02:48 PM

Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says

New report details the rise of suspected Iranian and Syrian-based cyber-attacks.

The worlds of politics and business often intersect in the physical world, and the realm of cyberspace is no different. This was probably no clearer than in 2013, which saw a number of politically motivated attacks against companies across the world. In a new report from Mandiant, now part of FireEye, researchers describe a threat landscape where political conflicts have spurred hackers into action in attacks against the private sector. But while much of the talk about cyberespionage and attacks on the US has often centered on China, increased activity by attackers with suspected links to Iran and Syria is increasingly catching the attention of security experts.

"Although Iran has long been considered a second-tier actor behind China and Russia, recent speculation has focused on Iran's interest in perpetrating offensive network attacks against critical infrastructure targets," according to the report. "Iran is widely suspected to have been behind the August 2012 malware infections that targeted the networks of two energy companies, Saudi Aramco and the Qatar-based RasGas. Industry observers suggested that the Iranian government sponsored the attack after an Iranian nuclear facility was infected with the Stuxnet virus, widely believed to have been the work of the U.S. and Israel."

The energy sector in fact was one of the principal targets of many of the attacks suspected to be linked to Iranian-based hackers. Compared to hacking activities tied to China, the attacks seem less sophisticated. In the case of the Iranian-based attacks, the hackers tend to use publically-available tools rather than customized ones. They are only able to maintain a presence on compromised networks for an average of 28 days, compared with 243. In addition, 75% of the breaches suspected to be tied to Iranian hackers were detected by the victims, as opposed to 33% of attacks linked to China.

"What we did observe was activity consistent with network reconnaissance," says Laura Galante, manager of threat intelligence at Mandiant. "These suspected Iran-based actors are able to compromise a network -- albeit relying on victim networks with outdated vulnerabilities -- and have gained local administrator access."

"If these activities were simply capability tests for these actors then we would expect further probes and network reconnaissance in 2014," Galante continues. "If the ability to compromise a network was the ultimate goal of the actors’ mission, then we believe the actors would be satisfied with their current level of success. The analytic problem is that we don’t know what the actors’ end goal was, so currently either scenario is equally plausible. As stated in the report, we don’t have indications that these actors are particularly adept at developing tools nor do they have a discernible focus after they have compromised a network."

The Syrian Electronic Army (SEA), however, does appear to have a goal -- gaining the public's attention. The group has done this quite well. Since its inception in 2011, the SEA has successfully compromised more than 40 organizations, mainly websites and social media accounts belonging to major new agencies in the West, Mandiant reported.

"Mandiant’s observations of SEA activity over the course of 2013 revealed that the group used two tactics to gain access to victim organizations: sending phishing emails from internal accounts and, starting in August 2013, compromising service providers as a way to target victim organizations," according to the report. "Mandiant believes the SEA will continue to penetrate high-profile targets in an effort to increase publicity for the Syrian regime and demonstrate support for its embattled president, Bashar al-Assad. Although these SEA intrusions have resulted in little more than websites defaced with the SEA logo and images of Assad, they have nonetheless brought the group to the world’s attention. More significantly, they have increased fear of cyber compromise among governments and corporations alike."

The political attacks on news sites are part of an overall trend of attacks the firm observed during the year. Attacks on media and entertainment companies rose to 13% from 7% during 2012, according to the report.

"This uptick reflects the newer actors who have expanded the playing field," explains Galante. "Groups like the SEA… hit media targets to further a political agenda and probably with the hopes of gaining news coverage."

"2013 was an explosive year for the cybersecurity industry[,] a result of Mandiant’s APT1 report, The New York Times breach, and other organizations coming to the forefront to openly discuss their own incidents," blogged Helena Brito, social manager at Mandiant. "In addition, President Obama discussed concerns about cyber-attacks in his annual State of the Union address. This was a huge step for the industry in terms of bringing advanced attacks to the forefront of the nation, and the world’s, attention."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/14/2014 | 9:25:29 AM
Re: Transition from second-tier to first tier
I think that one of the most scaring results proposed by the report is that despite the number of days threat agents were present on a victim's network before detection is decreasing (14 days less than 2012), its median number is still high (229). This means that bad actors are able to remain undetected within networks of their victims for more than eight months. Amazing!


User Rank: Ninja
4/13/2014 | 7:26:35 PM
Transition from second-tier to first tier
Interesting article. I think one thing to be aware of is the hierarchy of how these cyerattack regions are rated. If the SEA and Iranian based cyber attacks are non-customized and don't provide them prolonged access then we dictate them to be a tier 2. Rhetorically, how long until these entities refine their processes to become a tier-1 actor like China and Russia? I would say not too much longer. I think the most prevalent question here is, how to hinder their activity before they reach that point? Any thoughts on methods to slow their detrimental expansion?
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-09
Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.

Published: 2015-10-09
The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.

Published: 2015-10-09
The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension, which has unspecified impact and attack vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.