Archive for the ‘Iran’ Category

Iranians indicted in Atlanta city government ransomware attack

December 5th, 2018
The message posted to social media by the city of Atlanta in the wake of an apparent ransomware attack. (credit: City of Atlanta)

The US Attorney's Office for the District of Northern Georgia announced today that a federal grand jury had returned indictments against two Iranian nationals charged with executing the March 2018 ransomware attack that paralyzed Atlanta city government services for over a week. Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri are accused of using the Samsam ransomware to encrypt files on 3,789 City of Atlanta computers, including servers and workstations, in an attempt to extort Bitcoin from Atlanta officials.

Details leaked by City of Atlanta employees during the ransomware attack, including screenshots of the demand message posted on city computers, indicated that Samsam-based malware was used. A Samsam variant was used in a number of ransomware attacks on hospitals in 2016, with attackers using vulnerable Java Web services to gain entry in several cases. In more recent attacks, including one on the health industry companies Hancock Health and Allscripts, other methods were used to gain access, including Remote Desktop Protocol hacks that gave the attackers direct access to Windows systems on the victims' networks.

The Atlanta attack was not a targeted state-sponsored attack. The attackers likely chose Atlanta based on a vulnerability scan. According to the indictment, the attackers offered the city the option of paying six Bitcoin (currently the equivalent of $22,500) to get keys to unlock all the affected systems or 0.8 Bitcoin (about $3,000) for individual systems. "The ransom note directed the City of Atlanta to a particular Bitcoin address to pay the ransom and supplied a web domain that was only accessible using a Tor browser," a Department of Justice spokesperson said in a statement. "The note suggested that the City of Atlanta could download the decryption key from that website." But within days of the attack, the Tor page became unreachable, and the City of Atlanta did not pay the ransom.


Stuxnet 2.0? Iran claims Israel launched new cyber attacks

November 5th, 2018
Iranian President Hassan Rouhani's phone calls were apparently intercepted in what Iran claims was one of a number of recent cyber attacks by Israel. (credit: Anadolu Agency / Getty Images)

Last week, Iran’s chief of civil defense claimed that the Iranian government had fought off Israeli attempts to infect computer systems with what he described as a new version of Stuxnet—the malware reportedly developed jointly by the US and Israel that targeted Iran’s uranium-enrichment program. Gholamreza Jalali, chief of the National Passive Defense Organization (NPDO), told Iran's IRNA news service, “Recently, we discovered a new generation of Stuxnet which consisted of several parts... and was trying to enter our systems.”

On November 5, Iran Telecommunications Minister Mohammad-Javad Azari Jahromi accused Israel of being behind the attack, and he said that the malware was intended to “harm the country’s communication infrastructures.” Jahromi praised “technical teams” for shutting down the attack, saying that the attackers “returned empty-handed.” A report from Iran’s Tasnim news agency quoted Deputy Telecommunications Minister Hamid Fattahi as stating that more details of the cyber attacks would be made public soon.

Jahromi said that Iran would sue Israel over the attack through the International Court of Justice. The Iranian government has also said it would sue the US in the ICJ over the reinstatement of sanctions. Israel has remained silent regarding the accusations.


How did Iran find CIA spies? They Googled it

November 2nd, 2018
When he left the CIA in 2011 to become secretary of defense, Leon Panetta (right) was leaving in the midst of a huge crisis for the CIA, according to a Yahoo News report: a breach in communications had exposed dozens of CIA assets in Iran and China. (credit: Central Intelligence Agency)

A covert "transitional" channel used for communicating with sources that Central Intelligence Agency handlers couldn't reach directly was exposed and infiltrated by Iranian intelligence in 2009. The breakdown in operational security—which apparently relied heavily on security through obscurity—was the result of Iranian intelligence officials simply using Google to locate the websites used as the communications channel after a double agent exposed the method used by the CIA, according to a report from Yahoo News' Zach Dorfman and Jenna McLaughlin.

Once a double agent presented information about a website the agent had been directed to in order to communicate with the CIA, Iranian intelligence apparently used aspects of the URL to search for other, similar websites. Iranian officials were reportedly able to rapidly identify a number of other such sites, which were set up as temporary communications systems for new, unvetted sources by the CIA. As a result, Iran's intelligence was able to quickly identify the Iranians communicating through those sites. The breach led to the roundup in 2011 of 30 people identified by Iran as CIA spies.

Further digging into these compromised sites may have exposed the identity of CIA personnel as well. During the same timeframe, Iranian intelligence officials were also directly approaching US CIA officers, trying to recruit them to be double agents.


Facebook yanks content tied to Iranian effort due to “inauthentic behavior”

October 26th, 2018

Today, Facebook took down 30 pages, 33 Facebook accounts, three Facebook groups, and 16 Instagram accounts that Facebook's head of Cybersecurity Policy Nathaniel Gleicher said were tied to an influence campaign by a group of actors in Iran.

"It’s still early days, and while we have found no ties to the Iranian government, we can’t say for sure who is responsible," Gleicher said in a call with press this afternoon. He added that Facebook found some overlap in the accounts' activity with a group of Iran-linked accounts taken down by the company in August. "Given the elections, we took action as soon as we’d completed our initial investigation and shared the information with US and UK government officials, US law enforcement, Congress, other technology companies, and the Atlantic Council’s Digital Forensic Research Lab," Gleicher said. He added that Facebook shared information not just with federal officials but with state and local election officials as well to keep them advised of any emerging threat.
