Iran 'the New China' as a Pervasive Nation-State Hacking Threat

Security investigations by incident responders at FireEye's Mandiant in 2017 found more prolific and sophisticated attacks out of Iran.

Of the four new advanced persistent threat (APT) groups christened by FireEye last year, three were out of Iran.

Mandiant, the incident response services arm of FireEye, witnessed a major increase in nation-state hacking activity by Iranian attackers in 2017, especially on the cyber espionage side of things. Iranian groups now are maintaining and keeping a foothold in victim organizations for months and sometimes years, demonstrating their sophistication, according to Mandiant's newly published M Trends Report on its incident investigations in 2017.

"In a way, it felt like Iran was the new China," notes Charles Carmakal, a vice president at Mandiant. "There were so many Chinese threat actors in operations [in previous years], it felt like everyone had at least one Chinese actor" attacking them, he notes.

This time, it was Iran, which was one of the most prolific and pervasive nation states last year, he says. "In 2017, it felt like Iran was all over the place."

Security researchers and incident responders from various organizations have been well aware of Iran's increasing sophistication and the expansion of its cyber operations. It has come a long way from the unsophisticated yet effective hacktivist-style distributed denial-of-service (DDoS) attacks that came to a head from late 2011 through 2013, when a DDoS campaign crippled US bank networks. That campaign hit a crescendo in September 2012, in some cases pushing 140 gigabits per second of unwanted traffic at the banks' networks and leaving hundreds of thousands of banking customers unable to access their accounts online. The attacks cost victims tens of millions of dollars.

"When I first started tracking Iran groups in 2012, it felt like we were dealing with a bunch of amateurs with no real technical capability. They could have been confused with Anonymous … their weapon of choice was DDoS," Carmakal says. "Today, they’ve figured out how to organize, fund, and develop tools and are very successful in their offensive operations."

Adam Meyers, vice president of intelligence at CrowdStrike, says it's not so much that Iran is employing more sophisticated cyberattack weapons: they are just more savvy in how they employ them. "It's the sophistication around their tradecraft, methodologies, and operations," he says. "Their weapons are not that much more advanced. It's the way they use them [now]."

Iranian attackers in 2012 deployed the data-destroying Shamoon attacks on two Middle East targets, including Saudi Aramco, which were the first signs of a more aggressive and evolving Iranian threat, he says. Today, the geopolitical cloud of questions over whether the US will continue the Iranian nuclear deal or reinstitute sanctions against Iran could ultimately elicit more destructive attacks against US financial organizations if things don't go Iran's way. "If they want to hurt us, they want to go after financial" institutions, Meyers says.

Mandiant now considers Iran nation-state groups on par with other nation-states in terms of the pace and scale of their attacks, including employing Web server attacks that gather multiple victims. "Rather than relying on publicly available malware and utilities, they develop and deploy custom malware. When they are not carrying out destructive attacks against their targets, they are conducting espionage and stealing data like professionals," according to the M Trends Report.

Carmakal says it's known that some Iranian groups have access to Western organizations, so the US could be next in line as a target of a destructive-type attack from Iran. 

That's something Tom Kellermann, chief cybersecurity officer at Carbon Black, predicts will occur in the wake of the Trump administration's tough rhetoric and possible policy changes against Iran. "Iran and North Korea never had true A teams," he says, but Iran's operations have evolved and could well be turned on US targets in the near term.

Iran's destructive bent is where it's very different from Chinese APTs, which typically focus on cyber espionage and stealing intellectual property.


Mandiant investigated a security incident targeting an energy company early last year that illustrated Iran's more strategic cyber espionage capabilities. APT35 – aka Newscaster and newly added to Mandiant's list of APT groups – was the culprit. APT35 typically gathers intel from US and Middle Eastern military, as well as diplomatic, government, media, energy, defense industrial base, engineering, business services, and telecommunications sector targets.

In the energy company attack, APT35 infected the target via a spear phishing email with a link to a phony resume that was hosted on a compromised, but legitimate website. The resume was infected with the PUPYRAT backdoor, and the attackers dropped a custom backdoor called BROKEYOLK onto the compromised system that allowed the attackers to use the victim's VPN credentials to log into their company systems. In all, APT35 stole credentials from 500 systems in the victim's network.

The hackers also used Microsoft Exchange Client Access "cmdlets" to alter mailbox permissions in the target's email system and remain under the radar in the organization's Outlook Web Access portal. "Mandiant observed that the attacker had granted compromised accounts read access to hundreds of mailboxes with the 'Add-MailboxPermission' cmdlet," Mandiant said in its report.

That was all APT35 needed to read emails and steal data on Middle East organizations that they later targeted in data-destruction attacks, according to Mandiant.
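The mailbox-permission abuse described above leaves a trail in the Exchange admin audit log, because every Add-MailboxPermission call is recorded with the caller, the target mailbox, and the account being granted access. The following is an added detection example, not code from the article or from Mandiant: it parses constructed audit records whose field names are assumed to mirror the output of Search-AdminAuditLog (RunDate, Caller, CmdletName, CmdletParameters, Succeeded) and flags any single account that accumulates permissions on many distinct mailboxes inside a short window, which is the pattern the report describes. The sample records, mailbox names and domain are all constructed.

```python
"""Flag bulk mailbox-permission grants in exported Exchange admin audit records.

Added example, not the article's or Mandiant's code. Record shape is an
assumption modelled on Search-AdminAuditLog output exported as JSON lines;
real exports will need their field names mapped to the ones used here.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _grant(run_date, caller, mailbox, grantee, rights="FullAccess"):
    """Build one constructed Add-MailboxPermission audit record."""
    return {
        "RunDate": run_date,
        "Caller": caller,
        "CmdletName": "Add-MailboxPermission",
        "CmdletParameters": [
            {"Name": "Identity", "Value": mailbox},
            {"Name": "User", "Value": grantee},
            {"Name": "AccessRights", "Value": rights},
        ],
        "Succeeded": True,
    }


# Constructed sample log (JSON lines):
#  - 40 grants to the same account from one admin session over 40 minutes
#  - one ordinary delegate grant by the help desk, days earlier
#  - one unrelated cmdlet that the detector must ignore
SAMPLE_LOG = "\n".join(json.dumps(r) for r in (
    [_grant(f"2017-02-14T02:{m:02d}:00", "CORP\\svc-exchange",
            f"user{m}@corp.example", "CORP\\jdoe") for m in range(40)]
    + [_grant("2017-02-10T09:15:00", "CORP\\helpdesk1",
              "ceo@corp.example", "CORP\\assistant")]
    + [{"RunDate": "2017-02-10T09:16:00", "Caller": "CORP\\helpdesk1",
        "CmdletName": "Set-Mailbox",
        "CmdletParameters": [{"Name": "Identity", "Value": "ceo@corp.example"}],
        "Succeeded": True}]
))


def parse_records(text):
    """Normalise JSON-lines audit records into flat dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        params = {p["Name"]: p["Value"] for p in raw.get("CmdletParameters", [])}
        records.append({
            "when": datetime.fromisoformat(raw["RunDate"]),
            "caller": raw["Caller"],
            "cmdlet": raw["CmdletName"],
            "mailbox": params.get("Identity"),
            "grantee": params.get("User"),
            "rights": params.get("AccessRights"),
            "ok": bool(raw.get("Succeeded")),
        })
    return records


def find_bulk_grants(records, window=timedelta(hours=24), threshold=10):
    """Return one finding per grantee that received access to at least
    `threshold` distinct mailboxes within any `window`-long span.

    Keyed on the grantee rather than the caller so that grants spread across
    several compromised admin accounts still add up to one finding.
    """
    grants = sorted(
        (r for r in records if r["cmdlet"] == "Add-MailboxPermission" and r["ok"]),
        key=lambda r: r["when"],
    )
    by_grantee = defaultdict(list)
    for r in grants:
        by_grantee[r["grantee"]].append(r)

    findings = []
    for grantee, events in by_grantee.items():
        start, best = 0, None
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end]["when"] - events[start]["when"] > window:
                start += 1
            span = events[start:end + 1]
            boxes = {e["mailbox"] for e in span}
            if len(boxes) >= threshold and (best is None or len(boxes) > best["mailboxes"]):
                best = {
                    "grantee": grantee,
                    "mailboxes": len(boxes),
                    "callers": sorted({e["caller"] for e in span}),
                    "first": span[0]["when"],
                    "last": span[-1]["when"],
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for hit in find_bulk_grants(parse_records(SAMPLE_LOG)):
        print(f"{hit['grantee']}: {hit['mailboxes']} mailboxes granted by "
              f"{', '.join(hit['callers'])} between {hit['first']} and {hit['last']}")
```

The threshold and window are tuning knobs: a help desk legitimately delegates a handful of mailboxes per day, so ten distinct mailboxes to one account inside a day is a reasonable starting point, and the finding lists every caller involved so the compromised admin credentials can be identified alongside the grantee.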

"Like Chinese [APTs], they stole gigabytes of data," Carmakal says. It wasn't clear why they stole some of the information, however, he says.

In addition to APT35, Mandiant also named two other Iranian threat groups officially last year, APT33 and APT34, plus one out of Vietnam, APT32 aka Ocean Lotus.


Another telling trend from Mandiant's IR cases: nearly half of its clients with at least one high-priority attack discovery were hit again within a year. Some 56% of all managed detection and response customers whose IR cases Mandiant investigated were hit again by the same threat group or another group going after the same data or goals.

"In our experience, a fair amount of organizations who are targeted and compromised will continue to be," Carmakal says. Nation-state attackers, for instance, don't give up once they've been kicked out of a target's network. "They want access to it again," so they update and enhance their attack methods over and over, he says.

Mandiant often finds multiple hacking teams inside a targeted organization. And it seems most are unaware that they are competing with one another for access and data in the target. "It's rare for them to be looking for evidence of other threat actors. We don't think they knew the others were in there" too, he says. "They might know they have competition," however.

And in a bit of positive news, Mandiant found in its 2017 IR engagements that victim organizations are getting better at detecting attacks on their own, rather than relying on third parties to alert them. The median time for internal detection was 57.5 days for organizations around the world, down from 80 days in 2016. And 62% of attacks last year were detected internally, up from 53% in 2016.

"This is important because our data shows that incidents identified internally tend to have a much shorter dwell time," the report says.

On the flip side: worldwide, the median dwell time from compromise to discovery went up to 101 days, from 99 in 2016.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
