Threat Intelligence
2/16/2017
08:34 PM

Iran Intensifies Its Cyberattack Activity

Middle East targets - namely Saudi Arabia - are feeling the brunt of the attacks, but experts anticipate Iran will double down on hacking US targets.

RSA CONFERENCE – San Francisco – As all eyes are on Russia's coordinated hacking and propaganda efforts aimed at influencing elections in the US and some European nations, state-sponsored attackers out of Iran are quietly cranking up their cyber spying and data-destruction attacks.  

Most of Iran's targets over the past few months have been in the Middle East – namely its nemesis Saudi Arabia – but some security experts warn that the US indeed could be in the line of fire given the increasingly contentious geopolitical climate between the two nations.

Former national security advisor Michael Flynn's recent declaration that the US had put Iran "on notice" and subsequent anti-US protests and sentiment in Iran are the perfect recipe for an increase in cyber espionage and cyberattacks meant to destabilize or protest US policies on Iran, according to Adam Meyers, vice president of intelligence at CrowdStrike.

Meyers says Iran's nation-state hacking machine is more prolific than ever lately. "What's new is the level of activity we've seen, with dozens of targets in Saudi Arabia over the past two months," Meyers said in an interview here.

"One of the things we're tracking is if things escalate between the US and Iran, then we expect attacks will be likely in the financial sector" in the US in response, he said.

Iran's cyberattack operations also have matured and become more disciplined, he says. "They are showing more mature capabilities" and organization, Meyers explained. "In early 2010 to 2014, they were very open, disorganized, [as] small companies doing training and pen-testing and exploit development. Now they've aligned themselves into proper 'businesses'" working on attack campaigns, he said. "We don't see them talking [about their cyber activities] as openly as before. That's notable."

In 2012, hackers believed to be out of Iran launched the devastating Shamoon data-wiping attacks on Middle East petroleum giant Saudi Aramco, damaging or wiping the hard drives of some 25,000 computers. The following year, US banks suffered a massive wave of distributed denial-of-service (DDoS) attacks that US officials blamed on Iran.

Then Shamoon reappeared in November of last year and again in January of this year, with a slightly new version of the destructive malware, hitting thousands of computers across more than 10 government and civil organizations in Saudi Arabia and the Gulf States.

IBM's X-Force incident response services team, IRIS (Incident Response and Intelligence Services), here this week, revealed its findings on just how the new Shamoon malware was unleashed on its victims, something that had been mostly speculated on for some time, given the nature of data-wiping attacks that leave little forensic evidence behind.

The latest Shamoon attacks began with a spear phishing email sent to employees at the organizations being targeted in the attacks. With those emails came a Microsoft Word document rigged with a malicious macro that, when enabled by the victim, infected his or her machine. The macro launches PowerShell, giving the attackers remote command-line control of the machine, which lets them drop additional malware or gain privileged access to other systems on the victim's network.

Once the attackers have enough intel to find juicy targets on the network, they deploy Shamoon, which overwrites the hard drives and disables the affected computers.

Wendi Whitmore, global lead of IBM X-Force IRIS, said her team has mostly seen the new Shamoon campaign targeting Middle East organizations. "Right now, the biggest threat is really to the Middle East region, from what we've seen," she said in an interview here. IBM did not determine the initial attack vector of the 2012 Shamoon campaigns, she said.

Whitmore said she expects more Shamoon and destructive-type attacks to come. "Especially with how dynamic the political environment is now," she said.

Meanwhile, researchers from Palo Alto Networks Unit 42 team have spotted other targeted attacks on government, energy, and technology organizations mainly in Saudi Arabia or those that do business there. PAN calls the attack group "Magic Hound," noting that it may be somehow connected to the Iranian "Rocket Kitten" cyber espionage gang.

Unit 42 stopped short of tying these attacks to the Shamoon group. Rocket Kitten is best known for keylogging and other traditional cyber spying. Like the second Shamoon attacks, Magic Hound relies on malicious macros in Microsoft Office documents that call Windows PowerShell to wrest control of the victim machines.
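The macro-to-PowerShell hand-off that both the second Shamoon campaign and Magic Hound are described as using is a parent/child process relationship a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article, IBM or Palo Alto Networks; it assumes process-creation events exported as JSON lines with parent_image, image and command_line fields, and the sample events are constructed.

```python
import json
from typing import Dict, List

# Process names as they appear in Windows process-creation telemetry (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Command-line fragments typical of a macro handing off to PowerShell quietly.
SUSPICIOUS_ARGS = ("-encodedcommand", "-enc ", "-nop", "-w hidden",
                   "-windowstyle hidden", "downloadstring", "iex ")

def basename(path: str) -> str:
    """Return the lowercase file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_event(evt: Dict[str, str]) -> List[str]:
    """Reasons (possibly none) one process-creation event looks like an Office
    document handing control to a scripting host."""
    parent = basename(evt.get("parent_image", ""))
    child = basename(evt.get("image", ""))
    cmdline = evt.get("command_line", "").lower()
    reasons: List[str] = []
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        reasons.append(f"office-spawns-shell:{parent}->{child}")
    if child in SHELL_CHILDREN:
        hits = [a.strip() for a in SUSPICIOUS_ARGS if a in cmdline]
        if hits:
            reasons.append("suspicious-args:" + ",".join(hits))
    return reasons

def scan(jsonl: str) -> List[Dict[str, object]]:
    """Scan newline-delimited JSON events; return one alert per flagged event."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        evt = json.loads(line)
        reasons = flag_event(evt)
        if reasons:
            alerts.append({"host": evt.get("host"), "user": evt.get("user"), "reasons": reasons})
    return alerts

# Constructed sample telemetry: a benign Word launch, a macro-to-PowerShell
# hand-off with a placeholder encoded command, and a plain PowerShell session.
SAMPLE_EVENTS = r"""
{"host":"ws-01","user":"alice","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","command_line":"winword.exe invoice.docx"}
{"host":"ws-01","user":"alice","parent_image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -nop -w hidden -EncodedCommand QUJD"}
{"host":"ws-02","user":"bob","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The Office-parent rule fires only on the second event; the argument rule alone does not flag the interactive session on ws-02, which keeps the two signals separable for tuning.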

"The weaponized Office documents were found to be hosted either on what appeared to be compromised legitimate websites, or on websites using domain names similar to legitimate domain names in appearance," according to Unit 42's research. "The two legitimate websites we were able to identify were owned by organizations in the government and energy sectors. Based on the existence of these malicious files on the legitimate websites, it is highly probable that the websites had already been compromised in some fashion."

The initial attack vector was likely the old standby, spear phishing, according to the researchers.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Joe Stanganelli, User Rank: Ninja
2/21/2017 | 4:57:48 PM
Iran
These are pretty much all well-taken points, but the anti-US protests and sentiments in Iran are hardly new (despite news organizations, who have to report something, working to make it seem like they are).

Of course, the best course of action regardless is to remain ever vigilant.
blake.moore, User Rank: Author
2/23/2017 | 11:29:55 AM
Intent & Capability
I took particular note in the statement that the largest threat right now is to the Middle East region. That's fair, but the Iranian actors leverage both a capability and an intent to achieve a political objective. The intent can change very quickly to another target/country/industry based on geo-political dynamics. Although the current threat (capability + intent) may be to the Middle East, indicators should be closely watched in the event this dynamic begins to change. Infosec professionals can leverage analytic tradecraft to produce anticipatory cyber threat intelligence to help brunt a future attempt.