable of carrying out destructive attacks, linking it to a destructive “wiper” malware that can delete files.

Iran has a long history of malicious activity in cyberspace. US officials suspected Iran in the 2012 cyber assault against Saudi Arabian oil giant Saudi Aramco, in which hackers used destructive malware called “Shamoon” to wipe computer networks of data and replace the files with an image of a burning US flag. 

A new variant of the malware resurfaced in late 2016, infiltrating other Saudi Arabian computer systems. FireEye traced the 2016 activity back to Iran, though did not attribute it to a specific threat group. 

The US Justice Department earlier that year indicted seven Iranians believed to have been working at the behest of Tehran’s government for conducting distributed denial of service attacks on US financial institutions between 2011 and 2013, as tensions ran high over sanctions on Iran’s nuclear program.

Much of the attention in Washington has lately focused on the cyber threat from Russia, following Moscow’s interference in the 2016 presidential election.

Iran is still widely viewed by officials and cybersecurity professionals as inferior to China and Russia in terms of its capabilities. Still, experts say Iran’s hackers have notably grown more professional in a matter of years. Iran-linked hacking groups have increased the scale of their attacks and gotten better at hiding their tracks, in part by using virtual private networks to carry out operations so they cannot be traced back to Iran.

“They got better over the years,” said Carmakal. “When I think about the real impact to our safety and the impact to our business operations, I’m actually more concerned about Iran.” 

FireEye tracks other hacking groups it links to the Iranian government, including APT 34, which the firm says has conducted reconnaissance operations largely targeting critical infrastructure organizations in the Middle East since at least 2014. FireEye has attributed some of Chafer’s activity to APT 34.

The firm has also identified Iranian hacking group APT 35, which Ben Read, senior manager of cyber espionage analysis, described as “one of the most active groups” in 2017 of all nation-state actors tracked by FireEye. 

“They’ve shown a consistent interest in US companies,” said Read.
US officials have warned of mounting threats from Iran and other nation-states in the cyber realm.  

“We will see Chinese, Iranian and North Korean cyber actors continue to build off past successes to improve the scope and scale of their cyber capabilities,” Director of National Intelligence Dan Coats told the US Senate Armed Services Committee.

Lt. Gen. Robert Ashley, director of the Defense Intelligence Agency, also warned lawmakers that Iran and North Korea “can launch disruptive cyber-attacks and use cyberspace as a means to asymmetrically respond to perceived challenges in political, military, or economic domains” despite being less capable than other threat actors. 

Some speculate Iran could increase malign cyber activity against the United States if tensions run high between Washington and Tehran.

A report released by Carnegie Endowment for International Peace in January observed that destructive Iranian cyber operations against the US had decreased since the early negotiations of the Iran nuclear deal. They noted, however, that the US should expect Tehran to target economic, civilian, and government networks in the event of “renewed hostilities.”
President Trump has threatened to withdraw from the Iran nuclear deal, though he declined to topple the 2015 agreement in January by waiving key sanctions on Tehran. 

Meanwhile, the Trump administration imposed new sanctions on Iran related to its ballistic missile activity and crackdown on dissidents, for which Iran promised to retaliate. 

“I think they are a significant threat to organisations in the US, particularly those in the national security area,” Read said.

“What is really going to change how much of a threat they are is the overall geopolitical situation.”

The Hill:

You Might Also Read: 

Iran Adopts Russian Style CyberWar Tactics:

Iran’s Cyberwar Could Infiltrate Your Mailbox:

 


 

 

« Russia Can Disconnect From The Internet
UK Police Helping Business Fight Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Bob's Business

Bob's Business

Bob's Business adopts a fresh approach to information security awareness and compliance training, delivering key information through the use of short animated movies.

RKH Specialty

RKH Specialty

RKH Specialty, part of the Hyperion Insurance Group, is a provider of specialty insurance services including Cyber Risk cover.

Qufaro

Qufaro

Qufaro is a new initiative designed to make it simpler for those with career ambitions in cyber security to access the UK’s cyber-specific education and innovation opportunities.

Kryptus

Kryptus

Kryptus provides a wide array of solutions for hardware, firmware and software ranging from semiconductors to complex digital certificate management systems.

Real Random

Real Random

Real Random is on a mission to enhance existing and new crypto-systems with its revolutionary solution to generating numbers that are Truly Random.

Ziroh Labs

Ziroh Labs

Ziroh Labs leverages advanced cryptography to keep your highly sensitive, private data safe throughout the lifecycle of data.

GlobalPlatform

GlobalPlatform

GlobalPlatform’s specifications are highly regarded as the international standard for enabling digital services and devices to be trusted and securely managed throughout their lifecycle.

AppGuard

AppGuard

AppGuard prevents breaches by blocking applications from performing inappropriate processes using our patented dynamic isolation and inheritance technologies.

FortifyData

FortifyData

FortifyData is the next generation of cyber risk management–a comprehensive platform that continuously evaluates your third-party, internal and people risks.

CyberSheath Services International

CyberSheath Services International

CyberSheath integrates your compliance and threat mitigation efforts and eliminates redundant security practices that don’t improve and in fact might probably weaken your security posture.

ClearHub

ClearHub

The aim of ClearHub is simple: to give businesses like yours access to the best talent, all screened and technically tested by Clearvision’s expert team.

Prime Technology Services

Prime Technology Services

Prime Tech are a group of Red Hat, Microsoft & Cisco Certified IT Professionals with an impressive track record of consistently delivering value to our corporate clients.

Utimaco

Utimaco

UTIMACO develops on-premises and cloud-based hardware security modules, solutions for key management, data protection and identity management as well as data intelligence solutions.

Trojan Horse Security

Trojan Horse Security

Trojan Horse Security are specialists in corporate security. Our services include: Comprehensive Cyber Security Analysis, Penetration Testing, Network Security and Security Audits.

CyberloQ Technologies

CyberloQ Technologies

CyberloQ Secure is a cybersecurity solution that enables clients to implement highly robust Multi-Factor Authentication (MFA) that includes client-defined location-based geofencing constraints.

DataPatrol

DataPatrol

DataPatrol is a software company, specialized in providing Security and Privacy of company’s data and information in an evolved way.