2/16/2017
08:34 PM
Iran Intensifies Its Cyberattack Activity

Middle East targets - namely Saudi Arabia - are feeling the brunt of the attacks, but experts anticipate Iran will double down on hacking US targets.

RSA CONFERENCE – San Francisco – As all eyes are on Russia's coordinated hacking and propaganda efforts aimed at influencing elections in the US and some European nations, state-sponsored attackers out of Iran are quietly cranking up their cyber spying and data-destruction attacks.

Most of Iran's targets over the past few months have been in the Middle East – namely its nemesis Saudi Arabia – but some security experts warn that the US indeed could be in the line of fire given the increasingly contentious geopolitical climate between the two nations.

Former national security advisor Michael Flynn's recent declaration that the US had put Iran "on notice" and subsequent anti-US protests and sentiment in Iran are the perfect recipe for an increase in cyber espionage and cyberattacks meant to destabilize or protest US policies on Iran, according to Adam Meyers, vice president of intelligence at CrowdStrike.

Meyers says Iran's nation-state hacking machine is more prolific than ever lately. "What's new is the level of activity we've seen, with dozens of targets in Saudi Arabia over the past two months," Meyers said in an interview here.

"One of the things we're tracking is if things escalate between the US and Iran, then we expect attacks will be likely in the financial sector" in the US in response, he said.

Iran's cyberattack operations also have matured and become more disciplined, Meyers says. "They are showing more mature capabilities" and organization, he explained. "In early 2010 to 2014, they were very open, disorganized, [as] small companies doing training and pen-testing and exploit development. Now they've aligned themselves into proper 'businesses' working on attack campaigns," he said. "We don't see them talking [about their cyber activities] as openly as before. That's notable."

In 2012, hackers believed to be out of Iran launched the devastating Shamoon data-wiping attacks on Middle East petroleum giant Saudi Aramco, damaging or wiping the hard drives of some 25,000 computers. The following year, US banks suffered a massive wave of distributed denial-of-service (DDoS) attacks that US officials blamed on Iran.

Then Shamoon reappeared in November of last year and again in January of this year, with a slightly new version of the destructive malware, hitting thousands of computers across more than 10 government and civil organizations in Saudi Arabia and the Gulf States.

IBM's X-Force incident response services team, IRIS (Incident Response and Intelligence Services), revealed here this week how the new Shamoon malware was delivered to its victims. Until now that had mostly been a matter of speculation, because data-wiping attacks leave little forensic evidence behind.

The latest Shamoon attacks began with a spear phishing email sent to employees at the targeted organizations. The email carried a Microsoft Word document rigged with a malicious macro that infected the recipient's machine once he or she enabled it. The macro launches PowerShell, giving the attackers remote command-line control of the machine, which lets them install additional malware or gain privileged access to other systems on the victim's network.

Once the attackers have enough intel to find juicy targets on the network, they deploy Shamoon, which overwrites the hard drives and disables the affected computers.

Wendi Whitmore, global lead of IBM X-Force IRIS, said her team has mostly seen the new Shamoon campaign targeting Middle East organizations. "Right now, the biggest threat is really to the Middle East region, from what we've seen," she said in an interview here. IBM did not determine the initial attack vector of the 2012 Shamoon campaigns, she said.

Whitmore said she expects more Shamoon and destructive-type attacks to come. "Especially with how dynamic the political environment is now," she said.

Meanwhile, researchers from Palo Alto Networks' Unit 42 team have spotted other targeted attacks on government, energy, and technology organizations, mainly in Saudi Arabia or those that do business there. PAN calls the attack group "Magic Hound," noting that it may be somehow connected to the Iranian "Rocket Kitten" cyber espionage gang.

Unit 42 stopped short of tying these attacks to the Shamoon group. Rocket Kitten is best known for keylogging and other traditional cyber spying. Like the second Shamoon attacks, Magic Hound relies on malicious macros in Microsoft Office documents that call Windows PowerShell to wrest control of the victim machines.
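Both the new Shamoon campaign and Magic Hound are described above as using the same delivery pattern: a macro in an Office document that launches PowerShell. As an added illustration (not code from the article, IBM X-Force IRIS, or Unit 42), the following Python sketch shows how a defender can flag that pattern in process-creation telemetry. The pipe-delimited log format, the field names, and the sample events are constructed for this example.

```python
from __future__ import annotations
import re

# Constructed process-creation events in a Sysmon-like "Key=Value|Key=Value" form.
# These are illustrative, not telemetry from the incidents in the article.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoP -W Hidden -Enc <base64-placeholder>",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe Get-Process",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /c whoami",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell switches commonly used to hide a window or run an encoded script.
EVASIVE_FLAGS = re.compile(
    r"(?i)-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden"
    r"|-nop(?:rofile)?\b|-ex(?:ec|ecutionpolicy)\s+bypass"
)


def parse_event(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' line into a field dictionary."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (number of findings, human-readable reasons) for one event."""
    reasons: list[str] = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in OFFICE_APPS and child in SHELLS:
        reasons.append(f"office app {parent} spawned {child}")
        if child in ("powershell.exe", "pwsh.exe"):
            flags = [m.group(0) for m in EVASIVE_FLAGS.finditer(event.get("CommandLine", ""))]
            if flags:
                reasons.append("evasive PowerShell flags: " + ", ".join(flags))
    return len(reasons), reasons


def detect(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line index, reasons) for every event that should raise an alert."""
    alerts = []
    for i, line in enumerate(lines):
        score, reasons = score_event(parse_event(line))
        if score:
            alerts.append((i, reasons))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags the Word-spawned hidden, encoded PowerShell and the Excel-spawned cmd.exe, while the PowerShell launched from Explorer is left alone.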

"The weaponized Office documents were found to be hosted either on what appeared to be compromised legitimate websites, or on websites using domain names similar to legitimate domain names in appearance," according to Unit 42's research. "The two legitimate websites we were able to identify were owned by organizations in the government and energy sectors. Based on the existence of these malicious files on the legitimate websites, it is highly probable that the websites had already been compromised in some fashion."

The initial attack vector was likely the old standby, spear phishing, according to the researchers.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Joe Stanganelli (User Rank: Ninja), 2/21/2017 4:57:48 PM
Iran
These are pretty much all well-taken points, but the anti-US protests and sentiments in Iran are hardly new (despite news organizations, who have to report something, working to make it seem like they are).

Of course, the best course of action regardless is to remain ever vigilant.