Increasing Sophistication of Iranian Attack Tactics Has Striking Similarities With How Chinese Hacker Groups Have Evolved
When it comes to cyber-espionage and nation-state attacks, the accusing finger generally points at China. Last week's report from FireEye indicates that China is not alone, as Iranian cybersecurity capabilities continue to grow, posing a greater threat to U.S. interests.
Iranian cyber-attackers are increasingly moving away from politically motivated attacks such as website defacement toward cyber-espionage, targeting the U.S. defense industry sector, FireEye researchers outlined in the "Operation Saffron Rose" report. What was lost—or glossed over—in the rush to discuss the actual tactics used by these attack groups was the fact that this shift in sophistication has striking similarities with how Chinese attack groups evolved over the past few years.
"We believe that hacker groups in Iran are shifting from website defacements to cyber-espionage, much like Chinese hacker groups did in the past," FireEye researchers told SecurityWeek.
Iran's technological capabilities are growing quickly, and if the pattern seen in China holds, there will be "even more complex and dangerous malware originating from Iran and similar countries," said Adam Kujawa, head of Malware Intelligence at Malwarebytes. The Iranian government will invest in more custom-developed malware, buy zero-day exploits, and employ in-house teams of hackers and programmers to focus on specific areas of interest or targets, he said.
"Within the next 10 years, I think we are going to consider them a serious problem for government networks if this trend continues," Kujawa said.
Rewards and Motivations
The transition from ideologically motivated website defacements to more sophisticated online actions is typical among patriotic hacking groups, FireEye said in the report. It's likely the members—like their earlier Chinese counterparts—discovered that cyber-espionage was "more rewarding," the report said.
This echoes a recent conversation with JJ Thompson, CEO of Rook Consulting, on how cybersecurity skills are intertwined with patriotism.
Thanks to the abundance of information available online, the barrier to entry for a curious and motivated individual is fairly low. In a country like China, where the welfare of the state is paramount, someone using these capabilities to "defend" the state would be a hero, Thompson noted. At first, it may just be disruptive, annoying behavior, but as the person learns to do more, there is a greater likelihood of being able to do something—steal some highly classified intellectual property, for example—that would be richly rewarded. This is a powerful motivator, Thompson noted.
"Cyber-espionage/warfare capabilities are the new nuclear arms war," Thompson told SecurityWeek. Iran was "embarrassed" by Stuxnet—believed to have been crafted and orchestrated by the United States—and FireEye's report is just an indication that Iran is "now emerging confident enough" in the team's capabilities, Thompson said.
The shift from political hacking to cyber-espionage described by FireEye is also similar to the description of the "seven circles" of hacking in the "cyber-Inferno" outlined by Eugene Kaspersky, CEO of Kaspersky Lab, in a March presentation at Georgetown University.
In Kaspersky's view, "Limbo," or the first circle, referred to researchers and hobbyists experimenting and playing with malicious code. As they refined their skills and learned new techniques, some of the malicious-minded entered the second circle as "hooligans" intent on wreaking havoc just because they could. The next few circles referred to cybercrime, as attackers learned they could make money with these skills; then politically motivated hacking, as attackers lent their capabilities to causes they believed in; and then cyber-espionage, as attackers realized bigger and better rewards were available.
The final two circles are devoted to nation-state and military attackers and terrorists, Kaspersky said.
Looking at this outline of the modern cyber-threat landscape, it's clear that China is already at the level of military and nation-state attacks. FireEye's report hints that Ajax Security Team was dabbling in cybercrime (the third circle) while making the jump from politically motivated attacks to cyber-espionage. The first jump has already happened, and Iranian nation-state attacks can't be too far behind.
Considering the pattern, U.S. organizations would be severely shortsighted if they did not pay attention to groups from other countries or consider the role national pride may play in cyberattacks.
Actual Objectives Still Unknown
While Mandiant, now a division of FireEye, identified definitive links between attack groups and the Chinese government in a report last year, this FireEye report did not speculate on the relationship between Ajax Security Team and the Iranian government. While the group's activities "appear to align with Iranian government political objectives," it's too early to link the two, because "politically-motivated hacking can take place without any direct state-involvement," FireEye said. Even though the group's motivations and objectives are still unclear, the fact that it is using malware that can steal passwords, log keystrokes, and take snapshots of the desktop of infected computers indicates it is developing data-theft capabilities.
That Iranian attackers are following the same progression as the Chinese is doubly interesting in light of the U.S. Department of Justice charging five Chinese military hackers, accusing them of stealing trade secrets and other proprietary or sensitive information. Considering it's unlikely the Chinese government would give up members of its military to stand trial in the U.S., this may just result in "a lot of posturing by both countries," said Tom Bain, senior director of security strategy at CounterTack. It may also indicate how the U.S. will deal with other cyber-spies in the future.
FireEye focused on only one group in its report, but Ajax Security Team is not the only one making this transition to data theft and nation-state attacks. Mandiant released a report in April warning that Iranian groups—which FireEye said were not Ajax Security Team—were targeting U.S. energy firms. Some U.S. officials also believe the Shamoon virus, which wiped and destroyed the hard drives of infected computers at Saudi energy firm Aramco in 2012, was created by the Iranians.
That raises the question: if it was the Chinese yesterday and the Iranians today, who will be next tomorrow?
Kujawa noted that Syrian attack groups were already using malware such as the Blackshades Remote Access Trojan to collect intelligence against their enemies. The pro-government Syrian Electronic Army has compromised several media organizations and taken over Twitter accounts in the past year. Other governments have been making custom malware "for years and using it against rival economical systems as well as governments for intelligence collection purposes," he said.
"This is the face of intelligence gathering for the 21st century, just as listening in on encrypted radio transmissions was for the post-WWII period," Kujawa said.