Iranian Hackers Have Infiltrated US Infrastructure

Uploaded on 2017-12-28 in GOVERNMENT-National, FREE TO VIEW, BUSINESS-Production-Utilities, BUSINESS-Production-Energy, INTELLIGENCE-Hot Spots-Iran, NEWS-Cybersecurity News, TECHNOLOGY--Hackers

A new research published by the security firm FireEye says  Iran's hacking activity show no signs of slowing down. FireEye calls them Advanced Persistent Threat 34, and has spent the last few years burrowing deep into critical infrastructure companies.

Given how aggressively Iran has pursued infrastructure hacking, previously targeting the financial sector and even a dam in upstate New York, the new findings serve as a warning, and highlight the evolving nature of the threat.
FireEye researchers tracked 34 of the group's attacks on institutions in seven Middle Eastern countries between 2015 and mid-2017, but says APT 34 has been operational since at least 2014. 

The group appears to target financial, energy, telecommunications, and chemical companies, and FireEye says it has moderate confidence that its hackers are Iranians. 

They log into VPNs from Iranian IP addresses, adhere to normal Iranian business hours, their work has occasionally leaked Iranian addresses and phone numbers, and their efforts align with Iranian interests. Namely, targeting the country's adversaries.

New APT in Town
There isn't definitive evidence of a direct link between APT 34 and APT 33, an Iranian hacking group and malware distributor FireEye published findings on in September. But researchers have seen APT 34 operating concurrently inside many of the same target networks as other Iranian hackers.

"We have seen, and this is with a lot of the Iranian actors, a very disconcerting or aggressive posture towards critical infrastructure organizations," says John Hultquist, director of intelligence analysis at FireEye. 

"APT 33 has targeted a lot of organisations in critical infrastructure in the Middle East and so has APT 34. They obviously represent opportunities for intelligence collection. But we always have to think about the alternative use of those intrusions or accesses as possible means for disruption and destruction, especially given the destructive incidents we’ve already seen with other Iranian actors."

To establish what Hultquist describes as beachheads, APT 34 uses involved operations to move deeper and deeper into a network, or exploit a toehold within one organisation to pivot into another. FireEye has observed the group compromising someone's email account at a target company, rifling through their archive, and restarting threads as old as a year, to trick the recipient into clicking a malicious attachment. The hackers also use compromised email accounts to spearphishing other companies, and leapfrog into their systems as well.

News Outlet
Another hacker group “Charming Kitten” used false identities to ferret out information, says Israel-based cybersecurity firm ClearSky. The espionage group known as Charming Kitten is believed to be behind a campaign targeting academic researchers, human rights activists, media outlets and political advisors focusing on Iran, according to a report published recently by Israel-based threat intelligence company ClearSky Cyber Security

The group has also set up a news outlet called The British News Agency to lure targets in. Most of the group's targets are in Iran, the US, Israel and the UK, the report said, but some come from countries including France, Germany, Switzerland, Denmark, India, Turkey and the United Arab Emirates.

The report detailed the various methods used to gain access to computers and private social accounts. Those include false identities, the impersonation of real companies, the insertion of malicious code into a breached website, also known as "watering hole attacks," and spear phishing, the process of pretending to be service providers like Gmail or Facebook to trick people into giving out personal information. 

Much effort went into creating a seemingly legitimate website for The British News Agency, including details about the agency and a contact list of the management team. The purpose of the site was to attract the targets and infect them with malware. 
The scope and systemic character of the attack reveal that it's not a private venture, said Head of Threat Intelligence at ClearSky Eyal Sela in an interview with Calcalist, and the threat intelligence community is quite sure Charming Kitten is only one of several such groups that are linked to the Iranian regime. 

The attack was not made for financial gain, said Mr. Sela: "not one person hacked suffered financial damage. The identity of the attacked, human rights activists and people with political ties, does not support the thesis that the campaign is connected to criminal groups." 

The real purpose of the attack is to ferret out information about Iranian dissenters, said ClearSky CEO Boaz Dolev in an interview with Calcalist. "They want to know who the researchers are talking to," he said, adding that the targets' contact lists serve as a list of traitors. "They want to know who in Iran is in contact with such people out of the country." 
According to the report, multiple Israeli researchers of Iran and the Middle East were sent emails and Twitter direct messages from accounts registered with seemingly Jewish Israeli names. Messages coming from one such account were presented as if coming from a journalist and political researcher at KNBC News. 

