Archive for the ‘Iran’ Category

“We need to up our game”—DHS cybersecurity director on Iran and ransomware

June 28th, 2019
Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, at a recent Senate hearing. Krebs issued a warning earlier this week on a surge in Iranian state-sponsored "malicious cyber activity." (credit: Tom Williams/CQ Roll Call via Getty Images)

Last weekend, Cybersecurity and Infrastructure Security Agency Director Christopher Krebs issued a statement warning about elevated malicious Internet activity from state-sponsored actors in Iran. The notice corresponded to new warnings from private security research firms, including Recorded Future, of a surge in preparatory activity over the past three months by APT33, a threat group connected to the Iranian government and the Islamic Revolutionary Guard Corps (IRGC, a branch of Iran's armed forces).

In an interview with Ars, Krebs explained that the reason for the warning went beyond that "regional activity"—attacks on Saudi Arabian companies and other organizations in the Persian Gulf and South Asia.

"Over the course of the last couple of weeks, and in particular last week I'd say, [the activity] became specifically directed," he said. A "sense of the community"—reports from US intelligence and other agencies, as well as private sector cybersecurity vendors—showed a significant leap in spear-phishing attacks connected to infrastructure associated with APT33 against targets in the US over the past week, Krebs said. "So you combine that increase in activity with a historic intentionality and demonstrated ability, after previous destructive campaigns, and it was time to make a statement and say, 'Hey look, everybody, this is heating up. And politically it is also heating up... We need to step up our game.'"


Posted in APT 33, APT33, Biz & IT, CISA, Department of Homeland Security, DHS, election security, Iran, Policy, ransomware

Iranian state hackers reload their domains, release off-the-shelf RAT malware

June 26th, 2019
The flag of Iran. Iran's hacking groups are scaling up, hitting Saudi companies and other organizations, according to a Recorded Future report. (credit: Getty Images)

A new report from the threat research firm Recorded Future finds that activity from APT33—the Iranian "threat group" previously tied to the Shamoon wiper attack and other Iranian cyber-espionage and destructive malware attacks—has risen dramatically, with the organization creating over 1,200 domains for use in controlling and spreading malware. The research, conducted by Recorded Future's Insikt Group threat intelligence service, found with some confidence that individuals tied to APT33 (also known as "Elfin") had launched attacks on multiple Saudi companies, including two healthcare organizations—as well as an Indian media company and a "delegation from a diplomatic institution."

The majority of these attacks have involved "commodity" malware—well-known remote access tools (RATs). According to the report:

APT33, or a closely aligned threat actor, continues to control C2 domains in bulk. Over 1,200 domains have been in use since March 28, 2019, alone. Seven hundred twenty-eight of these were identified communicating with infected hosts. Five hundred seventy-five of the 728 domains were observed communicating with hosts infected by one of 19 mostly publicly available RATs. Almost 60% of the suspected APT33 domains that were classified to malware families related to njRAT infections, a RAT not previously associated with APT33 activity. Other commodity RAT malware families, such as AdwindRAT and RevengeRAT, were also linked to suspected APT33 domain activity.

After Symantec revealed much of the infrastructure used by APT33 in March, the Iranian group parked a majority of its existing domains and registered over 1,200 new ones, with only a few of the old ones remaining active. In addition to the collection of RATs, about a quarter of the domains are tied to unknown activity, and a half-percent are connected to StoneDrill, a wiper closely related to Shamoon 2.0 that was first seen in 2017.


Posted in Biz & IT, Iran, Iran Revolutionary Guard Corps, remote access tool, Remote Access Trojans, StoneDrill

DHS cyber director warns of surge in Iranian “wiper” hack attacks

June 24th, 2019
An effective wiper of sorts. (credit: Getty Images)

With tensions between the US and Iran on the rise following the downing of a US military drone last week, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is warning that Iran is elevating its efforts to do damage to US interests through destructive malware attacks on industrial and government networks.

In a statement issued on Saturday, June 22, CISA Director Christopher C. Krebs said:

CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. Iranian regime actors and proxies are increasingly using destructive "wiper" attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.

Krebs urged businesses and agencies to take steps to improve their security hygiene, including implementing multi-factor authentication for user credentials to prevent brute-force attempts to connect to exposed network and cloud applications.
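The tactics Krebs names, password spraying and credential stuffing, look different in authentication logs from a classic brute-force attempt: a spray touches many accounts a few times each to stay under per-account lockout thresholds, while brute force hammers one account. The script below is an added example, not code from the article or from CISA, showing how to tell the two apart over a log stream and how to surface the event that matters most, a successful login from a source that was just spraying. The single-line log format and every sample line are constructed for the example, not captured from any real system; the thresholds are assumptions to tune per environment.

```python
"""Separate password spraying from brute force in auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format, constructed for this example (not any product's format):
#   2019-06-22T09:00:01Z auth FAIL user=alice src=203.0.113.7
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_log():
    """Build constructed sample lines (synthetic, not captured traffic)."""
    base = datetime(2019, 6, 22, 9, 0, 0)
    stamp = lambda delta: (base + delta).strftime(TS_FMT)
    lines = []
    # Spray: one source tries 12 accounts once each, ~90 s apart, staying under
    # a typical 5-failures-per-account lockout, then lands on one account.
    users = ["alice", "bob", "carol", "dave", "erin", "frank",
             "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
    for i, u in enumerate(users):
        lines.append(f"{stamp(timedelta(seconds=90 * i))} auth FAIL user={u} src=203.0.113.7")
    lines.append(f"{stamp(timedelta(minutes=20))} auth OK user=dave src=203.0.113.7")
    # Brute force: one source hits one account eight times in two minutes.
    for i in range(8):
        lines.append(f"{stamp(timedelta(seconds=15 * i))} auth FAIL user=admin src=198.51.100.9")
    # Benign noise: a user mistypes once, then logs in.
    lines.append(f"{stamp(timedelta())} auth FAIL user=alice src=192.0.2.5")
    lines.append(f"{stamp(timedelta(seconds=30))} auth OK user=alice src=192.0.2.5")
    return lines


def parse_events(lines):
    """Return time-sorted (ts, result, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["result"], m["user"], m["src"]))
    events.sort()
    return events


def detect_password_spray(events, window=timedelta(minutes=30), min_users=10):
    """{src: set(users)} for sources failing against >= min_users distinct accounts in any window."""
    per_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            per_src[src].append((ts, user))
    hits = {}
    for src, fails in per_src.items():
        start = 0
        for end in range(len(fails)):                 # sliding time window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users and len(users) > len(hits.get(src, ())):
                hits[src] = users
    return hits


def detect_brute_force(events, window=timedelta(minutes=30), min_failures=5):
    """{(src, user): failures} where one source failed >= min_failures times on one account in a window."""
    per_key = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            per_key[(src, user)].append(ts)
    hits = {}
    for key, times in per_key.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_failures:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def successes_after_spray(events, spray_sources):
    """OK logins from a spraying source: the account-compromise signal to escalate first."""
    return [(ts, user, src) for ts, result, user, src in events
            if result == "OK" and src in spray_sources]


if __name__ == "__main__":
    ev = parse_events(constructed_log())
    spray = detect_password_spray(ev)
    print("spray sources:", {s: len(u) for s, u in spray.items()})
    print("brute force:", detect_brute_force(ev))
    print("compromised after spray:", successes_after_spray(ev, spray))
```

The benign source (one failure, then success) trips neither detector, the single-account hammering shows up only under brute force, and the spraying source is reported with the account it eventually got into. Detection of this kind complements rather than replaces the control Krebs recommends: with multi-factor authentication in place, the successful password in the last case does not by itself yield a session.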


Posted in Biz & IT, flame, Iran, Iranian Cyber Army, Policy, shamoon, stuxnet

A mystery agent is doxing Iran’s hackers and dumping their code

April 21st, 2019
Stylized photo of desktop computer. (credit: Lino Mirgeler/picture alliance via Getty Images)

Nearly three years after the mysterious group called the Shadow Brokers began disemboweling the NSA's hackers and leaking their hacking tools onto the open Web, Iran's hackers are getting their own taste of that unnerving experience. For the last month, a mystery person or group has been targeting a top Iranian hacker team, dumping its secret data, tools, and even identities onto a public Telegram channel—and the leak shows no signs of stopping.

Since March 25, a Telegram channel called Read My Lips or Lab Dookhtegan—which translates from Farsi as "sewn lips"—has been systematically spilling the secrets of a hacker group known as APT34 or OilRig, which researchers have long believed to be working in service of the Iranian government. So far, the leaker or leakers have published a collection of the hackers' tools, evidence of their intrusion points for 66 victim organizations across the world, the IP addresses of servers used by Iranian intelligence, and even the identities and photographs of alleged hackers working with the OilRig group.

"We are exposing here the cyber tools (APT34 / OILRIG) that the ruthless Iranian Ministry of Intelligence has been using against Iran's neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks," read the original message posted to Telegram by the hackers in late March. "We hope that other Iranian citizens will act for exposing this regime's real ugly face!"


Posted in Biz & IT, hacking, Iran

UAE buys its way toward supremacy in Gulf cyberwar, using US and Israeli experts

February 1st, 2019
President Donald Trump welcomes Crown Prince Shaikh Mohammad bin Zayed Al Nahyan of Abu Dhabi in the Oval Office of the White House on May 15, 2017 in Washington, DC. (credit: Pool/Getty Images)

On January 30, Reuters released two investigative reports on hacking activities of the United Arab Emirates' National Electronic Security Authority (NESA) targeting political leaders and activists, suspected terrorists, and the governments of Qatar, Turkey, and Iran. The report is the latest evidence of an ongoing cyberwar by the UAE and its ally Saudi Arabia against Qatar, and the UAE has been enlisting US and Israeli experts to help. Reuters' sources also said that the project targeted American citizens for surveillance.

Citing documents reviewed by Reuters and eight individuals who claimed to have worked as US contractors supporting the operation (referred to as Project Raven), the report claims that Baltimore-based CyberPoint and the UAE-based firm DarkMatter—ostensibly hired to help NESA build a threat monitoring and defensive capability similar to the National Security Agency/Central Security Service National Threat Operations Center (NTOC)—also had a secret task of providing NESA with an offensive cyber capability. Some of the US citizens employed by CyberPoint and later by DarkMatter were former NSA analysts who worked at NTOC or, in some cases, NSA's Tailored Access Operations unit.

If US contractors targeted American citizens for a foreign government by using electronic surveillance, that would be in violation of US law—and potentially fatal for companies such as CyberPoint, which has done work for the US government at the Patent and Trademark Office, DARPA, and other agencies. Ars attempted to reach CyberPoint executives for comment, but we received no response before publication. However, Ars was able to reach Daniel Wolfford, a former NSA analyst, former director of threat intelligence at DarkMatter, and now co-founder of a Dubai-based cybersecurity and cryptocurrency firm called Advanced Analysis. Wolfford strongly denied the accusation.


Posted in Biz & IT, CyberPoint, DarkMatter, Finfisher, Iran, NSO Group, Policy, Qatar, Saudi Arabia, United Arab Emirates

Facebook nukes hundreds of “inauthentic” accounts “tied to Iran”

January 31st, 2019
The Facebook logo is displayed at the 2018 CeBIT technology trade fair on June 12, 2018, in Hanover, Germany. (credit: Alexander Koerner/Getty Images)

Facebook said Thursday that it had removed 783 pages, groups, and accounts for "engaging in coordinated inauthentic behavior tied to Iran."

According to the social media giant, some of the accounts date as far back as 2010.

"This activity was directed from Iran, in some cases repurposing Iranian state media content, and engaged in coordinated inauthentic behavior targeting people across the world, although more heavily in the Middle East and South Asia," Nathaniel Gleicher, the company's head of cybersecurity policy, wrote.


Posted in Facebook, Iran, Policy

Iranians indicted in Atlanta city government ransomware attack

December 5th, 2018
The message posted to social media by the city of Atlanta in the wake of an apparent ransomware attack. (credit: City of Atlanta)

The US Attorney's Office for the Northern District of Georgia announced today that a federal grand jury had returned indictments against two Iranian nationals charged with executing the March 2018 ransomware attack that paralyzed Atlanta city government services for over a week. Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri are accused of using the Samsam ransomware to encrypt files on 3,789 City of Atlanta computers, including servers and workstations, in an attempt to extort Bitcoin from Atlanta officials.

Details leaked by City of Atlanta employees during the ransomware attack, including screenshots of the demand message posted on city computers, indicated that Samsam-based malware was used. A Samsam variant was used in a number of ransomware attacks on hospitals in 2016, with attackers exploiting vulnerable Java Web services to gain entry in several cases. In more recent attacks, including those on the health industry companies Hancock Health and Allscripts, other methods were used to gain access, including attacks on exposed Remote Desktop Protocol services that gave the attackers direct access to Windows systems on the victims' networks.

The Atlanta attack was not a targeted state-sponsored attack. The attackers likely chose Atlanta based on a vulnerability scan. According to the indictment, the attackers offered the city the option of paying six Bitcoin (currently the equivalent of $22,500) to get keys to unlock all the affected systems or 0.8 Bitcoin (about $3,000) for individual systems. "The ransom note directed the City of Atlanta to a particular Bitcoin address to pay the ransom and supplied a web domain that was only accessible using a Tor browser," a Department of Justice spokesperson said in a statement. "The note suggested that the City of Atlanta could download the decryption key from that website." But within days of the attack, the Tor page became unreachable, and the City of Atlanta did not pay the ransom.


Posted in Atlanta, Biz & IT, Iran, Policy, ransomware

Stuxnet 2.0? Iran claims Israel launched new cyber attacks

November 5th, 2018
Iranian President Hassan Rouhani's phone calls were apparently intercepted in what Iran claims was one of a number of recent cyber attacks by Israel. (credit: Anadolu Agency / Getty Images)

Last week, Iran’s chief of civil defense claimed that the Iranian government had fought off Israeli attempts to infect computer systems with what he described as a new version of Stuxnet—the malware reportedly developed jointly by the US and Israel that targeted Iran’s uranium-enrichment program. Gholamreza Jalali, chief of the National Passive Defense Organization (NPDO), told Iran's IRNA news service, “Recently, we discovered a new generation of Stuxnet which consisted of several parts... and was trying to enter our systems.”

On November 5, Iran Telecommunications Minister Mohammad-Javad Azari Jahromi accused Israel of being behind the attack, and he said that the malware was intended to “harm the country’s communication infrastructures.” Jahromi praised “technical teams” for shutting down the attack, saying that the attackers “returned empty-handed.” A report from Iran’s Tasnim news agency quoted Deputy Telecommunications Minister Hamid Fattahi as stating that more details of the cyber attacks would be made public soon.

Jahromi said that Iran would sue Israel over the attack through the International Court of Justice. The Iranian government has also said it would sue the US in the ICJ over the reinstatement of sanctions. Israel has remained silent regarding the accusations.


Posted in Biz & IT, Iran, Israel, Policy, stuxnet

How did Iran find CIA spies? They Googled it

November 2nd, 2018
When he left the CIA in 2011 to become secretary of defense, Leon Panetta (right) was leaving in the midst of a huge crisis for the CIA, according to a Yahoo News report: a breach in communications had exposed dozens of CIA assets in Iran and China. (credit: Central Intelligence Agency)

A covert "transitional" channel used for communicating with sources that Central Intelligence Agency handlers couldn't reach directly was exposed and infiltrated by Iranian intelligence in 2009. The breakdown in operational security, which apparently relied heavily on security through obscurity, was the result of Iranian intelligence officials simply using Google to locate the websites used as the communications channel after a double agent exposed the method used by the CIA, according to a report from Yahoo News' Zach Dorfman and Jenna McLaughlin.

Once a double agent presented information about a website the agent had been directed to in order to communicate with the CIA, Iranian intelligence apparently used aspects of the URL to search for other, similar websites. Iranian officials were reportedly able to rapidly identify a number of other such sites, which were set up as temporary communications systems for new, unvetted sources by the CIA. As a result, Iran's intelligence was able to quickly identify the Iranians communicating through those sites. The breach led to the roundup in 2011 of 30 people identified by Iran as CIA spies.

Further digging into these compromised sites may have exposed the identity of CIA personnel as well. During the same timeframe, Iranian intelligence officials were also directly approaching US CIA officers, trying to recruit them to be double agents.


Posted in Biz & IT, china, CIA, data breach, Iran, Policy

Facebook yanks content tied to Iranian effort due to “inauthentic behavior”

October 26th, 2018

Today, Facebook took down 30 pages, 33 Facebook accounts, three Facebook groups, and 16 Instagram accounts that Facebook's head of Cybersecurity Policy Nathaniel Gleicher said were tied to an influence campaign by a group of actors in Iran.

"It’s still early days, and while we have found no ties to the Iranian government, we can’t say for sure who is responsible," Gleicher said in a call with press this afternoon. He added that Facebook found some overlap in the accounts' activity with a group of Iran-linked accounts taken down by the company in August. "Given the elections, we took action as soon as we’d completed our initial investigation and shared the information with US and UK government officials, US law enforcement, Congress, other technology companies, and the Atlantic Council’s Digital Forensic Research Lab," Gleicher said. He added that Facebook shared information not just with federal officials but with state and local election officials as well to keep them advised of any emerging threat.


Posted in Biz & IT, Facebook, influence campaign, Iran, midterm elections, Policy, Twitter