Hack attacks spark Iranian cyber threat concerns
Experts are sounding the alarm about new cyber activity from Iran, as hackers become more emboldened and skilled at carrying out surveillance operations and other attacks outside the country’s borders.
In recent years, Iran-linked hacker groups have shown signs of growing sophistication, expanding their cyber tool kits and stepping up operations against new international targets, including targets in the Middle East and the United States.
Iran’s growing ambitions, coupled with the geopolitical climate, have led some to warn of the future threat.
“There’s definitely a lot of fear by the intelligence agencies and lots of security companies about what Iran is going to do."
Cybersecurity professionals have detected Iranian hackers breaking into networks of defense contractors, aviation firms, oil and gas companies, technology companies and telecommunications providers.
In February, cybersecurity firm Symantec revealed that the Iran-based hacking group dubbed “Chafer” had expanded spy operations to new targets across numerous sectors in Israel, the United Arab Emirates, Saudi Arabia, and Turkey, and successfully compromised a major telecommunications provider in the Middle East.
The group also began using several new hacking tools over the past year, including leveraging the “EternalBlue” exploit reportedly stolen from the National Security Agency (NSA) by another hacker group.
While Symantec has no definitive evidence linking “Chafer” to the Iranian government, Vikram Thakur, the firm’s security response technical director, said the group’s targets — which include companies in the aviation sector — suggest a government motivation because the information would be more valuable in the public versus private sector.
“What we’ve noticed of the overall picture is that the quantity of attacks originating from that geography is much, much higher than seven or eight years ago,” Thakur said. “In the coming years, we’d expect Chafer as well as other cyber actors originating from Iran to continue increasing their volumes of attack as well as their list of victims.”
In many cases, Iran-linked cyber activity is limited to intelligence operations. But some groups have also shown signs of destructive capabilities.
Last September, FireEye identified a new Iranian hacking group that’s been dubbed “Advanced Persistent Threat 33,” or APT 33, that had been quietly conducting spying operations since at least 2013 against organizations in the U.S., Saudi Arabia, and South Korea. The group has a particular eye toward the military, commercial aviation and energy sectors.
FireEye found evidence that APT 33 is capable of carrying out destructive attacks, linking it to a destructive “wiper” malware that can delete files.
Iran has a long history of malicious activity in cyberspace. U.S. officials suspected Iran in the 2012 cyber assault against Saudi Arabian oil giant Saudi Aramco, in which hackers used destructive malware called “Shamoon” to wipe computer networks of data and replace the files with an image of a burning U.S. flag.
A new variant of the malware resurfaced in late 2016, infiltrating other Saudi Arabian computer systems. FireEye traced the 2016 activity back to Iran, though did not attribute it to a specific threat group.
The Justice Department has also indicted seven Iranians believed to have been working at the behest of Tehran’s government for conducting distributed-denial-of-service attacks on U.S. financial institutions between 2011 and 2013, as tensions ran high over sanctions on Iran’s nuclear program.
Much of the attention in Washington has lately focused on the cyber threat from Russia, following Moscow’s interference in the 2016 presidential election.