Perimeter

4/4/2018
11:35 AM
Iran 'the New China' as a Pervasive Nation-State Hacking Threat

Security investigations by incident responders at FireEye's Mandiant in 2017 found more prolific and sophisticated attacks out of Iran.

Of the four new advanced persistent threat (APT) groups christened by FireEye last year, three were out of Iran.

Mandiant, the incident response services arm of FireEye, witnessed a major increase in nation-state hacking activity by Iranian attackers in 2017, especially on the cyber espionage side. Iranian groups now maintain a foothold in victim organizations for months and sometimes years, demonstrating their sophistication, according to Mandiant's newly published M-Trends Report on its incident investigations in 2017.

"In a way, it felt like Iran was the new China," notes Charles Carmakal, a vice president at Mandiant. "There were so many Chinese threat actors in operations [in previous years], it felt like everyone had at least one Chinese actor" attacking them, he notes.

This time, it was Iran, which was one of the most prolific and pervasive nation states last year, he says. "In 2017, it felt like Iran was all over the place."

Security researchers and incident responders from various organizations have been well aware of Iran's increasing sophistication and the expansion of its cyber operations. It has come a long way from the unsophisticated yet effective distributed denial-of-service (DDoS), hacktivist-style attack MO that came to a head from late 2011 through 2013, when a DDoS campaign crippled US bank networks. That campaign hit a crescendo in September 2012, in some cases pushing 140 gigabits per second of unwanted traffic at the banks' networks and leaving hundreds of thousands of banking customers unable to access their accounts online. The attacks cost victims tens of millions of dollars.

"When I first started tracking Iran groups in 2012, it felt like we were dealing with a bunch of amateurs with no real technical capability. They could have been confused with Anonymous … their weapon of choice was DDoS," Carmakal says. "Today, they’ve figured out how to organize, fund, and develop tools and are very successful in their offensive operations."

Adam Meyers, vice president of intelligence at CrowdStrike, says it's not so much that Iran is employing more sophisticated cyberattack weapons: they are just more savvy in how they employ them. "It's the sophistication around their tradecraft, methodologies, and operations," he says. "Their weapons are not that much more advanced. It's the way they use them [now]."

Iranian attackers in 2012 deployed the data-destroying Shamoon attacks on two Middle East targets, including Saudi Aramco, which were the first signs of a more aggressive and evolving Iranian threat, he says. Today, the geopolitical cloud of questions over whether the US will continue the Iranian nuclear deal or reinstitute sanctions against Iran could ultimately elicit more destructive attacks against US financial organizations if things don't go Iran's way. "If they want to hurt us, they want to go after financial" institutions, Meyers says.

Mandiant now considers Iran nation-state groups on par with other nation-states in terms of the pace and scale of their attacks, including employing Web server attacks that gather multiple victims. "Rather than relying on publicly available malware and utilities, they develop and deploy custom malware. When they are not carrying out destructive attacks against their targets, they are conducting espionage and stealing data like professionals," according to the M Trends Report.

Carmakal says it's known that some Iranian groups have access to Western organizations, so the US could be next in line as a target of a destructive attack from Iran.

That's something that Tom Kellermann, chief cybersecurity officer at Carbon Black, is predicting will occur in the wake of the Trump administration's tough rhetoric and possible policy changes against Iran. "Iran and North Korea never had true A teams," he says, but Iran's operations have evolved and could well be turned on US targets in the near term.

Iran's destructive bent is where it's very different from Chinese APTs, which typically focus on cyber espionage and stealing intellectual property.

APT35

Mandiant investigated a security incident targeting an energy company early last year that illustrated Iran's more strategic cyber espionage capabilities. APT35 – aka Newscaster and newly added to Mandiant's list of APT groups – was the culprit. APT35 typically gathers intel from US and Middle Eastern military, as well as diplomatic, government, media, energy, defense industrial base, engineering, business services, and telecommunications sector targets.

In the energy company attack, APT35 infected the target via a spear phishing email with a link to a phony resume hosted on a compromised but legitimate website. The resume was laced with the PUPYRAT backdoor, and the attackers then dropped a custom backdoor called BROKEYOLK onto the compromised system, which allowed them to use the victim's VPN credentials to log into company systems. In all, APT35 stole credentials from 500 systems in the victim's network.

The hackers also used Microsoft Exchange Client Access "cmdlets" to alter mailbox permissions in the target's email system and remain under the radar in the organization's Outlook Web Access portal. "Mandiant observed that the attacker had granted compromised accounts read access to hundreds of mailboxes with the 'Add-MailboxPermission' cmdlet," Mandiant said in its report.

That was all APT35 needed to read emails and steal data on Middle East organizations that they later targeted in data-destruction attacks, according to Mandiant.
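An added defensive check, not from the article or from Mandiant's report: a PowerShell fragment for the on-premises Exchange Management Shell that flags any single identity holding explicit access to an unusually large number of mailboxes (the pattern described above) and then pulls the matching Add-MailboxPermission entries from the admin audit log. The $Threshold value is an assumed tuning parameter, not a figure from the article.

```powershell
# Added example: hunt for one account granted access to many mailboxes.
# Run from the Exchange Management Shell with View-Only Organization
# Management (or higher) rights. $Threshold is an assumed tuning value.
$Threshold = 25

# Collect explicit (non-inherited, non-deny) grants on every mailbox,
# skipping the built-in SELF / NT AUTHORITY entries and orphaned SIDs.
$grants = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\*' -and
        $_.User -notlike 'S-1-5-*' -and
        ($_.AccessRights -contains 'FullAccess' -or
         $_.AccessRights -contains 'ReadPermission')
    }

# Group by grantee; any identity with more than $Threshold mailboxes
# is the "read access to hundreds of mailboxes" pattern worth triaging.
$suspects = $grants |
    Group-Object -Property { $_.User.ToString() } |
    Where-Object { $_.Count -gt $Threshold } |
    Sort-Object -Property Count -Descending

foreach ($s in $suspects) {
    Write-Output ("{0} holds explicit access to {1} mailboxes" -f $s.Name, $s.Count)
}

# Cross-check who issued the grants and when. Admin audit logging must be
# enabled; the default retention is 90 days, so look back that far.
Search-AdminAuditLog -Cmdlets Add-MailboxPermission -StartDate (Get-Date).AddDays(-90) |
    Select-Object RunDate, Caller, ObjectModified,
        @{ n = 'Parameters'
           e = { ($_.CmdletParameters |
                  ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } } |
    Sort-Object -Property RunDate |
    Format-Table -AutoSize
```

A grantee that appears in $suspects but whose grants were issued by an account that is not a known mailbox administrator, or outside change windows, is the lead to follow into the VPN and OWA logs.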

"Like Chinese [APTs], they stole gigabytes of data," Carmakal says. It wasn't clear why they stole some of the information, however, he says.

In addition to APT35, Mandiant also named two other Iranian threat groups officially last year, APT33 and APT34, plus one out of Vietnam, APT32 aka Ocean Lotus.

Whack-A-Mole

Another telling trend from Mandiant's IR cases: nearly half of its clients with at least one high-priority attack discovery were hit again within a year. Some 56% of all managed detection and response customers whose IR cases Mandiant investigated were hit again by the same threat group or another group going after the same data or goals.

"In our experience, a fair amount of organizations who are targeted and compromised will continue to be," Carmakal says. Nation-state attackers, for instance, don't give up once they've been kicked out of a target's network. "They want access to it again," so they update and enhance their attack methods over and over, he says.

Mandiant often finds multiple hacking teams inside a targeted organization. And it seems most are unaware that they are competing with one another for access and data in the target. "It's rare for them to be looking for evidence of other threat actors. We don't think they knew the others were in there" too, he says. "They might know they have competition," however.

And in a bit of positive news, Mandiant found in its 2017 IR engagements that victim organizations are getting better at detecting attacks on their own, rather than relying on third parties to alert them. The median time for internal detection was 57.5 days for organizations around the world, down from 80 days in 2016. And 62% of attacks last year were detected internally, up from 53% in 2016.

"This is important because our data shows that incidents identified internally tend to have a much shorter dwell time," the report says.

On the flip side: worldwide, the median dwell time from compromise to discovery went up to 101 days, from 99 in 2016.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.