Attacks/Breaches
4/11/2014
02:48 PM
Connect Directly
RSS
E-Mail
50%
50%

Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says

New report details the rise of suspected Iranian and Syrian-based cyber-attacks.

The worlds of politics and business often intersect in the physical world, and the realm of cyberspace is no different. This was probably no clearer than in 2013, which saw a number of politically motivated attacks against companies across the world. In a new report from Mandiant, now part of FireEye, researchers describe a threat landscape where political conflicts have spurred hackers into action in attacks against the private sector. But while much of the talk about cyberespionage and attacks on the US has often centered on China, increased activity by attackers with suspected links to Iran and Syria is increasingly catching the attention of security experts.

"Although Iran has long been considered a second-tier actor behind China and Russia, recent speculation has focused on Iran's interest in perpetrating offensive network attacks against critical infrastructure targets," according to the report. "Iran is widely suspected to have been behind the August 2012 malware infections that targeted the networks of two energy companies, Saudi Aramco and the Qatar-based RasGas. Industry observers suggested that the Iranian government sponsored the attack after an Iranian nuclear facility was infected with the Stuxnet virus, widely believed to have been the work of the U.S. and Israel."

The energy sector in fact was one of the principal targets of many of the attacks suspected to be linked to Iranian-based hackers. Compared to hacking activities tied to China, the attacks seem less sophisticated. In the case of the Iranian-based attacks, the hackers tend to use publically-available tools rather than customized ones. They are only able to maintain a presence on compromised networks for an average of 28 days, compared with 243. In addition, 75% of the breaches suspected to be tied to Iranian hackers were detected by the victims, as opposed to 33% of attacks linked to China.

"What we did observe was activity consistent with network reconnaissance," says Laura Galante, manager of threat intelligence at Mandiant. "These suspected Iran-based actors are able to compromise a network -- albeit relying on victim networks with outdated vulnerabilities -- and have gained local administrator access."

"If these activities were simply capability tests for these actors then we would expect further probes and network reconnaissance in 2014," Galante continues. "If the ability to compromise a network was the ultimate goal of the actors’ mission, then we believe the actors would be satisfied with their current level of success. The analytic problem is that we don’t know what the actors’ end goal was, so currently either scenario is equally plausible. As stated in the report, we don’t have indications that these actors are particularly adept at developing tools nor do they have a discernible focus after they have compromised a network."

The Syrian Electronic Army (SEA), however, does appear to have a goal -- gaining the public's attention. The group has done this quite well. Since its inception in 2011, the SEA has successfully compromised more than 40 organizations, mainly websites and social media accounts belonging to major new agencies in the West, Mandiant reported.

"Mandiant’s observations of SEA activity over the course of 2013 revealed that the group used two tactics to gain access to victim organizations: sending phishing emails from internal accounts and, starting in August 2013, compromising service providers as a way to target victim organizations," according to the report. "Mandiant believes the SEA will continue to penetrate high-profile targets in an effort to increase publicity for the Syrian regime and demonstrate support for its embattled president, Bashar al-Assad. Although these SEA intrusions have resulted in little more than websites defaced with the SEA logo and images of Assad, they have nonetheless brought the group to the world’s attention. More significantly, they have increased fear of cyber compromise among governments and corporations alike."

The political attacks on news sites are part of an overall trend of attacks the firm observed during the year. Attacks on media and entertainment companies rose to 13% from 7% during 2012, according to the report.

"This uptick reflects the newer actors who have expanded the playing field," explains Galante. "Groups like the SEA… hit media targets to further a political agenda and probably with the hopes of gaining news coverage."

"2013 was an explosive year for the cybersecurity industry[,] a result of Mandiant’s APT1 report, The New York Times breach, and other organizations coming to the forefront to openly discuss their own incidents," blogged Helena Brito, social manager at Mandiant. "In addition, President Obama discussed concerns about cyber-attacks in his annual State of the Union address. This was a huge step for the industry in terms of bringing advanced attacks to the forefront of the nation, and the world’s, attention."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs01
50%
50%
securityaffairs01,
User Rank: Apprentice
4/14/2014 | 9:25:29 AM
Re: Transition from second-tier to first tier
I think that one of the most scaring results proposed by the report is that despite the number of days threat agents were present on a victim's network before detection is decreasing (14 days less than 2012), its median number is still high (229). This means that bad actors are able to remain undetected within networks of their victims for more than eight months. Amazing!

Regards

Pierluigi
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/13/2014 | 7:26:35 PM
Transition from second-tier to first tier
Interesting article. I think one thing to be aware of is the hierarchy of how these cyerattack regions are rated. If the SEA and Iranian based cyber attacks are non-customized and don't provide them prolonged access then we dictate them to be a tier 2. Rhetorically, how long until these entities refine their processes to become a tier-1 actor like China and Russia? I would say not too much longer. I think the most prevalent question here is, how to hinder their activity before they reach that point? Any thoughts on methods to slow their detrimental expansion?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.