Monday, October 2, 2017

Iranian Hacking Threat to USA if Nuclear Deal Collapses

Since the signing in 2015 of the nuclear deal between the USA and Iran (the Joint Comprehensive Plan of Action, JCPOA), Iranian cyber attacks against the USA have dropped off.

The U.S. and six partners began discussions with Iran in 2013 on lifting some economic sanctions in exchange for limits on Iran's nuclear program. Since then Iranian hackers have largely reduced attacks against the U.S., focusing instead on industrial espionage and on rival Middle Eastern countries. However, with U.S. President Donald Trump threatening to walk away from the deal, there are fears that Iran will restart cyber attacks against the USA.

The cyber-security research company FireEye have produced a report identifying an Iranian government group that FireEye call APT33 (APT means Advanced Persistent Threat, a label normally reserved for state-sponsored groups). APT33 has previously used spear-phishing to target companies in the petrochemical industry and in military and commercial aviation. Could APT33 or a similar group be ready to attack the U.S. if Trump quits the JCPOA?

A Short History of Iranian Cyber-attacks

  • 2010: The Stuxnet malware, suspected to have been built by the U.S. and Israel, was discovered; it damaged uranium-enrichment centrifuges and their control equipment at Iran's Natanz enrichment plant.
  • 2011/2013: In a possible response to Stuxnet, Iranian actors ran Operation Ababil, a campaign of DDoS (Distributed Denial of Service) attacks against over 45 major U.S. financial institutions. Seven Iranians working for the ITSecTeam company were indicted in the U.S. in 2016 for DDoS attacks carried out on at least 176 days; one of them was also charged with intruding into the control system of the Bowman Avenue Dam in New York.
  • 2012: The Shamoon wiper malware destroyed tens of thousands of computers at the Saudi Aramco oil company. The attack is widely attributed to Iran, but FireEye report only potential ties between APT33 and destructive wiper malware and do not attribute the 2012 Shamoon attack to APT33 itself.
  • 2015: After the JCPOA, large-scale Iranian attacks against the U.S. dropped off, although this may also reflect Iran's preoccupation with Syria and Yemen. APT33 nonetheless continued espionage against the U.S., South Korea and Saudi Arabia. In 2015 many Iranian hacking forums and hacker handles disappeared, probably because Iran realized it was under greater scrutiny.
  • 2016/2017: APT33 targeted Saudi Arabian and U.S. aerospace companies, along with a South Korean petrochemical company. In May 2017, APT33 targeted a Saudi organization and a South Korean company with spear-phishing emails offering job vacancies at a Saudi petrochemical company.

The FireEye APT33 Report

FireEye state that APT33 sent its spear-phishing emails using an Iranian-developed web shell written by the hacker Solevisible. The web shell (ALFASHELL, ALFA TEaM Shell v2-Fake Mail) has a default sender address of solevisible@gmail.com, which appeared in some of the phishing emails. It is not known whether Solevisible is linked with APT33.

APT33 registered domains masquerading as the following companies: Boeing, Alsalam Aircraft Company, Northrop Grumman Aviation Arabia, and Vinnell Arabia. APT33 used these domains to send spear-phishing emails to its targets.
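Spotting registrations that masquerade as a trusted partner can be automated. The Python below is an added example, not code from the original post or from FireEye: it checks candidate domain names against a watchlist built from the four company names above. The allow-list of known-good domains, the homoglyph table and the edit-distance threshold are assumptions of this example, and the candidate domains are constructed under the reserved .example TLD.

```python
"""Flag domains that masquerade as trusted aerospace/defence brands.

Added example. The watchlist comes from the companies named in the FireEye report;
the allow-list, the homoglyph table, the edit-distance threshold and the .example
candidate domains are assumptions chosen for illustration.
"""
from typing import Optional

# Brand tokens derived from the companies APT33 impersonated.
WATCHLIST = ["boeing", "alsalam", "northropgrumman", "vinnell"]

# Common look-alike substitutions (assumed; extend for your environment).
# Multi-character pairs are folded first so "rn" becomes "m" before "0" becomes "o".
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain: str) -> str:
    """Lower-case, keep the registrable label (naively: second-to-last), drop hyphens."""
    labels = domain.lower().strip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return sld.replace("-", "")


def deglyph(label: str) -> str:
    """Fold look-alike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, allowlist: frozenset = frozenset()) -> Optional[str]:
    """Return a reason if the domain masquerades as a watchlisted brand, else None."""
    if domain.lower().strip(".") in allowlist:
        return None
    core = normalise(domain)
    folded = deglyph(core)
    for brand in WATCHLIST:
        if core == brand:
            return f"{brand}: brand name under an unexpected domain"
        if folded == brand:
            return f"{brand}: look-alike character substitution"
        if levenshtein(folded, brand) <= 1:
            return f"{brand}: near-miss spelling"
        if brand in folded:
            return f"{brand}: brand embedded in a longer name"
    return None


def scan(domains, allowlist: frozenset = frozenset()) -> dict:
    """Map each flagged domain to its reason; clean domains are omitted."""
    result = {}
    for d in domains:
        reason = classify(d, allowlist)
        if reason:
            result[d] = reason
    return result


# Constructed candidates (reserved .example TLD, not real registrations).
SAMPLE_DOMAINS = [
    "boeing.com",                 # legitimate, on the allow-list below
    "boeing.example",             # brand under a different registrable domain
    "b0eing.example",             # digit zero for letter o
    "alsalarn.example",           # "rn" imitating "m"
    "northropgruman.example",     # one letter dropped
    "boeing-careers.example",     # brand plus a lure word (recruitment theme)
    "example-airlines.example",   # unrelated, should not be flagged
]
# Assumed allow-list: replace with the verified domains of your own partners.
ALLOWLIST = frozenset({"boeing.com"})

if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_DOMAINS, ALLOWLIST).items():
        print(f"{domain:28s} {reason}")
```

Feed it newly observed sender domains from mail logs or certificate-transparency feeds; anything flagged that is not on the allow-list deserves a look before the recruitment lure lands in an inbox.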

FireEye identified the hacker handle xman_1365_x as belonging to the developer of a backdoor used in APT33 malware. xman_1365_x also appears to have been a manager on the Barnamenevis Iranian programming and software engineering forum, and registered accounts on the Iranian Shabgard and Ashiyane forums. The handle is further linked with the Nasr Institute, which is comparable to Iran's "cyber army" and controlled by the Iranian government. The Nasr Institute appears to be linked to the 2011-2013 DDoS attacks on the financial industry (Operation Ababil).

Further indications that Iran is behind APT33

  • A malware dropper (known as StoneDrill) used by APT33 contains Farsi-language artifacts.
  • APT33's targeting of organizations involved in aerospace and energy is aligned with nation-state interests rather than those of cyber-criminal groups, implying that APT33 is probably government sponsored.
  • Iranian working hours: APT33 was active at times consistent with a time zone 4:30 hours ahead of UTC (Iran Daylight Time), which strongly points to Iran. APT33 also largely operated on days that correspond to the Iranian working week (Saturday to Wednesday); Iran is one of the few countries with a Saturday-to-Wednesday working week.
  • APT33 used popular Iranian hacker tools and DNS servers also used by other suspected Iranian hackers. The publicly available backdoors and tools utilized by APT33 (including NANOCORE, NETWIRE, and ALFA Shell) are available on Iranian hacking websites, are associated with Iranian hackers, and are used by other suspected Iranian threat groups.
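The working-hours and working-week argument in the list above can be reproduced on any set of activity timestamps. The Python below is an added example, not code from the original post or from FireEye: it takes UTC timestamps (a constructed sample, not real APT33 data), shifts them into candidate time zones, and reports how many fall inside a local working day and the Saturday-to-Wednesday week. The UTC+4:30 offset, the 08:00 to 18:00 working window and the set of candidate offsets are assumptions of the example. It goes one step beyond the text by scoring several offsets to find the one that best fits the data, which is how the "close to 4:30 ahead of UTC" observation would be reached in practice.

```python
"""Estimate an actor's time zone and working week from activity timestamps.

Added example, not from the original post or FireEye. The timestamps below are
constructed; the working-day window and candidate offsets are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Iran's working week runs Saturday to Wednesday; datetime.weekday() numbers Monday=0.
IRAN_WORKWEEK = frozenset({5, 6, 0, 1, 2})
# UTC+4:30 is Iran Daylight Time, the offset the report's activity clusters around.
IRAN_OFFSET = timedelta(hours=4, minutes=30)
# Assumed set of offsets to compare against.
CANDIDATES = [timedelta(0), timedelta(hours=2), timedelta(hours=3),
              IRAN_OFFSET, timedelta(hours=8)]

# Constructed sample of activity times in UTC (e.g. compile times or phishing-send times).
SAMPLE_UTC = [
    "2017-05-06T04:05:00", "2017-05-06T09:40:00",  # Saturday
    "2017-05-07T03:50:00", "2017-05-07T11:15:00",  # Sunday
    "2017-05-08T05:30:00", "2017-05-08T10:02:00",  # Monday
    "2017-05-09T04:45:00", "2017-05-09T12:10:00",  # Tuesday
    "2017-05-10T06:00:00", "2017-05-10T08:30:00",  # Wednesday
    "2017-05-11T22:00:00",                         # Thursday night UTC: the outlier
    "2017-05-13T05:20:00", "2017-05-14T07:45:00", "2017-05-15T09:00:00",
]


def profile(timestamps_utc, offset, start_hour=8, end_hour=18, workweek=IRAN_WORKWEEK):
    """Shift UTC timestamps by `offset` and measure fit against a local working pattern.

    Returns the fraction of events inside [start_hour, end_hour) and on working days,
    plus hour-of-day and day-of-week histograms in the shifted zone.
    """
    tz = timezone(offset)
    hours, days = Counter(), Counter()
    in_hours = on_workdays = 0
    for stamp in timestamps_utc:
        local = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc).astimezone(tz)
        hours[local.hour] += 1
        days[local.strftime("%a")] += 1
        in_hours += start_hour <= local.hour < end_hour
        on_workdays += local.weekday() in workweek
    n = len(timestamps_utc)
    return {"in_hours": in_hours / n, "on_workdays": on_workdays / n,
            "hours": hours, "days": days}


def best_offset(timestamps_utc, candidates=CANDIDATES):
    """Return the (offset, working-hours fraction) that best explains the activity."""
    scored = [(profile(timestamps_utc, off)["in_hours"], off) for off in candidates]
    score, off = max(scored, key=lambda s: s[0])
    return off, score


if __name__ == "__main__":
    off, score = best_offset(SAMPLE_UTC)
    print(f"best offset UTC{off.total_seconds() / 3600:+.1f} "
          f"with {score:.0%} of activity in working hours")
    p = profile(SAMPLE_UTC, off)
    print(f"on Sat-Wed: {p['on_workdays']:.0%}; by day: {dict(p['days'])}")
```

On the constructed sample the UTC+4:30 shift places 13 of 14 events inside the working day and on Saturday to Wednesday, while UTC places only 6 of 14 in working hours. With real data the signal is only as good as the timestamps: compile times can be forged, and a single offset cannot separate Iran from other zones unless the working-week pattern is checked as well, which is why the report combines both.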
