Attacks/Breaches
4/11/2014
02:48 PM
Connect Directly
RSS
E-Mail
50%
50%

Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says

New report details the rise of suspected Iranian and Syrian-based cyber-attacks.

The worlds of politics and business often intersect in the physical world, and the realm of cyberspace is no different. This was probably no clearer than in 2013, which saw a number of politically motivated attacks against companies across the world. In a new report from Mandiant, now part of FireEye, researchers describe a threat landscape where political conflicts have spurred hackers into action in attacks against the private sector. But while much of the talk about cyberespionage and attacks on the US has often centered on China, increased activity by attackers with suspected links to Iran and Syria is increasingly catching the attention of security experts.

"Although Iran has long been considered a second-tier actor behind China and Russia, recent speculation has focused on Iran's interest in perpetrating offensive network attacks against critical infrastructure targets," according to the report. "Iran is widely suspected to have been behind the August 2012 malware infections that targeted the networks of two energy companies, Saudi Aramco and the Qatar-based RasGas. Industry observers suggested that the Iranian government sponsored the attack after an Iranian nuclear facility was infected with the Stuxnet virus, widely believed to have been the work of the U.S. and Israel."

The energy sector in fact was one of the principal targets of many of the attacks suspected to be linked to Iranian-based hackers. Compared to hacking activities tied to China, the attacks seem less sophisticated. In the case of the Iranian-based attacks, the hackers tend to use publically-available tools rather than customized ones. They are only able to maintain a presence on compromised networks for an average of 28 days, compared with 243. In addition, 75% of the breaches suspected to be tied to Iranian hackers were detected by the victims, as opposed to 33% of attacks linked to China.

"What we did observe was activity consistent with network reconnaissance," says Laura Galante, manager of threat intelligence at Mandiant. "These suspected Iran-based actors are able to compromise a network -- albeit relying on victim networks with outdated vulnerabilities -- and have gained local administrator access."

"If these activities were simply capability tests for these actors then we would expect further probes and network reconnaissance in 2014," Galante continues. "If the ability to compromise a network was the ultimate goal of the actors’ mission, then we believe the actors would be satisfied with their current level of success. The analytic problem is that we don’t know what the actors’ end goal was, so currently either scenario is equally plausible. As stated in the report, we don’t have indications that these actors are particularly adept at developing tools nor do they have a discernible focus after they have compromised a network."

The Syrian Electronic Army (SEA), however, does appear to have a goal -- gaining the public's attention. The group has done this quite well. Since its inception in 2011, the SEA has successfully compromised more than 40 organizations, mainly websites and social media accounts belonging to major new agencies in the West, Mandiant reported.

"Mandiant’s observations of SEA activity over the course of 2013 revealed that the group used two tactics to gain access to victim organizations: sending phishing emails from internal accounts and, starting in August 2013, compromising service providers as a way to target victim organizations," according to the report. "Mandiant believes the SEA will continue to penetrate high-profile targets in an effort to increase publicity for the Syrian regime and demonstrate support for its embattled president, Bashar al-Assad. Although these SEA intrusions have resulted in little more than websites defaced with the SEA logo and images of Assad, they have nonetheless brought the group to the world’s attention. More significantly, they have increased fear of cyber compromise among governments and corporations alike."

The political attacks on news sites are part of an overall trend of attacks the firm observed during the year. Attacks on media and entertainment companies rose to 13% from 7% during 2012, according to the report.

"This uptick reflects the newer actors who have expanded the playing field," explains Galante. "Groups like the SEA… hit media targets to further a political agenda and probably with the hopes of gaining news coverage."

"2013 was an explosive year for the cybersecurity industry[,] a result of Mandiant’s APT1 report, The New York Times breach, and other organizations coming to the forefront to openly discuss their own incidents," blogged Helena Brito, social manager at Mandiant. "In addition, President Obama discussed concerns about cyber-attacks in his annual State of the Union address. This was a huge step for the industry in terms of bringing advanced attacks to the forefront of the nation, and the world’s, attention."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs01
50%
50%
securityaffairs01,
User Rank: Apprentice
4/14/2014 | 9:25:29 AM
Re: Transition from second-tier to first tier
I think that one of the most scaring results proposed by the report is that despite the number of days threat agents were present on a victim's network before detection is decreasing (14 days less than 2012), its median number is still high (229). This means that bad actors are able to remain undetected within networks of their victims for more than eight months. Amazing!

Regards

Pierluigi
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/13/2014 | 7:26:35 PM
Transition from second-tier to first tier
Interesting article. I think one thing to be aware of is the hierarchy of how these cyerattack regions are rated. If the SEA and Iranian based cyber attacks are non-customized and don't provide them prolonged access then we dictate them to be a tier 2. Rhetorically, how long until these entities refine their processes to become a tier-1 actor like China and Russia? I would say not too much longer. I think the most prevalent question here is, how to hinder their activity before they reach that point? Any thoughts on methods to slow their detrimental expansion?
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.