Of the four new advanced persistent threat (APT) groups christened by FireEye last year, three were out of Iran.
Mandiant, the incident response services arm of FireEye, witnessed a major increase in nation-state hacking activity by Iranian attackers in 2017, especially on the cyber espionage side of things. Iranian groups now are maintaining and keeping a foothold in victim organizations for months and sometimes years, demonstrating their sophistication, according to Mandiant's newly published M Trends Report on its incident investigations in 2017.
"In a way, it felt like Iran was the new China," notes Charles Carmakal, a vice president at Mandiant. "There were so many Chinese threat actors in operations [in previous years], it felt like everyone had at least one Chinese actor" attacking them, he notes.
This time, it was Iran, which was one of the most prolific and pervasive nation states last year, he says. "In 2017, it felt like Iran was all over the place."
Security researchers and incident responders from various organizations have been well aware of Iran's increasing sophistication and expansion of its cyber operations. It's come a long way from its unsophisticated yet effective distributed denial-of-service (DDoS) hacktivist-style attack MO that came to a head in late 2011 through 2013, when a DDoS campaign crippled US bank networks. The DDoS campaign hit a crescendo in September of 2012, in some cases reaching 140 gigabits per second of unwanted data traffic to the banks' networks, leaving hundreds of thousands of banking customers unable to access their bank accounts online. The attacks cost victims tens of millions of dollars.
"When I first started tracking Iran groups in 2012, it felt like we were dealing with a bunch of amateurs with no real technical capability. They could have been confused with Anonymous … their weapon of choice was DDoS," Carmakal says. "Today, they’ve figured out how to organize, fund, and develop tools and are very successful in their offensive operations."
Adam Meyers, vice president of intelligence at CrowdStrike, says it's not so much that Iran is employing more sophisticated cyberattack weapons: they are just more savvy in how they employ them. "It's the sophistication around their tradecraft, methodologies, and operations," he says. "Their weapons are not that much more advanced. It's the way they use them [now]."
Iranian attackers in 2012 deployed the data-destruction Shamoon attacks on two Middle East targets, including Saudi Aramco, which were the first signs of a more aggressive and evolving Iranian threat, he says. Today, the geopolitical cloud of questions over whether the US will continue the Iranian nuclear deal or reinstitute sanctions against Iran could ultimately elicit more destructive attacks against US financial organizations if things don't go Iran's way. "If they want to hurt us, they want to go after financial" institutions, Meyers says.
Mandiant now considers Iranian nation-state groups on par with other nation-states in terms of the pace and scale of their attacks, including Web server attacks that compromise multiple victims at once. "Rather than relying on publicly available malware and utilities, they develop and deploy custom malware. When they are not carrying out destructive attacks against their targets, they are conducting espionage and stealing data like professionals," according to the M Trends Report.
Carmakal says it's known that some Iranian groups have access to Western organizations, so the US could be next in line as a target of a destructive-type attack from Iran.
That's something that Tom Kellermann, chief cybersecurity officer at Carbon Black, is predicting will occur in the wake of the Trump administration's tough rhetoric and possible policy changes against Iran. "Iran and North Korea never had true A teams," he says, but Iran's operations have evolved and could well be turned on US targets in the near term.
Iran's destructive bent is where it's very different from Chinese APTs, which typically focus on cyber espionage and stealing intellectual property.
Mandiant investigated a security incident targeting an energy company early last year that illustrated Iran's more strategic cyber espionage capabilities. APT35 – aka Newscaster and newly added to Mandiant's list of APT groups – was the culprit. APT35 typically gathers intel from US and Middle Eastern military, as well as diplomatic, government, media, energy, defense industrial base, engineering, business services, and telecommunications sector targets.
In the energy company attack, APT35 infected the target via a spear-phishing email with a link to a phony resume hosted on a compromised but legitimate website. The resume delivered the PUPYRAT backdoor, and the attackers then dropped a custom backdoor called BROKEYOLK onto the compromised system, which let them use the victim's VPN credentials to log into company systems. In all, APT35 stole credentials from 500 systems in the victim's network.
The hackers also used Microsoft Exchange Client Access "cmdlets" to alter mailbox permissions in the target's email system and remain under the radar in the organization's Outlook Web Access portal. "Mandiant observed that the attacker had granted compromised accounts read access to hundreds of mailboxes with the 'Add-MailboxPermission' cmdlet," Mandiant said in its report.
That was all APT35 needed to read emails and steal data on Middle East organizations that they later targeted in data-destruction attacks, according to Mandiant.
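The mailbox-permission tradecraft Mandiant describes leaves a durable artifact: explicit, non-inherited access entries on each mailbox, plus an admin audit log record for every Add-MailboxPermission call. The following hunting script is an added example written for this article; it is not code from Mandiant, Dark Reading or Microsoft. It assumes an on-premises Exchange Management Shell session with admin audit logging enabled, and the lookback window and "more than 10 mailboxes" threshold are assumed tuning values, not figures from the report.

```powershell
# Added hunting example for the Add-MailboxPermission abuse described above.
# Assumes an on-premises Exchange Management Shell; the cmdlets used here are
# standard Exchange cmdlets, but the thresholds below are assumptions.

param(
    [int]$LookbackDays = 90,       # assumed audit-log search window
    [int]$MailboxThreshold = 10    # assumed: one grantee on >= 10 mailboxes is worth a look
)

# 1. Inventory explicit (non-inherited) permission grants on every mailbox.
#    Add-MailboxPermission leaves exactly this kind of entry behind; default
#    SELF and other built-in principals are filtered out as expected noise.
$grants = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\*' -and
        $_.User -notlike 'S-1-5-*'          # orphaned SIDs, not live grantees
    } |
    Select-Object Identity, User, AccessRights

# 2. Group by grantee. A single account holding read/full access to many
#    mailboxes is the pattern from the APT35 case (hundreds of mailboxes
#    granted to a few compromised accounts).
$suspects = $grants | Group-Object User |
    Where-Object { $_.Count -ge $MailboxThreshold } |
    Sort-Object Count -Descending

foreach ($s in $suspects) {
    [pscustomobject]@{
        Grantee         = $s.Name
        MailboxCount    = $s.Count
        AccessRights    = ($s.Group.AccessRights | Sort-Object -Unique) -join ','
        SampleMailboxes = ($s.Group.Identity | Select-Object -First 5) -join ';'
    }
}

# 3. Corroborate with the admin audit log: who ran Add-MailboxPermission,
#    when, and against which mailbox. Unexplained callers, or grants made
#    outside change windows, are the follow-up items for the IR team.
Search-AdminAuditLog -Cmdlets Add-MailboxPermission `
    -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified,
        @{ n = 'Parameters'
           e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } }
```

Step 1 answers "who can read what right now", which is what matters for containment; step 3 answers "who made it so and when", which is what matters for scoping the intrusion. Running both is deliberate: an attacker who later removes the grants leaves nothing for step 1 to find, but the audit log entry from the original Add-MailboxPermission call survives.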
"Like Chinese [APTs], they stole gigabytes of data," Carmakal says. It wasn't clear why they stole some of the information, however, he says.
In addition to APT35, Mandiant also named two other Iranian threat groups officially last year, APT33 and APT34, plus one out of Vietnam, APT32 aka Ocean Lotus.
Another telling trend from Mandiant's IR cases: nearly half of its clients with at least one high-priority attack discovery were hit again within a year. Some 56% of all managed detection and response customers whose IR cases Mandiant investigated were hit again by the same threat group or another group going after the same data or goals.
"In our experience, a fair amount of organizations who are targeted and compromised will continue to be," Carmakal says. Nation-state attackers, for instance, don't give up once they've been kicked out of a target's network. "They want access to it again," so they update and enhance their attack methods over and over, he says.
Mandiant often finds multiple hacking teams inside a targeted organization. And it seems most are unaware that they are competing with one another for access and data in the target. "It's rare for them to be looking for evidence of other threat actors. We don't think they knew the others were in there" too, he says. "They might know they have competition," however.
And in a bit of positive news, Mandiant found in its 2017 IR engagements that victim organizations are getting better at detecting attacks on their own, rather than relying on third parties to alert them. The median time for internal detection was 57.5 days for organizations around the world, down from 80 days in 2016. And 62% of attacks last year were detected internally, up from 53% in 2016.
"This is important because our data shows that incidents identified internally tend to have a much shorter dwell time," the report says.
On the flip side: worldwide, the median dwell time from compromise to discovery went up to 101 days, from 99 in 2016.