Sunday, October 15, 2017

UK Parliament Hacked By Iran



The United Kingdom (UK) Parliament appears to have been hacked by Iran. The cyber-attack on 23 June 2017 was a brute-force attack against 9000 email accounts, including that of the UK Prime Minister Theresa May, and in total between 30 and 90 members of Parliament were affected.

The Times, the UK newspaper which broke the story, said that this was Iran's first significant act of cyber-warfare against the UK, that it underlines Iran's emergence as one of the world's biggest cyber powers, and that Iran is highly capable of such attacks.

The timing of the publication is interesting, coming after US President Donald Trump's stated intent to withdraw from the JCPOA (Joint Comprehensive Plan of Action) with Iran, which could threaten to re-instate sanctions against Iran. The UK, France and Germany do not agree with the USA on the matter. Without complete agreement, perhaps Iran will not suffer any new sanctions, as it appears that Iran has not violated any of the sanctions.


Iranian regime attack or amateur hackers?

The attack, which was originally suspected of coming from Russia, may have been carried out by amateur hackers. At the time of the attack in June, it was said that the attackers could only break into the email accounts of members of Parliament (MPs) which had simple, easy-to-guess passwords. As a security response at the time, MPs were unable to access their accounts and had to communicate using SMS texts instead. It now seems, however, that the regime may after all have been behind the attack.

Reasons for the attack

The reasons for the attack are unknown (or at least the British intelligence services are not saying), but could be:
  • Exploratory activity: Iran may have been looking for UK data that it could use as leverage to force the UK into concessions, or that could compromise the interests of the UK
  • Iran may have been looking for a trade advantage
  • More worrying is the possibility that the IRGC (Iranian Revolutionary Guards Corps) may be seeking to undermine Iran's anti-nuclear-proliferation deal in order to get it scrapped; Iran could then restart its nuclear weapons research.
The IRGC are at odds with President Hassan Rouhani, whom they see as too pro-West, while the religious leader of the regime, Ayatollah Khamenei, is linked with the IRGC. There is therefore an ongoing rift between the religious and political leadership of Iran, partly due to Rouhani slashing the IRGC's budget to restrict their economic activities.



An uncertain future

In my previous article I noted that Iran may seek to increase cyber-attacks against the USA if the US walked away from the JCPOA. Now that President Trump appears to be doing just that, even though Germany, the UK and France don't agree, we may see an increase in cyber-warfare from Iran against the West.

Monday, October 2, 2017

Iranian Hacking Threat to USA if Nuclear Deal Collapses



Since the signing of the nuclear deal between the USA and Iran in 2015 (the Joint Comprehensive Plan of Action, JCPOA), Iranian cyber-attacks against the USA have dropped off.

The U.S. and six partners began discussions with Iran in 2013 to lift some economic sanctions in return for limits on Iran's nuclear programme, and since then Iranian hackers have largely reduced attacks against the U.S., focusing instead on industrial espionage and on rival Middle Eastern countries. However, with the threat by U.S. President Donald Trump to walk away from the deal, there are fears that Iran will restart cyber-attacks against the USA.

The cyber-security research company FireEye has produced a report identifying an Iranian government group that FireEye calls APT33 (APT means Advanced Persistent Threat, a label that usually indicates state involvement). APT33 has previously used spear-phishing to target companies in the petrochemical industry and in military and commercial aviation. Could APT33 or a similar group be ready to attack the U.S. if Trump quits the JCPOA?

A Short History of Iranian Cyber-attacks

  • 2010: It was suspected that the U.S. and Israel attacked Iran with the Stuxnet malware, damaging Iranian nuclear control equipment at the Natanz uranium enrichment plant.
  • 2011/2013: In possible response to Stuxnet, Iran launched the Operation Ababil DDoS (Distributed Denial of Service) attacks against over 45 major financial institutions. Seven members of the Iranian ITSec Team were subsequently indicted by the FBI for over 176 days of DDoS attacks against the U.S. and for the attack against the Bowman Dam.
  • 2012: APT33 attacked the Saudi Aramco oil company using the Shamoon malware, destroying thousands of computers at that company.
  • 2015: After the JCPOA, large-scale Iranian attacks against the U.S. dropped off, although this may also have been due to Iran's preoccupation with Syria and Yemen. APT33 nevertheless continued espionage attacks against the U.S., South Korea and Saudi Arabia. In 2015, many Iranian hacking forums and hacker handles disappeared, probably because Iran realized that it was under greater scrutiny.
  • 2016/2017: APT33 attacked Saudi and U.S. aerospace companies, along with a South Korean petrochemical company. In May 2017, APT33 targeted a Saudi organization and a South Korean company with malicious spear-phishing emails offering job vacancies at a Saudi petrochemical company.

The FireEye APT33 Report

FireEye state that APT33 used an Iranian-developed web-shell, written by the hacker Solevisible, to craft the spear-phishing emails sent to targets. The webshell (called ALFASHELL, ALFA TEaM Shell v2-Fake Mail) has the default sender email address solevisible@gmail.com. It is not known whether Solevisible is linked with APT33.

APT33 registered domains masquerading as the following companies: Boeing, Alsalam Aircraft Company, Northrop Grumman Aviation Arabia, and Vinnell Arabia, and used those domains to target victims with spear-phishing emails.

FireEye identified the hacker xman_1365_x as the developer of a backdoor used in APT33 malware. It appears that xman_1365_x was also a manager in the Barnamenevis Iranian programming and software engineering forum, and registered accounts in the Iranian Shabgard and Ashiyane forums. The hacker xman_1365_x is also linked with the Nasr Institute, which is similar to Iran's cyber army and is controlled by the Iranian government. The Nasr Institute appears to be linked to the 2011-2013 DDoS attacks on the financial industry (Operation Ababil).

Further indications that Iran is behind APT33

  • A malware dropper (known as StoneDrill) used by APT33 has Farsi language artifacts in it.
  • APT33's targeting of organizations involved in aerospace and energy is aligned with nation-state interests (not those of cyber-criminal groups), implying that APT33 is probably government sponsored.
  • Iranian working hours: APT33 operated in a time zone close to UTC+04:30, which strongly indicates Iran. APT33 largely operated on days that correspond to the Iranian working week (Saturday to Wednesday); Iran is one of the few countries with a Saturday to Wednesday working week.
  • APT33 used popular Iranian hacker tools and DNS servers also used by other suspected Iranian hackers. The publicly available backdoors and tools utilized by APT33 (including NANOCORE, NETWIRE, and ALFA Shell) are available on Iranian hacking websites, are associated with Iranian hackers, and are used by other suspected Iranian threat groups.
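The working-hours indicator above can be reproduced as a simple scoring exercise: shift each event timestamp into a candidate time zone and measure how many land on that zone's working days and hours. The Python below is an added example, not FireEye's or the page's own code; the event timestamps are constructed, and the competing time zones and the 08:00-17:59 working window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Hypotheses to test: (UTC offset, set of local working days).
# Python weekday numbering: Mon=0 .. Sat=5, Sun=6. Zones and window are assumptions.
HYPOTHESES = {
    "Iran (UTC+04:30, Sat-Wed)": (timedelta(hours=4, minutes=30), {5, 6, 0, 1, 2}),
    "Moscow (UTC+03:00, Mon-Fri)": (timedelta(hours=3), {0, 1, 2, 3, 4}),
    "US East (UTC-04:00, Mon-Fri)": (timedelta(hours=-4), {0, 1, 2, 3, 4}),
}
WORK_HOURS = range(8, 18)  # 08:00-17:59 local

# Constructed sample of UTC event times (think malware compile times or C2
# check-ins); not real APT33 data. 2017-05-06 is a Saturday.
SAMPLE_UTC = [
    "2017-05-06T04:15:00Z", "2017-05-06T09:00:00Z", "2017-05-07T05:30:00Z",
    "2017-05-08T07:00:00Z", "2017-05-09T12:45:00Z", "2017-05-10T03:45:00Z",
    "2017-05-11T06:00:00Z", "2017-05-12T10:00:00Z", "2017-05-13T05:00:00Z",
    "2017-05-14T11:30:00Z",
]

def to_local(ts_utc, offset):
    """Parse an ISO-8601 UTC timestamp and shift it into the hypothesised local zone."""
    utc = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    return utc.astimezone(timezone(offset))

def working_hours_score(timestamps, offset, workdays, hours=WORK_HOURS):
    """Fraction of events on a working day and inside working hours under one hypothesis."""
    hits = 0
    for ts in timestamps:
        local = to_local(ts, offset)
        if local.weekday() in workdays and local.hour in hours:
            hits += 1
    return hits / len(timestamps)

def weekday_histogram(timestamps, offset):
    """Events per local weekday name; lets an analyst eyeball a Sat-Wed pattern."""
    return Counter(to_local(ts, offset).strftime("%a") for ts in timestamps)

def rank_hypotheses(timestamps, hypotheses=HYPOTHESES):
    """Return (name, score) pairs with the best-fitting hypothesis first."""
    scored = [(name, working_hours_score(timestamps, off, days))
              for name, (off, days) in hypotheses.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    for name, score in rank_hypotheses(SAMPLE_UTC):
        print(f"{name:32s} {score:.2f}")
    print(weekday_histogram(SAMPLE_UTC, HYPOTHESES["Iran (UTC+04:30, Sat-Wed)"][0]))
```

A high score for one zone is circumstantial, as the bullet list itself treats it: timestamps can be forged or shifted, so this signal is only useful alongside the tooling and targeting indicators.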