Deconstructing the DOJ Iranian Hacking Indictment

The alleged attackers used fairly simple tools, techniques and procedures to compromise a new victim organization on an almost weekly basis for over five years.
On March 23, the United States Justice Department unsealed an indictment against nine attackers operating out of Iran, believed to be working on behalf of the Iranian government. The indictment outlined the tools and techniques used, who was targeted, what the attackers were after, and how successful they were in compromising their targets.
More importantly, we learned that the defendants are purported to have run an incredibly successful campaign over a five-year period using fairly simple techniques to gain access to a variety of primarily academic targets. The indictment does not discuss anything related to exploits, compromised computers, malware, or any other technical tools or techniques commonly associated with breaches. It appears that the attackers were able to accomplish all of their objectives using a combination of tailored spearphishing messages utilizing open source information from the Internet and automated password spraying. Their end goal appears to be to gain control of the user accounts of individuals in order to harvest intellectual property. Let's dig in.
According to the newly unsealed indictment, these attackers conducted "coordinated cyber intrusions into computer systems belonging to at least approximately 144 United States based universities...176 universities located in 21 foreign countries...at the behest of the Government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC)." These attacks have been ongoing since approximately 2013.
The attackers also targeted a number of federal and state agencies, including the United Nations, the Federal Energy Regulatory Commission, and two state governments (Hawaii and Indiana), as well as private organizations ranging across almost a dozen different business verticals, from biotechnology to stock image sales. According to the indictment, the attackers were able to compromise five agencies, 47 private sector companies, and two nongovernmental organizations (NGOs).
According to the indictment, the group attacked not one but two private organizations that deal in online automobile sales and a company that specializes in food and beverages — companies that likely never considered that they'd be the target of attackers working for the Iranian military. The reality is that nation-state-sponsored attackers are not just looking for state secrets but also intellectual property (IP) or personally identifiable information. As such, all organizations need to take appropriate precautions to protect themselves and follow best practices — such as strong password policies and multifactor authentication — for security.
According to the indictment, the hackers used tools, techniques, and procedures (TTPs) commonly associated with advanced persistent threat actors to compromise the accounts of university professors. They started with reconnaissance of their targets using open source information from the Internet, focusing on academic interests and publications. They then followed up with tailored spearphishing emails from external email addresses, or from other compromised victims' email in-boxes. The objective of these spearphishing messages was to use social engineering to trick the professors into entering their credentials (in this case, username and password) into an attacker-controlled website masquerading as a legitimate domain.
To compromise private sector targets, the attackers utilized the technique of password spraying, in which, as described in the indictment, the defendants "first collected lists of names and email accounts associated with the intended victim company through open source internet searches. Then, they attempted to gain access to those accounts with commonly-used passwords..." According to the indictment, password spraying was the technique used against a number of federal and state agencies, as well as NGOs.
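Password spraying has a recognizable shape in authentication logs: one source tries many distinct accounts with only one or two guesses each, which is exactly the pattern that per-account lockout thresholds miss. The following detector is an added example written for this article, not code from the indictment or from any vendor; the log format and the sample lines are constructed, and the thresholds (five distinct accounts within ten minutes, at most two attempts per account) are assumptions to tune against real data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# 203.0.113.7 touches six accounts once each and lands one success: a spray.
# 198.51.100.9 hammers a single account: brute force, not a spray.
# 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2018-03-01T09:00:01Z auth result=FAIL user=alice src=203.0.113.7
2018-03-01T09:00:03Z auth result=FAIL user=bob src=203.0.113.7
2018-03-01T09:00:05Z auth result=FAIL user=carol src=203.0.113.7
2018-03-01T09:00:08Z auth result=FAIL user=dave src=203.0.113.7
2018-03-01T09:00:10Z auth result=SUCCESS user=erin src=203.0.113.7
2018-03-01T09:00:12Z auth result=FAIL user=frank src=203.0.113.7
2018-03-01T09:05:00Z auth result=FAIL user=alice src=198.51.100.9
2018-03-01T09:05:02Z auth result=FAIL user=alice src=198.51.100.9
2018-03-01T09:05:04Z auth result=FAIL user=alice src=198.51.100.9
2018-03-01T09:05:06Z auth result=SUCCESS user=alice src=198.51.100.9
2018-03-01T11:00:00Z auth result=SUCCESS user=bob src=192.0.2.44
"""

# Assumed line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_attempts_per_user=2):
    """Return one alert per source that, inside any `window`, tried at least
    `min_users` distinct accounts with no more than `max_attempts_per_user`
    attempts against any one of them (the low-and-slow spray signature).
    Successful logins inside the window are reported so responders know
    which accounts need credential resets."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
                successes = sorted({e["user"] for e in evs[start:end + 1]
                                    if e["result"] == "SUCCESS"})
                candidate = {
                    "src": src,
                    "distinct_users": len(per_user),
                    "window_start": evs[start]["ts"].isoformat(),
                    "window_end": evs[end]["ts"].isoformat(),
                    "successful_users": successes,
                }
                # Keep the widest window seen for this source.
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

Pairing this with the per-account failure counters most systems already have is deliberate: the single-account brute force from 198.51.100.9 is left to those counters, while the spray from 203.0.113.7 is caught by the distinct-account count, and the successful login for `erin` inside the spray window is the signal that matters for response.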
Neither of these techniques is particularly new or novel, but both have proven to be consistently effective. In the case of the universities, tailored spearphishing messages directing victims to fake login pages are difficult for defensive security (or "blue") teams to prevent. A critical control here would be to add a second authentication factor (also called multifactor authentication or MFA) for all logins, which would render the stolen username/password credentials much less valuable. It's important to enforce MFA across all accounts and not just selectively, because attackers will usually find the weak link if one exists.
The attackers also purportedly utilized email forwarding rules to forward all sent and received messages from the victim mailbox to mailboxes they controlled. This is important because even if a victim organization later deployed MFA controls to prevent access to the in-box itself, the attackers would still have access to the contents of the victim's in-box and the communications of the victim. Also, if the victim organization decided to allow a one-time passcode sent by email as a secondary authentication factor, the email-forwarding rules would have allowed the attackers to regain access.
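Because forwarding rules survive a password reset and an MFA rollout, auditing them is a separate step from securing the login. The audit below is an added example for this article, not code from the indictment or from any mail platform: the rule records are constructed in a simplified shape (real platforms expose rules through their own APIs with different field names), the organization domain is assumed, and the severity levels are the author's choice. It flags any rule that forwards or redirects mail to an address outside the organization and notes whether the rule also hides the activity by deleting or marking messages as read.

```python
# Assumed domain(s) that count as "inside" the organization.
ORG_DOMAINS = {"example.edu"}

# Constructed sample inbox rules in a simplified, vendor-neutral shape.
SAMPLE_RULES = [
    {"mailbox": "prof.a@example.edu", "name": "Archive newsletters", "enabled": True,
     "conditions": {"from_contains": "newsletter"},
     "forward_to": [], "redirect_to": [], "delete": False, "mark_as_read": False},
    # Matches every message, copies it externally and marks it read so the
    # victim sees nothing unusual: the pattern the article describes.
    {"mailbox": "prof.a@example.edu", "name": ".", "enabled": True,
     "conditions": {},
     "forward_to": ["collector@mail-example.net"], "redirect_to": [],
     "delete": False, "mark_as_read": True},
    # Internal forward to an assistant: legitimate, not flagged.
    {"mailbox": "prof.b@example.edu", "name": "Copy to assistant", "enabled": True,
     "conditions": {},
     "forward_to": ["assistant@example.edu"], "redirect_to": [],
     "delete": False, "mark_as_read": False},
    # Disabled but pointing outside: worth a look, since it can be re-enabled.
    {"mailbox": "prof.c@example.edu", "name": "old", "enabled": False,
     "conditions": {"subject_contains": "invoice"},
     "forward_to": [], "redirect_to": ["x@example.org"],
     "delete": True, "mark_as_read": False},
]


def is_external(address, org_domains):
    """True when the address's domain is not one of the organization's domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in {d.lower() for d in org_domains}


def audit_forwarding_rules(rules, org_domains=ORG_DOMAINS):
    """Return a finding for every rule that sends mail copies outside the
    organization. Enabled rules are 'high'; disabled ones are 'info'.
    'hides_activity' marks rules that also delete or mark messages as read,
    and 'applies_to_all_mail' marks rules with no filtering condition."""
    findings = []
    for rule in rules:
        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        external = sorted(t for t in targets if is_external(t, org_domains))
        if not external:
            continue
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule["name"],
            "external_targets": external,
            "severity": "high" if rule.get("enabled", True) else "info",
            "hides_activity": bool(rule.get("delete") or rule.get("mark_as_read")),
            "applies_to_all_mail": not rule.get("conditions"),
        })
    # Highest severity first so the report leads with live exfiltration paths.
    findings.sort(key=lambda f: (f["severity"] != "high", f["mailbox"]))
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding_rules(SAMPLE_RULES):
        print(finding)
```

Running this periodically across all mailboxes, and alerting on rule creation events as they happen, closes the gap the article points out: the attacker keeps reading mail long after the password that let them in has stopped working.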
Preventing password spraying requires a well-thought-out and consistently enforced password policy as well as using a second factor of authentication. Using MFA reduces the inherent risk of having a "guessable" password by requiring a second level of user verification, such as a push verification or one-time passcode that is not easy to guess or bypass. However, for organizations where MFA is not implemented or not globally implemented, enforcing a strong password policy is a must.
Results: $3.4 Billion Worth of Stolen IP
The indictment makes several statements that describe the ultimate effectiveness of this campaign. Specifically, it alleges:
- Theft of approximately 31.5TB of academic data and intellectual property valued at $3.4 billion
- Successful compromise of approximately 320 universities globally
- Control over the user accounts and/or email in-boxes of 8,000 professors (out of over 100,000 targeted, or a success rate of approximately 8%)
- Successful compromise of 47 private organizations globally, as well as two NGOs
- Successful compromise of five state or federal agencies in the US
In addition to turning over the stolen data to the IRGC, the attackers also sold the stolen intellectual property to third parties as well as access to the accounts of professors, which could then be used to access private university computer systems.
Based on stats from the indictment, the attackers were allegedly able to compromise a new victim organization on an almost weekly basis for over five years, with very little variation in TTPs or targeting. They ran a focused and seemingly very successful campaign over an extended period of time.
In this case, attackers were able to gain control over numerous identities that had access to extensive intellectual property and then maintain control over those identities for an extended period of time. These organizations sustained significant damage without any internal systems or networks being accessed.
Password-based, single-factor authentication is no longer a sufficient access control to systems containing sensitive or private information, a fact that is widely known but continues to be a huge weakness for organizations. In fact, in June 2017 NIST published a new set of password guidelines that support additional controls. They recommended that organizations ban commonly used passwords that are often compromised by password spraying. NIST also states outright that passwords are insufficient and must be supported by MFA.
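The password-policy recommendation in the paragraph above, and the earlier point that a strong policy is a must wherever MFA is not yet universal, comes down to rejecting the passwords a spraying campaign will try first. The checker below is an added example for this article, not NIST's code or any product's: it follows the NIST SP 800-63B approach of checking length and a denylist rather than enforcing composition rules, but the denylist is a constructed stand-in for a real breached-password corpus, and the normalization steps (stripping trailing digits and symbols, undoing common character substitutions) are the author's assumptions about how users dress up a banned word.

```python
import re
import unicodedata

# Constructed stand-in for a corpus of breached/commonly used passwords.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "spring2018", "football", "iloveyou",
}

# Assumed substitutions users apply to dress up a banned word ("P@ssw0rd").
_SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i",
})


def _normalize(text):
    """Unicode-normalize, trim and lower-case so lookups are case-insensitive."""
    return unicodedata.normalize("NFKC", text).strip().lower()


def _base_form(norm):
    """Reduce 'welcome1!' or 'p@ssw0rd' to the banned word they are built on."""
    core = re.sub(r"[\d\W_]+$", "", norm)   # drop trailing digits/symbols
    core = re.sub(r"^[\d\W_]+", "", core)   # drop leading digits/symbols
    return core.translate(_SUBSTITUTIONS)


def check_password(candidate, username="", org_terms=(), min_length=8,
                   max_length=64, denylist=COMMON_PASSWORDS):
    """Return (accepted, reasons). Rejects short or over-long passwords,
    anything matching the denylist directly or after normalization, passwords
    containing the username or organization terms, and repetitive strings.
    No upper/lower/digit/symbol composition rules are imposed."""
    reasons = []
    norm = _normalize(candidate)

    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(candidate) > max_length:
        reasons.append(f"longer than {max_length} characters")

    if norm in denylist or _base_form(norm) in denylist:
        reasons.append("matches a commonly used password")

    # Use the local part when a full email address is supplied as the username.
    local = _normalize(username.split("@", 1)[0]) if username else ""
    if local and local in norm:
        reasons.append("contains the username")

    for term in org_terms:
        if _normalize(term) and _normalize(term) in norm:
            reasons.append(f"contains organization term {term!r}")

    if norm and len(set(norm)) <= 2:
        reasons.append("repetitive characters")

    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["Welcome1!", "P@ssw0rd", "alice2018!", "correct horse battery staple"]:
        print(pw, check_password(pw, username="alice@example.edu", org_terms=("Example",)))
```

The point of the normalization is that a spray list does not contain only `welcome`; it contains the predictable variants, so a checker that only does an exact lookup lets the variants through.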
Bottom line? Organizations need to adopt a comprehensive security strategy that covers not only physical assets like data centers or servers but also online identities and the user accounts that make up those identities. As for this group, it's likely that as long as their TTPs stay effective they will continue to compromise additional targets. The indictment itself is more of a political statement and doesn't significantly affect their ability to operate.
Cameron Ero is a security engineer based in San Francisco, currently working with Okta as part of their detection and response team. He has previously been a member of several blue teams including the Mandiant CIRT and the FireEye advanced detection team.