Iran is building up its cyber capabilities and the emergence of a group of hackers, dubbed APT33, has given rise to concerns the nation's cyberwarfare units are looking to launch destructive attacks on critical infrastructure, energy and military bodies.
The APT33 group has been operational since 2013 and has focused on the aerospace industry, successfully hacking aviation firms in the U.S. and Saudi Arabia in the last year, researchers at cybersecurity company FireEye warned Wednesday.
Petrochemical firms in South Korea and Saudi Arabia were also targeted, according to the firm's report. As part of its modus operandi, APT33 has sent phishing emails to its targets, typically convincing job adverts, much like other Iranian groups, including the most active of all, dubbed OilRig. The emails contained a malicious link that, once clicked, launched a backdoor on the target's PC.
This was no half-baked job, FireEye noted: the phishing emails were sent en masse throughout 2016, and the attackers' dedication to producing faithful facsimiles of real ads went as far as spoofing the companies' equal opportunity statements.
The hacker crew also registered domains of companies working in targets' regions, ostensibly to make their spear phishing emails appear legitimate. Those domains included references to Boeing and Northrop Grumman Aviation Arabia.
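One defensive check against the lookalike-domain tactic described above, as an added example that is not code from the FireEye report: it extracts the sender domain from a From: header and flags domains that embed a trusted aviation brand name or sit within two edits of the brand's real domain. The brand table, allow list, edit-distance threshold and sample headers are assumptions constructed for illustration, not indicators from the report.

```python
"""Flag inbound mail whose sender domain mimics a trusted aviation brand.

Added example for this article, not FireEye's or APT33's code. The brand
table, the allow list and the sample headers are all constructed assumptions.
"""
import re
from email.utils import parseaddr
TRUSTED = {"boeing": "boeing.com", "northropgrumman": "northropgrumman.com"}

# Constructed sample From: headers, not indicators from the report.
SAMPLE_HEADERS = [
    "HR <careers@boeing.com>",
    "Recruiting <jobs@northrop-grumman-aviation.example>",
    "Talent <hr@b0eing.example>",
    "Newsletter <news@example.org>",
]

def sender_domain(from_header: str) -> str:
    """Lowercase domain part of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].strip().lower() if "@" in addr else ""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(from_header: str) -> str:
    """Return 'allowed', 'lookalike' or 'other' for the sender's domain."""
    dom = sender_domain(from_header)
    if not dom:
        return "other"
    if any(dom == real or dom.endswith("." + real) for real in TRUSTED.values()):
        return "allowed"
    # Judge the leftmost label with separators stripped, so that
    # 'northrop-grumman-aviation.example' reduces to 'northropgrummanaviation'.
    label = re.sub(r"[^a-z0-9]", "", dom.split(".")[0])
    for brand, real in TRUSTED.items():
        if brand in label or edit_distance(label, real.split(".")[0]) <= 2:
            return "lookalike"
    return "other"

def triage(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its verdict; 'lookalike' hits deserve a closer look."""
    return {h: classify(h) for h in headers}
```

A short legitimate label that happens to be within two edits of a brand label will also be flagged, so the verdict is a triage signal for review, not a block decision.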
Appetite for destruction
Of particular concern to John Hultquist, head of cyberespionage research at FireEye, is that APT33 is building up to more destructive attacks. His team found evidence that DropShot - one of the group's malware used to launch further hacker tools on target systems - was linked to a destructive tool called ShapeShift.
ShapeShift (also known as StoneDrill) was previously found by Russian cybersecurity firm Kaspersky to be an updated version of the Shamoon worm, which wiped computers at major businesses, most notoriously taking out 30,000 systems at oil giant Saudi Aramco in 2012. Whilst FireEye identified multiple DropShot samples that tried to install ShapeShift, it hadn't amassed evidence of successful attacks, nor does it believe APT33 is part of the same specific group as the Shamoon attackers.
But Hultquist fears Iran could hit the kill switch inside infected organizations just as happened with Saudi Aramco. "When they get more aggressive or want to do more destructive attacks, they tend to go for critical infrastructure," he said. "Iran has definitely focused heavily on disruption and destruction in the energy sector. That's why we believe they're not there for information gathering... It's very likely they are pursuing the same direction as we've seen the Russians use."
Russian government hackers have been blamed for energy blackouts in Ukraine, whilst cybersecurity experts recently rang alarm bells over a newly developed cyberespionage tool called CrashOverride. It's feared the malware, capable of causing similarly catastrophic attacks on energy firms, could be turned on America's power resources.
Rob M. Lee, CEO of industrial cybersecurity firm Dragos, says his firm has also been tracking activity around the Shamoon attackers. "It's definitely very aggressive.... but it's messy," said Lee, a former NSA intelligence analyst. "It's effective but you're not looking at CrashOverride craftsmanship... [they're] going to get mission success but it's not going to be pretty."
Joe Slowik, senior threat analyst at Dragos, said the group was expanding out of its normal operations in the Middle East, with signs its malware has reached as far as South Korea, Pakistan, Israel and the U.K. "We have an actor or agent who has previously taken no concern in taking down infrastructure," he said, referring to the Saudi Aramco attack. "If they've been willing to go that far once… that's what makes me concerned." Over the last three to four months, the hackers have also shown signs of targeting more government entities, he added.
Lee noted that there was no immediate threat to the U.S., however, and there was no indication the hackers were targeting the industrial control systems that actually manage power access. But, as Slowik noted, the hackers who took down Ukraine's power systems in 2015 were using Windows PC malware, BlackEnergy, to find a way to cause a blackout. And that's the main worry about the latest Iranian-linked hacks.
A 'shadowy' contractor
FireEye also believes it has identified an Iranian contractor linked to APT33. The clue came in a name - xman_1365_x - left in the comments of the hackers' backdoor, named TurnedUp. Hultquist said his team found xman_1365_x was linked to the Nasr Institute, an organization closely linked to Iran's cyberwarfare operations. The Nasr Institute has also been connected to a barrage of distributed denial of service (DDoS) attacks on banks across America between 2011 and 2013, in a campaign called Operation Ababil, Hultquist added.
In March 2016, the U.S. named Iranian contractors, most notably little-known organizations ITSecTeam and Mersad Company, in indictments for the DDoS attacks. Iran denied involvement in those attacks. The Iranian embassy in London hadn't responded to enquiries about the FireEye report.
Hultquist described the Nasr Institute as "shadowy." "It's a name that often comes up when you're talking about Iranian actors. It appears to overlap with the Iranian government," Hultquist added. "It's shadowy and that's probably deliberate." Alongside the widespread use of personas across Facebook and LinkedIn, Iran's hackers are actively infiltrating myriad industries. And, despite the Nasr Institute's shadiness, in recent months the regime doesn't appear to care who knows it.