Other messages were presented as if coming from an Israeli political researcher raised in California who needed help with an article and also wanted to apply for a position at an Israeli university. Another message was described as coming from a Jewish girl living in Iran. These messages often linked to phishing pages. ClearSky cannot estimate how many accounts were successfully infiltrated, but the success rate for such attacks is usually around 10%, said Mr. Dolev. 

ClearSky reports also point out a connection between Charming Kitten and Behzad Mesri, also known as "Skote Vahshat," the Egyptian citizen indicted by the FBI for hacking into HBO and leaking episodes of several series, including Game of Thrones. According to the FBI, Mesri has been a member of an Iran-based hacking group called the Turk Black Hat security team at certain times.

According to ClearSky, Mr. Mesri follows entities connected to Charming Kitten on Twitter, and was in the Turk Black Hat group at the same time as a hacker called ArYaIeIrA, who now also appears in multiple domains owned by Charming Kitten. The report's authors estimate "with medium certainty" the Mr. Mesri is directly connected to Charming Kitten, and potentially is part of Charming Kitten. D.C.-based Security researcher Collin Anderson previously hypothesized. 

The Iranian attackers are active hackers recruited by the Iranian authorities, and not officially people recruited at a young age and then trained for the job said, Mr. Sela.

That's why they leave a public residue, like signatures in the websites they hack. Many of the group's members are Facebook friends with Mr. Mesri, said Mr. Sela: "these are not people that approve every friend request. They have maybe 200 friends. They only confirm people they know."

Calcalistech:       Wired

You Might Also Read:

Iran Responsible  For Cyber Attack On British Parliament:

The Growing Cyber Threat From Iran:

Tackling Cybercrime: Time For The Regional Gulf Cooperation Council To Join Global Efforts:


 

« Popular Streaming Sites Secretly Mine Cryptocurrency
Intelligent & Autonomous Security Robots »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Securosis

Securosis

Securosis is an information security research and advisory firm dedicated to improving the practice of information security.

Certification Europe

Certification Europe

Certification Europe (now Amtivo Ireland) is an accredited certification body which provides ISO management system certification, including ISO 27001.

Centripetal Networks

Centripetal Networks

Centripetal Networks was founded with one vision - to protect networks from advanced threats by simplifying intelligence-driven security.

Assured Information Security (AIS)

Assured Information Security (AIS)

AIS is committed to providing our customers with critical information security products, services, and training. We support diverse needs throughout business and industry.

Sequitur Labs

Sequitur Labs

Sequitur Labs is developing seminal technologies and solutions to secure and manage connected devices of today and in the future.

SlashNext

SlashNext

The SlashNext Internet Access Protection System (IAPS) provides Zero-Day protection against all internet access threats including Social Engineering & Phishing, Malware, Exploits and Callback Attacks.

HumanFirewall

HumanFirewall

Your secuirty is dorectly proportional to the awareness of your employees. Use Phishing simulation across your organization to train & profile user behavior.

Elpha Secure

Elpha Secure

Elpha Secure provides a comprehensive cybersecurity solution, combining technology and insurance to protect against cyber threats.

PreEmptive Solutions

PreEmptive Solutions

PreEmptive Protection hit the sweet spot between cost, convenience and functionality by helping you protect and secure your apps in a smarter way.

ShardSecure

ShardSecure

ShardSecure Microshard technology eliminates data sensitivity, providing security, privacy and compliance beyond encryption.

VeriClouds

VeriClouds

VeriClouds is a password verification service that helps organizations detect compromised passwords and stop account takeover attacks.

Interos

Interos

Interos is the operational resilience company — reinventing how companies manage their supply chains and business relationships — through a breakthrough AI SaaS platform.

Armexa

Armexa

Armexa is a leading provider of advanced industrial cybersecurity solutions that protect your critical OT and ICS infrastructure against ever-changing threats.

AnzenSage

AnzenSage

AnzenSage is a cybersecurity advisory consultancy specializing in security risk resilience for the food sector: agriculture, food manufacturing, food supply chain, vineyards, and wineries.

SalvageData Recovery Services

SalvageData Recovery Services

Since 2003, SalvageData has been providing high-quality data recovery with the certifications needed to work with any storage media manufacturer.

Getvisibility

Getvisibility

Getvisibility enables customers to detect, classify and protect sensitive information increasing data security, governance, compliance and lowering the risk of losing valuable data.