FireEye has published a new report that examines the activities of a hacking group likely based in Iran that has progressed from primarily defacing websites in 2009 to more sophisticated espionage attacks targeting U.S. Defense Organizations and Iranian Dissidents today.
Dubbed “Operation Saffron Rose” by FireEye, the report analyzes the group, which FireEye researchers are dubbing the Ajax Security Team, and suggests that the attackers’ methodologies have “grown more consistent with other advanced persistent threat (APT) actors in and around Iran following cyber attacks against Iran in the late 2000s.”
The Ajax Security Team uses malware tools that do not appear to be publicly available, the report said, and it is unclear to the researchers if the group operates alone or if they are a part of a larger coordinated effort.
“We have seen this group leverage varied social engineering tactics as a means to lure their targets into infecting themselves with malware,” the report said. “Although we have not observed the use of exploits as a means to infect victims, members of the Ajax Security Team have previously used publicly available exploit code in web site defacement operations.”
The attackers also circulate anti-censorship software that has been infected with malware.
“The objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, but we believe that members of the group may also be dabbling in traditional cybercrime,” the report explained. “This indicates that there is a considerable grey area between the cyber espionage capabilities of Iran’s hacker groups and any direct Iranian government or military involvement.”
“There is an evolution underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding its offensive cyber capabilities,” said Nart Villeneuve, senior threat intelligence researcher at FireEye. “We have witnessed not only growing activity on the part of Iranian-based threat actors, but also a transition to cyber-espionage tactics. We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets’ machines for longer-term initiatives.”
According to the report, FireEye Labs recently observed the Ajax Security Team conducting multiple cyber-espionage operations against companies in the defense industrial base within the U.S. The group also targets local Iranian users of Proxifier or Psiphon, which are anti-censorship technologies that bypass Iran’s Internet filtering system.
FireEye was able to indentify 77 victims from one command-and-control (CnC) server found while analyzing malware samples disguised as Proxifier or Psiphon.
According to victim data collected by FireEye:
• 44 had their time zone set to “Iran Standard Time,” and 37 of those also had their language set to Persian.
• Of the 33 victims that did not have an Iranian time zone setting, 10 had Persian language settings
• 12 of the victims had either Proxifier or Psiphon installed or running (all 12 had a Persian language setting, and all but one had their time zone set to “Iran Standard Time”)
Over the past year, another group called Izz ad-Din al-Qassam launched “Operation Ababil,” a series of DDoS attacks against many U.S. financial institutions including the New York Stock Exchange.
“While the relationship between actors such as the Ajax Security Team and the Iranian government is unknown, their activities appear to align with Iranian government political objectives,” the report concluded.
“While the Ajax Security Team’s capabilities remain unclear, we know that their current operations have been somewhat successful as measured by the number of victims seen checking into to an Ajax Security Team controlled CnC server. We believe that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term.”
“Iran has been a big concern for the US for some time, with their development of nuclear power means and the several year cyber attack against their government networks, be it from the U.S. or other countries,” Adam Kujawa, head of Malware Intelligence at Malwarebytes, told SecurityWeek in an emailed statement.
“While the malware being used by Iran is unique, it’s functionality is not novel, meaning that while it appears to have a cyber defense/attack presence, it is still far behind other countries like the U.S. or China,” Kujawa continued.
“Whether a nation state or a crime ring, these groups are smart, sophisticated, and well-funded,” added Eric Chiu, president and co-founder of HyTrust. “It also confirms that attacks are being carried out more and more from the inside — many of these groups use social engineering and APTs to steal employee credentials to gain access to corporate networks where they can install malware to steal data or cause damage. Given this emerging trend, companies really need to shift to an inside-out model of security and assume the bad guy is already on the network.”
The full report is available online.
*Updated with additional commentary.