Iran the New China as a Pervasive Nation-State Hacking Threat

Published: 22/11/2024   Category: security




Security investigations by incident responders at FireEye's Mandiant in 2017 found more prolific and sophisticated attacks out of Iran.



Of the four new advanced persistent threat (APT) groups christened by FireEye last year, three were out of Iran.
Mandiant, the incident response services arm of FireEye, witnessed a major increase in nation-state hacking activity by Iranian attackers in 2017, especially on the cyber espionage side of things. Iranian groups now are maintaining and keeping a foothold in victim organizations for months and sometimes years, demonstrating their sophistication, according to Mandiant's newly published M-Trends Report on its incident investigations in 2017.
"In a way, it felt like Iran was the new China," notes Charles Carmakal, a vice president at Mandiant. "There were so many Chinese threat actors in operations [in previous years], it felt like everyone had at least one Chinese actor attacking them," he notes.
"This time, it was Iran, which was one of the most prolific and pervasive nation-states last year," he says. "In 2017, it felt like Iran was all over the place."
Security researchers and incident responders from various organizations have been well aware of Iran's increasing sophistication and expansion of its cyber operations. It's come a long way from its unsophisticated yet effective distributed-denial-of-service (DDoS) hacktivist-style attack MO that came to a head in late 2011 through 2013, when a DDoS campaign crippled US bank networks. The DDoS campaign hit a crescendo in September of 2012, in some cases reaching 140 gigabits per second of unwanted data traffic to the banks' networks, resulting in hundreds of thousands of banking customers being unable to access their bank accounts online. The attacks cost victims tens of millions of dollars.
"When I first started tracking Iran groups in 2012, it felt like we were dealing with a bunch of amateurs with no real technical capability. They could have been confused with Anonymous ... their weapon of choice was DDoS," Carmakal says. "Today, they've figured out how to organize, fund, and develop tools and are very successful in their offensive operations."
Adam Meyers, vice president of intelligence at CrowdStrike, says it's not so much that Iran is employing more sophisticated cyberattack weapons: they are just more savvy in how they employ them. "It's the sophistication around their tradecraft, methodologies, and operations," he says. "Their weapons are not that much more advanced. It's the way they use them [now]."
Iranian attackers in 2012 deployed the data-destruction Shamoon attacks on two Middle East targets including Saudi Aramco, which were the first signs of a more aggressive and evolving Iranian threat, he says. Today, the geopolitical cloud of questions over whether the US will continue the Iranian nuclear deal or reinstitute sanctions against Iran could ultimately elicit more destructive attacks against US financial organizations if things don't go Iran's way. "If they want to hurt us, they want to go after financial institutions," Meyers says.
Mandiant now considers Iran nation-state groups on par with other nation-states in terms of the pace and scale of their attacks, including employing Web server attacks that gather multiple victims. Rather than relying on publicly available malware and utilities, they develop and deploy custom malware. When they are not carrying out destructive attacks against their targets, they are conducting espionage and stealing data like professionals, according to the M-Trends Report.
Carmakal says it's known that some Iranian groups have access to Western organizations, so the US could be next in line as a target of a destructive-type attack from Iran.
That's something that Tom Kellermann, chief cybersecurity officer at Carbon Black, is predicting will occur in the wake of the Trump administration's tough rhetoric and possible policy changes against Iran. "Iran and North Korea never had true A teams," he says, but Iran's operations have evolved and could well be turned on US targets in the near term.
Iran's destructive bent is where it's very different from Chinese APTs, which typically focus on cyber espionage and stealing intellectual property.
APT35
Mandiant investigated a security incident targeting an energy company early last year that illustrated Iran's more strategic cyber espionage capabilities. APT35 – aka Newscaster and newly added to Mandiant's list of APT groups – was the culprit. APT35 typically gathers intel from US and Middle Eastern military, as well as diplomatic, government, media, energy, defense industrial base, engineering, business services, and telecommunications sector targets.
In the energy company attack, APT35 infected the target via a spear phishing email with a link to a phony resume that was hosted on a compromised, but legitimate website. The resume was infected with the PUPYRAT backdoor, and the attackers dropped a custom backdoor called BROKEYOLK onto the compromised system that allowed the attackers to use the victim's VPN credentials to log into their company systems. In all, APT35 stole credentials from 500 systems in the victim's network.
The hackers also used Microsoft Exchange Client Access cmdlets to alter mailbox permissions in the target's email system and remain under the radar in the organization's Outlook Web Access portal. "Mandiant observed that the attacker had granted compromised accounts read access to hundreds of mailboxes with the Add-MailboxPermission cmdlet," Mandiant said in its report.
That was all APT35 needed to read emails and steal data on Middle East organizations that they later targeted in data-destruction attacks, according to Mandiant.
"Like Chinese [APTs], they stole gigabytes of data," Carmakal says. It wasn't clear why they stole some of the information, however, he says.
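A defender-side check for the mailbox-permission pattern described above, written here as an added example that is not part of the report or this article: it parses constructed Exchange admin audit log entries (field names modelled on Search-AdminAuditLog output; the layout, account names and threshold are assumptions) and flags any grantee that accumulates FullAccess or ReadPermission on several distinct mailboxes via Add-MailboxPermission, netting out later Remove-MailboxPermission calls so routine, reverted delegations do not alert.

```python
from collections import defaultdict

# Constructed sample lines (not real data) shaped like flattened Exchange
# admin audit log records: RunDate|CmdletName|key=value|... ; the first four
# lines mimic one account being granted read access across many mailboxes.
SAMPLE_AUDIT = """\
2017-03-14T02:11:09Z|Add-MailboxPermission|Caller=svc-exch-admin|Identity=alice|User=svc-backup|AccessRights=FullAccess
2017-03-14T02:11:12Z|Add-MailboxPermission|Caller=svc-exch-admin|Identity=bob|User=svc-backup|AccessRights=FullAccess
2017-03-14T02:11:15Z|Add-MailboxPermission|Caller=svc-exch-admin|Identity=carol|User=svc-backup|AccessRights=FullAccess
2017-03-14T02:11:18Z|Add-MailboxPermission|Caller=svc-exch-admin|Identity=dave|User=svc-backup|AccessRights=ReadPermission
2017-03-15T09:00:00Z|Add-MailboxPermission|Caller=helpdesk1|Identity=erin|User=frank|AccessRights=FullAccess
2017-03-15T09:05:00Z|Remove-MailboxPermission|Caller=helpdesk1|Identity=erin|User=frank|AccessRights=FullAccess
2017-03-16T11:00:00Z|Set-Mailbox|Caller=helpdesk1|Identity=gina|User=|AccessRights=
"""

# Rights that let a grantee read another user's mail (assumed set of interest).
WATCHED_RIGHTS = {"FullAccess", "ReadPermission"}

def parse_audit(text):
    """Parse the flattened audit lines into dicts, oldest first; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        run_date, cmdlet, *pairs = line.split("|")
        rec = {"RunDate": run_date, "CmdletName": cmdlet}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        records.append(rec)
    # Netting adds against removes below assumes chronological order.
    return sorted(records, key=lambda r: r["RunDate"])

def find_mass_mailbox_grants(records, threshold=3):
    """Return {grantee: sorted mailboxes} for every grantee that still holds a
    watched right on at least `threshold` distinct mailboxes."""
    held = defaultdict(set)
    for rec in records:
        if rec.get("AccessRights") not in WATCHED_RIGHTS:
            continue  # ignore cmdlets and rights outside the pattern
        if rec["CmdletName"] == "Add-MailboxPermission":
            held[rec["User"]].add(rec["Identity"])
        elif rec["CmdletName"] == "Remove-MailboxPermission":
            held[rec["User"]].discard(rec["Identity"])
    return {user: sorted(mbx) for user, mbx in held.items() if len(mbx) >= threshold}

if __name__ == "__main__":
    for user, mailboxes in find_mass_mailbox_grants(parse_audit(SAMPLE_AUDIT)).items():
        print(f"{user} holds read access to {len(mailboxes)} mailboxes: {', '.join(mailboxes)}")
```

In a real environment the same logic would run over exported admin audit log or Get-MailboxPermission output, with the threshold tuned to how many delegations a legitimate service account normally holds.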
In addition to APT35, Mandiant also named two other Iranian threat groups officially last year, APT33 and APT34, plus one out of Vietnam, APT32 aka Ocean Lotus.
Whack-A-Mole
Another telling trend from Mandiant's IR cases: nearly half of its clients with at least one high-priority attack discovery were hit again within a year. Some 56% of all managed detection and response customers whose IR cases Mandiant investigated were hit again by the same threat group or another group going after the same data or goals.
"In our experience, a fair amount of organizations who are targeted and compromised will continue to be," Carmakal says. Nation-state attackers, for instance, don't give up once they've been kicked out of a target's network. "They want access to it again, so they update and enhance their attack methods over and over," he says.
Mandiant often finds multiple hacking teams inside a targeted organization. And it seems most are unaware that they are competing with one another for access and data in the target. "It's rare for them to be looking for evidence of other threat actors. We don't think they knew the others were in there too," he says. "They might know they have competition, however."
And in a bit of positive news, Mandiant found in its 2017 IR engagements that victim organizations are getting better at detecting attacks on their own, rather than relying on third parties to alert them. The median time for internal detection was 57.5 days for organizations around the world, down from 80 days in 2016. And 62% of attacks last year were detected internally, up from 53% in 2016.
"This is important because our data shows that incidents identified internally tend to have a much shorter dwell time," the report says.
On the flip side: worldwide, the median dwell time from compromise to discovery went up to 101 days, from 99 in 2016.
Related Content:
Destructive and False Flag Cyberattacks to Escalate
DoJ Indicts 9 Iranians for Hacking into Hundreds of Universities, FERC, Dept. of Labor, Others
Nation-State Hackers Adopt Russian Maskirovka Strategy
Chafer Uses Open Source Tools to Target Irans Enemies
