Operation Saffron Rose

Ajax Security Team which has been targeting both US defense companies as well as those in Iran is using popular anti-censorship tools to bypass internet censorship controls in the country.

This group which has its roots in popular Iranian hacker forums such as Ashiyane and Shabgard, has engaged in website defacements since 2010. However by 2014 this group is transitioned to malware-based espionage with use of methodology consistent with other advanced persistent threats in this region.

It is unclear if the Ajax Security Team operates in isolation or is part of a larger coordinated effort. We observed this group uses varied social engineering tactics to lure targets to infect themselves with malware. They use malware tools that do not appear to be publicly available. Although we did not see the use of to infect victims, members of the Ajax Security Team previously used exploit code in web site defacement operations.

The objectives of this group are consistent with Iran’s efforts to control political dissent and expand offensive cyber capabilities but we believe that members of the group may also be involved in traditional cybercrime. This indicates that there is a considerable gray area between the cyber espionage capabilities of Iran hacker groups and any direct Iranian government or military involvement.

Although the Ajax Security Team’s capabilities remain unclear, we believe that their current operations are somewhat successful. We assess that if these actors continued the current pace of their operations they will improve their capabilities in the mid-term.