Iran Intensifies Its Cyberattack Activity

Published: 22/11/2024   Category: security


Middle East targets – namely Saudi Arabia – are feeling the brunt of the attacks, but experts anticipate Iran will double down on hacking US targets.



RSA CONFERENCE – San Francisco – As all eyes are on Russia's coordinated hacking and propaganda efforts aimed at influencing elections in the US and some European nations, state-sponsored attackers out of Iran are quietly cranking up their cyber spying and data-destruction attacks.
Most of Iran's targets over the past few months have been in the Middle East – namely its nemesis Saudi Arabia – but some security experts warn that the US indeed could be in the line of fire given the increasingly contentious geopolitical climate between the two nations.
Former national security advisor Michael Flynn's recent declaration that the US had put Iran "on notice" and the subsequent anti-US protests and sentiment in Iran are the perfect recipe for an increase in cyber espionage and cyberattacks meant to destabilize or protest US policies on Iran, according to Adam Meyers, vice president of intelligence at CrowdStrike.
Meyers says Iran's nation-state hacking machine is more prolific than ever lately. "What's new is the level of activity we've seen, with dozens of targets in Saudi Arabia over the past two months," Meyers said in an interview here.
"One of the things we're tracking is if things escalate between the US and Iran, then we expect attacks will be likely in the financial sector in the US in response," he said.
Iran's cyberattack operations also have matured and become more disciplined, he says. "They are showing more mature capabilities and organization," Meyers explained. "In early 2010 to 2014, they were very open, disorganized, [as] small companies doing training and pen-testing and exploit development. Now they've aligned themselves into proper businesses working on attack campaigns," he said. "We don't see them talking [about their cyber activities] as openly as before. That's notable."
In 2012, hackers believed to be out of Iran launched the devastating Shamoon data-wiping attacks on Middle East petroleum giant Saudi Aramco, damaging or wiping the hard drives of some 25,000 computers. The following year, US banks suffered a massive wave of distributed denial-of-service (DDoS) attacks that US officials blamed on Iran.
Then Shamoon reappeared in November of last year and again in January of this year, with a slightly new version of the destructive malware, hitting thousands of computers across more than 10 government and civil organizations in Saudi Arabia and the Gulf States.
IBM's X-Force incident response services team, IRIS (Incident Response and Intelligence Services), here this week revealed its findings on just how the new Shamoon malware was unleashed on its victims, something that had been mostly speculated on for some time, given the nature of data-wiping attacks that leave little forensic evidence behind.
The latest Shamoon attacks began with a spear-phishing email sent to employees at the targeted organizations. The email carried a Microsoft Word document rigged with a malicious macro that, once the victim enabled it, infected his or her machine. The macro launches PowerShell, giving the attackers remote command-line control of the machine, which they use to add other malware or to gain privileged access to other systems on the victim's network.
Once the attackers have enough intel to find juicy targets on the network, they deploy Shamoon, which overwrites the hard drives and disables the affected computers.
Wendi Whitmore, global lead of IBM X-Force IRIS, said her team has mostly seen the new Shamoon campaign targeting Middle East organizations. "Right now, the biggest threat is really to the Middle East region, from what we've seen," she said in an interview here. IBM did not determine the initial attack vector of the 2012 Shamoon campaigns, she said.
Whitmore said she expects more Shamoon and destructive-type attacks to come. "Especially with how dynamic the political environment is now," she said.
Meanwhile, researchers from Palo Alto Networks' Unit 42 team have spotted other targeted attacks on government, energy, and technology organizations mainly in Saudi Arabia, or those that do business there. PAN calls the attack group Magic Hound, noting that it may be somehow connected to the Iranian Rocket Kitten cyber espionage gang.
Unit 42 stopped short of tying these attacks to the Shamoon group. Rocket Kitten is best known for keylogging and other traditional cyber spying. Like the second Shamoon attacks, Magic Hound relies on malicious macros in Microsoft Office documents that call Windows PowerShell to wrest control of the victim machines.
The weaponized Office documents were found to be hosted either on what appeared to be compromised legitimate websites, or on websites using domain names similar in appearance to legitimate domain names, according to Unit 42's research. "The two legitimate websites we were able to identify were owned by organizations in the government and energy sectors. Based on the existence of these malicious files on the legitimate websites, it is highly probable that the websites had already been compromised in some fashion."
The initial attack vector was likely the old standby, spear phishing, according to the researchers.
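The chain described for both Shamoon 2 and Magic Hound (a spear-phished Office document whose macro launches PowerShell for remote command-line control) leaves a clear trace in endpoint process-creation telemetry: an Office application as the parent of a shell. The Python script below is an added detection example and is not code from the article, IBM X-Force or Unit 42. The event field names and the sample events it scans are constructed to resemble Sysmon process-creation records and are not real logs.

```python
"""Flag Office-spawned shells in process-creation logs (defensive detection example)."""
import re
from typing import Optional

# Constructed sample events, modelled on Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc SQBFAFgA"},
    {"host": "ws02",                                  # benign: admin script from Explorer
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"host": "ws03",                                  # Excel macro going through cmd.exe
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c powershell -File C:\Users\Public\run.ps1"},
    {"host": "ws04",                                  # benign: Word printing helper
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe"}

# Command-line traits that raise severity once an Office-to-shell pairing is seen.
SUSPICIOUS_ARGS = [
    (re.compile(r"(^|\s)-(e|en|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"(^|\s)-(ep|exec|executionpolicy)\s+bypass\b", re.I), "execution policy bypass"),
    (re.compile(r"(^|\s)-nop(rofile)?\b", re.I), "no profile"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> Optional[dict]:
    """Return an alert dict for an Office-spawned shell, or None for anything else."""
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    cmd = ev.get("command_line", "")
    reasons = []
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    elif parent in OFFICE_PARENTS and "powershell" in cmd.lower():
        reasons.append(f"{parent} launched a command invoking powershell")
    if not reasons:
        return None
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(cmd):
            reasons.append(label)
    severity = "high" if len(reasons) > 1 else "medium"
    return {"host": ev["host"], "severity": severity, "reasons": reasons}


def scan(events: list) -> list:
    """Run score_event over a batch of events and keep only the alerts."""
    return [alert for alert in (score_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['host']}: " + "; ".join(alert["reasons"]))
```

The parent/child pairing is the core signal; the command-line flags only raise the severity, since legitimate automation does occasionally launch PowerShell, but rarely from Word with a hidden window and an encoded command. In a real deployment the events would come from a SIEM or EDR export rather than an inline list, and the parent allow-list would be tuned for the Office add-ins in use.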
Related Content:
Saudi Arabia Issues Alert On Shamoon 2
Inside The Aftermath Of The Saudi Aramco Breach
Iran Counters US Hacking Indictments Of 7 Iranians
The Data-Annihilation Attack Is Back
