Tuesday, December 19, 2017

The web is no safe house when it comes to protesting about violations of human rights in Iran:

Last month the UN General Assembly once again condemned Iran for its continuing and systematic violations of human rights. Sunday 10 December was United Nations Human Rights Day, and it was marked by protests such as those of Iranians living in Paris, which highlighted the terrible human rights record of the Islamic Regime.




The regime of the clerics is swift to identify and crush any such activities within Iran, but this hostility to human rights now appears to have spread to the web: the ClearSky report indicates that human rights activists have been specifically singled out and targeted by the Charming Kitten hackers. Are the hackers acting on direct orders from the regime, or are they acting on their own because they share the regime's views on human rights?

Monday, November 20, 2017

Mystery of the UK Parliament cyber-attack unsolved, as spotlight turns on Israel

Since my last post in October, there has been no confirmation of which group was behind the cyber-attack on Westminster, or of the role of the Iranian government in sponsoring or tasking the attackers (as noted in my last blog, The Times newspaper reported that the Iranian state was likely behind the attack). Since then, the Israeli General Nadav Padan, who is in charge of Israel's military network security, has spoken out about the growing number of attacks orchestrated by Iranian state-sponsored hackers against Israel. General Padan, Head of the IDF C4I and Cyber Defense Directorate, told the Reuters Cyber Security Summit that Iran is now responsible for many of the thousands of attacks carried out on Israel each day. The controversial nature of Israeli foreign policy continues to stimulate acts of retribution from the Arab states, and Iranian cyber-attacks will, at least to some extent, represent long-standing resentment caused by the Stuxnet attack, rumored to have been carried out jointly by Israel and the US in 2010. This is surely evidence that Iran is continuing to wage war in the cyber domain.



                       General Nadav Padan


Iran has featured heavily in the news of late. John Kerry (former US Secretary of State) recently rebuffed Donald Trump's claims that Iran is violating the Joint Comprehensive Plan of Action (JCPOA), arguing that there is no 'scientific basis' and 'no evidence' for Trump's claims, and that retaining the Iran nuclear deal is key to preventing a nuclear arms race in the Middle East. Whilst there may be no evidence to indicate that Iran is defying the terms of the nuclear deal, the USA remains a central target of Iranian cyber-attacks (see my earlier article: Iranian Hacking Threat to US if Nuclear Deal Collapses). However, the attack on the UK Parliament covered in last month's post demonstrates that Iranian hostility is not confined to the US and Israel; the governments of other Western states are also being targeted.


In the meantime, the people of Iran continue to suffer 'collateral damage', as they lose out from US government restrictions that prevent Iranians from hosting apps on the Apple and Google app stores. Iranians had previously been able to access and download Apple and Google software (as communications technology was exempt from the Iran embargo), and activists are putting pressure on the Office of Foreign Assets Control (OFAC) to return to the Obama administration's policy.


Sunday, October 15, 2017

UK Parliament Hacked By Iran



The United Kingdom (UK) Parliament appears to have been hacked by Iran. The cyber-attack of 23 June 2017 was a brute-force attack against some 9,000 parliamentary email accounts, including that of the UK Prime Minister Theresa May; in total, between 30 and 90 accounts belonging to members of Parliament were reportedly compromised.

The Times newspaper, which broke the story, said that this was Iran's first significant act of cyber-warfare against the UK, that it underlines Iran's emergence as one of the world's biggest cyber powers, and that Iran is highly capable of such attacks.

The timing of the publication is interesting, coming after US President Donald Trump signalled his intent to withdraw from the JCPOA (Joint Comprehensive Plan of Action) with Iran, which could threaten to re-instate sanctions against Iran. The UK, France and Germany do not agree with the USA on the matter. Without complete agreement, perhaps Iran will not suffer any new sanctions, as it appears that Iran has not violated the terms of the deal.


Iranian regime attack or amateur hackers?

The attack, which was originally suspected of coming from Russia, may have been carried out by amateur hackers. At the time of the attack in June, it was said that the attackers could only break into the email accounts of members of Parliament (MPs) that had simple, easy-to-guess passwords. As a security response at the time, remote access was cut so that MPs were unable to reach their accounts and had to communicate by SMS text instead. It now seems, however, that the regime may after all have been behind the attack.
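A brute-force run against thousands of mailboxes leaves a distinctive trace: one source address failing against many different accounts in a short window, with the odd success against an account whose password was weak. The following detector is an added example written for this post, not code from the original blog or from any of the parties it describes; the log format (`timestamp OK|FAIL user=<account> src=<ip>`) and the sample lines are constructed for the demonstration, and the thresholds are assumptions to be tuned against a real mail gateway's logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Parliament data). Hypothetical gateway format:
# "<ISO timestamp> <OK|FAIL> user=<account> src=<ip>"
SAMPLE_LOG = """\
2017-06-23T21:00:01Z FAIL user=alice src=203.0.113.5
2017-06-23T21:00:02Z FAIL user=bob src=203.0.113.5
2017-06-23T21:00:03Z FAIL user=carol src=203.0.113.5
2017-06-23T21:00:04Z FAIL user=dave src=203.0.113.5
2017-06-23T21:00:05Z OK   user=dave src=203.0.113.5
2017-06-23T21:00:06Z FAIL user=erin src=203.0.113.5
2017-06-23T21:00:07Z FAIL user=frank src=203.0.113.5
2017-06-23T21:05:00Z FAIL user=alice src=198.51.100.7
2017-06-23T21:05:30Z OK   user=alice src=198.51.100.7
2017-06-24T08:00:00Z FAIL user=bob src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse(log_text):
    """Return (timestamp, success, user, src) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"] == "OK", m["user"], m["src"]))
    events.sort()
    return events


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources that failed against >= min_accounts distinct users inside any `window`.

    For each flagged source, also report any account that logged in successfully from it,
    because a success from a spraying host is the candidate compromise."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, ok, user, _ in evs if not ok]
        peak, start, live = 0, 0, defaultdict(int)   # sliding window over failures
        for ts, user in fails:
            live[user] += 1
            while ts - fails[start][0] > window:     # drop failures that fell out of the window
                old = fails[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak >= min_accounts:
            findings[src] = {
                "peak_accounts_in_window": peak,
                "total_failures": len(fails),
                "successes": sorted({user for _, ok, user, _ in evs if ok}),
            }
    return findings


def compromised_accounts(findings):
    """Accounts that authenticated successfully from a flagged source: lock these first."""
    return {user for f in findings.values() for user in f["successes"]}


if __name__ == "__main__":
    result = detect_spray(SAMPLE_LOG)
    for src, info in result.items():
        print(src, info)
    print("lock and reset:", compromised_accounts(result))
```

The per-source window is what separates a spray from a single user mistyping a password: the second source in the sample fails once and then succeeds, which is normal, while the first cycles through six accounts in seven seconds. Rate-limiting and lockout on the gateway stop the run; the success list is what tells the incident team which mailboxes to reset and review.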

Reasons for the attack

The reasons for the attack are unknown (or at least the British intelligence services are not saying), but could be:
  • Exploratory activities: Iran may have been looking for UK data that it could use to force concessions from the UK, or that could compromise the interests of the UK
  • Iran may have been looking for a trade advantage
  • More worrying is the possibility that the IRGC (Iranian Revolutionary Guards Corps) may be seeking to undermine Iran's anti-nuclear-proliferation deal in order to get it scrapped; Iran could then restart its nuclear weapons research.
The IRGC are at odds with President Hassan Rouhani, whom they see as too pro-West, while the religious leader of the regime, Ayatollah Khamenei, is linked with the IRGC. There is therefore an ongoing rift between the religious and political leadership of Iran, partly due to Rouhani slashing the IRGC's budget to restrict its economic activities.



An uncertain future

In my previous article, I suggested that Iran may seek to increase cyber-attacks against the USA if the US walked away from the JCPOA. Now that President Trump appears to be doing that, even though Germany, the UK and France don't agree, we may see an escalation of the cyber war from Iran against the West.

Monday, October 2, 2017

Iranian Hacking Threat to USA if Nuclear Deal Collapses



Since the signing of the nuclear deal between the USA and Iran in 2015 (the Joint Comprehensive Plan of Action (JCPOA)), Iranian cyber attacks against the USA have dropped off. 

The U.S. and six partners began discussions with Iran in 2013 on lifting some economic sanctions in exchange for limits on Iran's nuclear programme, and since then Iranian hackers have largely reduced attacks against the U.S., focusing instead on industrial espionage and on hitting rival Middle Eastern countries. However, with U.S. President Donald Trump's threat to walk away from the deal, there are fears that Iran will restart cyber-attacks against the USA.

The cyber-security research company FireEye has produced a report identifying a suspected Iranian-government group that FireEye calls APT33 (APT means Advanced Persistent Threat, a label generally reserved for well-resourced, usually state-backed groups). APT33 has previously used spear-phishing to target companies involved in the petrochemical industry and in military and commercial aviation. Could APT33 or a similar group be ready to attack the U.S. if Trump quits the JCPOA?

A Short History of Iranian Cyber-attacks

  • 2010: It was suspected that the U.S. and Israel attacked Iran with the Stuxnet malware, damaging centrifuge control equipment at the Natanz uranium enrichment plant.
  • 2011-2013: In possible response to Stuxnet, Iranian actors ran the Operation Ababil DDoS (Distributed Denial of Service) campaign against over 45 major U.S. financial institutions. Seven Iranians linked to the ITSecTeam and Mersad groups were subsequently indicted in the U.S. for the DDoS attacks, which ran for a total of 176 days, and for the intrusion into the Bowman Avenue Dam in New York.
  • 2012: The Shamoon wiper, attributed to Iran, destroyed tens of thousands of computers at the Saudi Aramco oil company; FireEye has noted possible links between APT33 and this kind of destructive activity.
  • 2015: After the JCPOA, large-scale Iranian attacks against the U.S. dropped off, although this may also have been due to Iran's preoccupation with Syria and Yemen. APT33 nevertheless continued espionage against the U.S., South Korea and Saudi Arabia. In 2015, many Iranian hacking forums and hacker handles disappeared, probably because Iran realized it was under greater scrutiny.
  • 2016-2017: APT33 attacked Saudi and U.S. aerospace companies, along with a South Korean petrochemical company. In May 2017, APT33 attacked a Saudi organization and a South Korean company using malicious spear-phishing emails that lured victims with job vacancies at a Saudi petrochemical company.

The FireEye APT33 Report

FireEye state that APT33 sent its spear-phishing emails using the fake-mail module of an Iranian-developed web shell, ALFASHELL (ALFA TEaM Shell v2 - Fake Mail), written by the hacker Solevisible. The shell's default sender address is solevisible@gmail.com. It is not known whether Solevisible is linked with APT33.

APT33 registered domains masquerading as the following companies: Boeing, Alsalam Aircraft Company, Northrop Grumman Aviation Arabia, and Vinnell Arabia. APT33 used these domains to target victims with spear-phishing emails.
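Lookalike domains of this kind can be caught before a recipient ever reads the lure: a brand name embedded in a registered label with extra tokens, a digit swapped in for a letter, or a one-character typo. The classifier below is an added example written for this post; it is not code from FireEye or the blog, and the candidate domains it checks are constructed (using reserved `.example` names), not the domains APT33 actually registered, which this page does not list. The brand tokens and allowlist are assumptions for the demo; a production check would also use a public-suffix list rather than the naive second-level-label split used here.

```python
import re

# Brand tokens drawn from the company names above; lookalike patterns are matched against these.
BRANDS = ["alsalam", "boeing", "northropgrumman", "vinnell"]
# Assumed legitimate domains for the demo (allowlist match wins before any lookalike test).
ALLOWLIST = {"boeing.com", "northropgrumman.com"}
# Common digit/letter substitutions seen in typo-squats; applied before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def levenshtein(a, b):
    """Edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label):
    """Lower-case, undo homoglyph tricks, drop hyphens/digits: 'B0eing-Careers' -> 'boeingcareers'."""
    label = label.lower()
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return re.sub(r"[^a-z]", "", label)


def classify(domain):
    """Return ('legitimate'|'lookalike'|'unrelated', matched_brand_or_None)."""
    host = domain.lower().rstrip(".")
    if host in ALLOWLIST or any(host.endswith("." + a) for a in ALLOWLIST):
        return ("legitimate", None)
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]   # naive: no public-suffix list
    norm = normalize(registrable)
    for brand in BRANDS:
        if brand in norm:                               # brand embedded with extra tokens
            return ("lookalike", brand)
        if len(brand) >= 6 and levenshtein(norm, brand) <= 2:   # close typo of a long brand
            return ("lookalike", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed candidates, not APT33's real infrastructure.
    for d in ["boeing.com", "mail.boeing.com", "boeing-careers.example", "b0eing.example",
              "boing.example", "northropgrummanaviation.example", "alsalamaircraft.example",
              "example.org"]:
        print(f"{d:40} {classify(d)}")
```

The substring test is what catches the "brand plus a job-related word" pattern typical of recruitment lures; the edit-distance test is only applied to long brand tokens so that short words do not produce noise. Run the classifier over new-domain feeds and over sender domains in inbound mail, and treat a `lookalike` hit on a message carrying a job-vacancy attachment as a phishing indicator.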

FireEye identified the hacker handle xman_1365_x as the developer of a backdoor used by APT33. It appears that xman_1365_x was also a manager on the Barnamenevis Iranian programming and software engineering forum, and held accounts on the Iranian Shabgard and Ashiyane forums. The handle is also linked with the Nasr Institute, which is described as the equivalent of Iran's 'cyber army' and as controlled by the Iranian government. The Nasr Institute appears to be linked to the 2011-2013 DDoS attacks on the financial industry (Operation Ababil).

Further indications that Iran is behind APT33

  • A malware dropper used by APT33 and related to StoneDrill contains Farsi-language artifacts.
  • APT33's targeting of organizations involved in aerospace and energy is aligned with nation-state interests rather than those of cyber-criminal groups, implying that APT33 is probably government sponsored.
  • Iranian working hours: APT33's activity clustered around a UTC+04:30 offset (Iran's daylight-saving time; standard time is UTC+03:30), which strongly indicates Iran. APT33 largely operated on days that correspond to the Iranian working week (Saturday to Wednesday), and Iran is one of few countries that keeps a Saturday-to-Wednesday working week.
  • APT33 used popular Iranian hacker tools and the same DNS servers as other suspected Iranian hackers. The publicly available backdoors and tools it used (including NANOCORE, NETWIRE and ALFA Shell) are available on Iranian hacking websites, are associated with Iranian hackers, and are used by other suspected Iranian threat groups.
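The working-hours argument above can be reproduced on any set of timestamps an analyst collects (PE compile times, e-mail send times, C2 check-ins): shift the UTC times through each candidate offset and see which one packs the most activity into a normal working day and the Saturday-to-Wednesday week. The script below is an added example written for this post, not FireEye's tooling or data; the timestamps are constructed (generated at Tehran working hours with a couple of off-hours outliers), and the 08:00-17:00 working-day template is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 17      # assumed local working hours, [08:00, 17:00)
SAT_TO_WED = {5, 6, 0, 1, 2}      # datetime.weekday(): Mon=0 .. Sun=6; Iran works Sat-Wed
DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def build_sample_events():
    """Constructed sample (not real APT33 data): UTC timestamps of hypothetical compile or
    e-mail send events generated at Tehran local working hours on Sat-Wed, plus outliers."""
    tehran = timezone(timedelta(hours=4, minutes=30))   # Iran daylight time, in force in May
    events = []
    first = datetime(2017, 5, 6, tzinfo=tehran)         # Saturday 6 May 2017
    for d in range(14):
        day = first + timedelta(days=d)
        if day.weekday() in SAT_TO_WED:
            for hour, minute in ((8, 15), (10, 0), (13, 30), (16, 45)):
                events.append(day.replace(hour=hour, minute=minute).astimezone(timezone.utc))
    events.append(datetime(2017, 5, 8, 23, 0, tzinfo=tehran).astimezone(timezone.utc))   # late night
    events.append(datetime(2017, 5, 12, 11, 0, tzinfo=tehran).astimezone(timezone.utc))  # Friday
    return events


def in_working_template(local):
    """True if a local-time datetime falls inside the working-day and working-week template."""
    hour = local.hour + local.minute / 60
    return WORK_START <= hour < WORK_END and local.weekday() in SAT_TO_WED


def score_offset(events_utc, offset):
    """Fraction of events inside the template when viewed at the given UTC offset."""
    tz = timezone(offset)
    hits = sum(1 for e in events_utc if in_working_template(e.astimezone(tz)))
    return hits / len(events_utc)


def best_offset(events_utc):
    """Scan UTC-12:00 .. UTC+14:00 in 30-minute steps; return (offset, score) of the best fit."""
    candidates = [timedelta(minutes=30 * k) for k in range(-24, 29)]
    score, off = max(((score_offset(events_utc, o), o) for o in candidates), key=lambda t: t[0])
    return off, score


def weekday_profile(events_utc, offset):
    """Histogram of local weekdays at the given offset, to eyeball the Sat-Wed pattern."""
    tz = timezone(offset)
    return Counter(DAY_NAMES[e.astimezone(tz).weekday()] for e in events_utc)


if __name__ == "__main__":
    evs = build_sample_events()
    off, score = best_offset(evs)
    print(f"best fit: UTC{off.total_seconds() / 3600:+.1f} with {score:.0%} of events in template")
    print(weekday_profile(evs, off))
```

Two caveats a practitioner should keep in mind: the offset alone only narrows the region (UTC+04:30 is also Afghanistan's time zone, which is why the weekday pattern matters), and an operator can shift working hours or falsify compile timestamps, so this is supporting evidence to be combined with the tooling and infrastructure overlaps listed above, not proof on its own.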

Tuesday, August 15, 2017

IRGC and the Risks of Iranian Malware Development

IRGC

Recent articles have shown that the Iranian State has used the Shamoon malware, and the related StoneDrill and NewsBeef malware, to damage others. Far from glorifying Iran, the exposure of this activity by well-known companies such as Kaspersky Lab, the discussion on the Iranian Exploit Database (IEDB) forum and the articles on the Iran Cyber News Agency (ICNA) site have damaged its reputation.


IEDB

Iranian Cyber News Agency (ICNA)

Despite their attempts to hide their identities, simple investigations have revealed the identities of those involved within the IRGC at Imam Hossein University (IHU).


Imam Hossein University (IHU)


This is supposed to be a seat of learning, but it seems that the education of students there is for purposes other than knowledge. The IRGC officers who pose as professors and academics have put their hands in the hands of their masters. We have seen the State turn against its own with controls on the Internet. Are students there helping to suffocate the true Iranian voice?

Instead of serving the people of Iran, students can apply to trade off their military service by doing 'project' work. The IRGC claims to offer students an exchange of time spent on projects for a reduction in their military commitment, and the IHU provides the sites where students do this. What sort of exchange do students actually receive? Months of hard work for a few days' respite? Military service should be exactly this: protecting the people of Iran, not hiding away developing malware that has only served to show us in a bad light internationally and does not benefit the State.

It is far from unknown for the IRGC to make money from its work, and some of this malware development may be intended to extort money from victims to finance their own personal 'projects'. The ill-gotten gains will not be shared with the authors.

There are other Universities - University of Tehran, Iran University of Science and Technology, and Sharif University of Technology, that are not so closely linked to the State, where studies can be conducted without the shadow that hangs over the Imam Hossein University.

Already, people are being sought for arrest by foreign nations because of their work for the State against others. Last year the Americans indicted the ITSec Team, and again this year they indicted other actors, Ajily and Rezakhah, for their hacking. With the publication of the recent articles we are sure that the attention of the West will be focused even more closely on Iran. This work is linked back to the IHU, so how long will it be before others are exposed?

The risks of working for the Iranian State

It may be that in the future Iranians will be freer to travel and work overseas; already we see that Russia is keen to allow visa-free travel to Iranians. If those involved in this malware work are identified, they will be denied the opportunities this would bring them and their families. Travelling overseas, individuals would be at risk of being diverted to an airport in a country with an extradition agreement with the U.S. Students could then be arrested and sent to face justice in the U.S. courts. They must realize that they are jeopardizing their futures...

Not only is it their futures at stake; President Rouhani has worked hard to lift sanctions on Iran. Can it be that the IRGC will use students to bring down a new round of punishment for all citizens?

CNN has recently suggested that Iranian cyber actors are using LinkedIn to target U.S. nationals. The U.S. will not stand idly by, as we know from the past. Only last month, new sanctions were put in place by the U.S. Congress.

The selfish actions of a few will affect the many. If blame is sought from within, will the IRGC shoulder the responsibility, or will they suggest that students had acted on their own and leave them to face the resulting severe penalties and national shame?




Thursday, August 10, 2017

Iranians Indicted by FBI for Credit Card Fraud and Computer Hacking


A superseding indictment was unsealed on 8 August 2017 charging the Iranian hackers Arash Amiri Abedian (31) and Danial Jeloudar (27) with:

  • Aggravated identity theft
  • Wire fraud
  • Criminal conspiracy relating to access device fraud, unauthorized access to, and theft of information from, computers, and threatening to damage a computer.

Beginning in October 2007, Abedian and Jeloudar, living in Iran, conspired together to violate multiple U.S. criminal statutes. The indictment states that they obtained stolen credit card numbers and related personal information by hacking, and used that information to defraud and extort money, goods and services from victims in the U.S. and elsewhere.



Between 2011 and 2016, Abedian used malicious software (malware) to capture the credit card and other personal information of individuals who had transacted with various websites. Abedian used that information to commit identity theft and obtain goods and services by fraud, and on some occasions transmitted the stolen information to Jeloudar. On 21 February 2012, Abedian sent Jeloudar approximately 30,000 names and numbers, which he said were unauthorized credit card numbers and associated information.
Around March and April 2012, Jeloudar ordered and obtained various equipment, servers and internet hosting services from a provider in South Carolina using stolen credit card numbers and other personal identifiers.

Arash Amiri Abedian

Danial Jeloudar
In January 2017, Jeloudar contacted a Californian online merchant and threatened to disclose its customers' credit card numbers and other related information, previously obtained by hacking the merchant's website, unless it made a Bitcoin payment to him. Jeloudar also threatened to tell the company's customers that their private information had been compromised, and launched a denial-of-service (DoS) attack on the company's website.

References

U.S. Department of Justice indictment link
FBI Wanted poster for Arash Amiri Abedian link
FBI Wanted poster for Danial Jeloudar link

Tuesday, July 18, 2017

FBI Indicts Iranian Hackers



The U.S. FBI (Federal Bureau of Investigation) has announced the indictment of two Iranian hackers.

The hackers are Mohammed Reza Rezakhah (aged 39) and Mohammed Saeed Ajily (aged 35). They have both been charged with the following:

  • Criminal conspiracy relating to computer fraud and abuse
  • Unauthorized access to and theft of information from computers
  • Wire fraud
  • Exporting a defense article without a license, and
  • Violating sanctions against Iran 
Arrow Tech: Vermont Software Company

Rezakhah and Ajily have been charged for activity starting in around 2007, when they and a third hacker, Nima Golestaneh (who has already pleaded guilty), hacked into computers in order to obtain software which they would then sell and redistribute in Iran and elsewhere outside the U.S. It appears that Golestaneh worked with Rezakhah by supplying the servers from which Rezakhah conducted his illegal activities.

Ajily tasked Rezakhah and other hackers with stealing or unlawfully cracking particular pieces of software. Rezakhah then hacked into victim networks to steal the software they wanted, and once they had it, Ajily marketed and sold it through various companies and associates to Iranian entities, including universities and military and government bodies, specifically noting in his marketing that such sales were in contravention of U.S. export controls and sanctions. The universities and companies included: Malek Ashtar Defense University, Tehran University, Sharif Technical University, Khvajeh Nasir University, and Shiraz Electro Optic Industry. Rezakhah also worked with Golestaneh to sell their "cracked" version of the Arrow Tech software: they formed a company called "Dongle Labs", which sold a crack for software that normally requires a hardware "dongle" in order to run.

In addition to payment, Ajily received certificates of appreciation for his work from several Iranian government and military entities. Does this imply that Ajily and Rezakhah were working for the Iranian state?

In October 2012, Rezakhah hacked a Vermont-based engineering consulting and software design company, Arrow Tech. Arrow Tech's primary product is PRODAS (Projectile Rocket Ordnance Design and Analysis System), software that provides aerodynamic analysis and design for projectiles, from bullets to GPS-guided artillery shells. This software is designated a "defense article" on the U.S. Munitions List of the International Traffic in Arms Regulations (ITAR), meaning it cannot be exported from the U.S. without a license from the U.S. Department of State. Ajily marketed the same software as one of the products he could offer to his Iranian clients.

What does this mean for the hackers?

The court issued arrest warrants for both defendants, which means that if either Rezakhah or Ajily travelled outside Iran they would risk arrest. In effect they are now prisoners inside Iran. No doubt their activities have brought great shame upon Iran, themselves and their families. Such illegal activities may not help their career prospects inside Iran either...

It would appear that the FBI is getting tough on Iranian hackers who work for, or have links to, the Iranian state in such illegal activities. The indictment can be read in full here.