
3/29/2018
12:30 PM
Cameron Ero
Commentary

Deconstructing the DOJ Iranian Hacking Indictment

The alleged attackers used fairly simple tools, techniques and procedures to compromise a new victim organization on an almost weekly basis for over five years.

On March 23, the United States Justice Department unsealed an indictment against nine attackers operating out of Iran, believed to be working on behalf of the Iranian government. The indictment outlined the tools and techniques used, who was targeted, what the attackers were after, and how successful they were in compromising their targets.

More importantly, we learned that the defendants are purported to have run an incredibly successful campaign over a five-year period using fairly simple techniques to gain access to a variety of primarily academic targets. The indictment does not discuss anything related to exploits, compromised computers, malware, or any other technical tools or techniques commonly associated with breaches. It appears that the attackers were able to accomplish all of their objectives using a combination of tailored spearphishing messages utilizing open source information from the Internet and automated password spraying. Their end goal appears to be to gain control of the user accounts of individuals in order to harvest intellectual property. Let's dig in.

Campaign Scope
According to the newly unsealed indictment, these attackers conducted "coordinated cyber intrusions into computer systems belonging to at least approximately 144 United States based universities...176 universities located in 21 foreign countries...at the behest of the Government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC)." These attacks have been ongoing since approximately 2013.

The attackers also targeted a number of federal and state agencies, including the United Nations, the Federal Energy Regulatory Commission, and two state governments (Hawaii and Indiana), as well as private organizations ranging across almost a dozen different business verticals, from biotechnology to stock image sales. According to the indictment, the attackers were able to compromise five agencies, 47 private sector companies, and two nongovernmental organizations (NGOs).

According to the indictment, the group attacked not one but two private organizations that deal in online automobile sales and a company that specializes in food and beverages — companies that likely never considered that they'd be the target of attackers working for the Iranian military. The reality is that nation-state-sponsored attackers are not just looking for state secrets but also intellectual property (IP) or personally identifiable information. As such, all organizations need to take appropriate precautions to protect themselves and follow best practices — such as strong password policies and multifactor authentication — for security.

Attacker TTPs
According to the indictment, the hackers used tools, techniques, and procedures (TTPs) commonly associated with advanced persistent threat actors to compromise the accounts of university professors. They started with reconnaissance of their targets using open source information from the Internet, focusing on academic interests and publications. They then followed up with tailored spearphishing emails from external email addresses, or from other compromised victims' email in-boxes. The objective of these spearphishing messages was to use social engineering to trick the professors into entering their credentials (in this case, username and password) into an attacker-controlled website masquerading as a legitimate domain.

To compromise private sector targets, the attackers utilized the technique of password spraying, in which, as described in the indictment, the defendants "first collected lists of names and email accounts associated with the intended victim company through open source internet searches. Then, they attempted to gain access to those accounts with commonly-used passwords...." According to the indictment, password spraying was the technique used against a number of federal and state agencies, as well as NGOs.

Neither of these techniques are particularly new or novel, but they have proven to be consistently effective. In the case of the universities, tailored spearphishing messages directing victims to fake login pages is difficult for defensive security (or "blue") teams to prevent. A critical control here would be to add a second authentication factor (also called multifactor authentication or MFA) for all logins, which would render the stolen username/password credentials much less valuable. It's important to enforce MFA across all accounts and not just selectively because attackers will usually find the weak link if one exists.

The attackers also purportedly utilized email forwarding rules to forward all sent and received messages from the victim mailbox to mailboxes they controlled. This is important because even if a victim organization later deployed MFA controls to prevent access to the in-box itself, the attackers would still have access to the contents of the victim's in-box and the communications of the victim. Also, if the victim organization decided to allow an email one-time passcode as a secondary authentication factor, the email-forwarding rules would have allowed the attackers to regain access.
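One way a blue team can hunt for the forwarding-rule persistence described above is to audit exported mailbox rules for external destinations and for actions that hide the copy from the owner. This is an added example, not code from the article or from any mail platform; the rule export format, field names and sample rules are constructed assumptions.

```python
# Constructed sample export of mailbox rules. The field names are an
# assumption for illustration, not any particular mail platform's schema.
SAMPLE_RULES = [
    {"mailbox": "prof.a@university.example", "name": "Archive newsletters",
     "conditions": {"from": "news@publisher.example"},
     "actions": {"move_to": "Archive"}},
    {"mailbox": "prof.b@university.example", "name": ".",
     "conditions": {},
     "actions": {"forward_to": ["drop.box@webmail.example"],
                 "mark_read": True, "delete": True}},
    {"mailbox": "prof.c@university.example", "name": "Copy to assistant",
     "conditions": {},
     "actions": {"forward_to": ["assistant@university.example"]}},
]

def external_targets(actions, internal_domains):
    """Addresses in forward/redirect actions whose domain is not one of ours."""
    targets = actions.get("forward_to", []) + actions.get("redirect_to", [])
    return [a for a in targets
            if a.rsplit("@", 1)[-1].lower() not in internal_domains]

def audit_rules(rules, internal_domains):
    """Return findings for rules that copy mail out of the organization.

    Each finding lists why the rule is suspicious: external destination,
    no conditions (every message goes out), and actions that hide the copy
    from the mailbox owner. Internal forwards are ignored as normal use.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        external = external_targets(actions, internal)
        if not external:
            continue
        reasons = ["forwards to external address(es): " + ", ".join(external)]
        if not rule.get("conditions"):
            reasons.append("no conditions, so every message is forwarded")
        if actions.get("delete") or actions.get("mark_read"):
            reasons.append("deletes or marks read, hiding the copy from the owner")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        findings.append({"mailbox": rule["mailbox"], "reasons": reasons})
    return findings
```

Run the audit on a full export after any credential reset, since removing the attacker's password access does nothing about a rule that keeps copying mail out.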

Preventing password spraying requires a well-thought-out and consistently enforced password policy as well as using a second factor of authentication. Using MFA reduces the inherent risk of having a "guessable" password by requiring a second level of user verification, such as a push verification or one-time passcode that is not easy to guess or bypass. However, for organizations where MFA is not implemented or not globally implemented, enforcing a strong password policy is a must.
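The spraying pattern above (many accounts, one or two tries each) is invisible to per-account lockout but stands out when failed and successful logins are grouped by source within a time window. The following detection logic is an added example, not the author's or any vendor's code; the log format and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the indictment): one source
# tries a single guess against many accounts and gets into one; a second
# source is an ordinary user mistyping a password and then logging in.
SAMPLE_LOG = """\
2018-03-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2018-03-01T09:00:03Z src=203.0.113.5 user=bob result=FAIL
2018-03-01T09:00:05Z src=203.0.113.5 user=carol result=FAIL
2018-03-01T09:00:07Z src=203.0.113.5 user=dave result=FAIL
2018-03-01T09:00:09Z src=203.0.113.5 user=erin result=SUCCESS
2018-03-01T09:00:11Z src=203.0.113.5 user=frank result=FAIL
2018-03-01T09:05:00Z src=198.51.100.7 user=grace result=FAIL
2018-03-01T09:05:40Z src=198.51.100.7 user=grace result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse(log):
    """Yield (timestamp, source, user, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield (ts,) + m.groups()[1:]

def detect_spray(log, window=timedelta(minutes=30), min_users=5):
    """Flag sources that touched >= min_users distinct accounts inside one window.

    A spray is many accounts with one or two tries each, so per-account lockout
    never trips; grouping by source instead of by account is what exposes it.
    Returns {src: {"users": [...], "succeeded": [...]}}.
    """
    by_src = defaultdict(list)  # src -> [(ts, user, result)]
    for ts, src, user, result in parse(log):
        by_src[src].append((ts, user, result))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            hits = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in hits}
            if len(users) >= min_users:
                # accounts that accepted a guess are the ones to reset first
                ok = sorted({u for _, u, r in hits if r == "SUCCESS"})
                flagged[src] = {"users": sorted(users), "succeeded": ok}
                break
    return flagged
```

Tune the window and threshold to your own login volume; a shared egress address for a large campus will need a higher threshold than a small agency.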

Results: $3.4 Billion Worth of Stolen IP
The indictment makes several statements that describe the ultimate effectiveness of this campaign. Specifically, it alleges:

  • Theft of approximately 31.5TB of academic data and intellectual property valued at $3.4 billion
  • Successful compromise of approximately 320 universities globally
  • Control over the user accounts and/or email in-boxes of 8,000 professors (out of over 100,000 targeted, or a success rate of approximately 8%)
  • Successful compromise of 47 private organizations globally, as well as two NGOs
  • Successful compromise of five state or federal agencies in the US

In addition to turning over the stolen data to the IRGC, the attackers also sold the stolen intellectual property to third parties as well as access to the accounts of professors, which could then be used to access private university computer systems.

Based on stats from the indictment, the attackers were allegedly able to compromise a new victim organization on an almost weekly basis for over five years, with very little variation in TTPs or targeting. They ran a focused and seemingly very successful campaign over an extended period of time.

Lessons Learned
In this case, attackers were able to gain control over numerous identities who had access to extensive intellectual property and then maintain control over those identities for an extended period of time. These organizations sustained significant damage without any internal systems or networks being accessed.

Password-based, single-factor authentication is no longer a sufficient access control to systems containing sensitive or private information, a fact that is widely known but continues to be a huge weakness for organizations. In fact, in June 2017 NIST published a new set of password guidelines that support additional controls. They recommended that organizations ban commonly used passwords that are often compromised by password spraying. NIST also states outright that passwords are insufficient and must be supported by MFA.

Bottom line? Organizations need to adopt a comprehensive security strategy that covers not only physical assets like data centers or servers but also online identities and the user accounts that make up those identities. As for this group, it's likely that as long as their TTPs stay effective they will continue to compromise additional targets. The indictment itself is more of a political statement and doesn't significantly affect their ability to operate.


Cameron Ero is a security engineer based in San Francisco, currently working with Okta as part of their detection and response team. He has previously been a member of several blue teams including the Mandiant CIRT and the FireEye advanced detection team. Cameron is an ...