CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Nation-State

Iranian Hackers Lurked for 8 Months in Government Network

Iran-linked hacking group Crambus spent eight months inside a compromised network of a Middle Eastern government, Broadcom’s Symantec cybersecurity unit reports.

Cyber Av3ngers hackers

Iran-linked hacking group Crambus spent eight months inside a compromised network of a Middle Eastern government, Broadcom’s Symantec cybersecurity unit reports.

Symantec uses the Crambus name for clusters of activity that other cybersecurity firms are tracking as APT34 (also known as Cobalt Gypsy, OilRig, and Helix Kitten), and MuddyWater (aka Mango Sandstorm, Mercury, Seedworm, and Static Kitten).

Both APT34 and MuddyWater engage in espionage operations to support the objectives of the Iranian government, and MuddyWater was previously linked by US Cyber Command to Iranian intelligence.

As part of a recently identified attack, Crambus lurked between February and September 2023 in the compromised network of the government of a Middle Eastern country, stealing data and credentials, and deploying malware on multiple systems.

The attack started on February 1 with the execution of a PowerShell script on a single system. Malicious activity started on a second compromised system a few days later, and on a web server towards the end of February. In April, the attackers started executing commands on a domain controller.

While malicious activity was seen only on these systems until August, a second web server and additional systems were compromised toward the end of August and into September.

“Malicious activity occurred on at least 12 computers and there is evidence that the attackers deployed backdoors and keyloggers on dozens more,” Symantec says.

As part of the attack, Crambus installed a PowerShell backdoor dubbed PowerExchange, which can access Microsoft Exchange Servers using hardcoded credentials to monitor for emails sent by the attackers and execute PowerShell commands, write files, and steal files.

Advertisement. Scroll to continue reading.

Additionally, the attackers used the network administration tool Plink to set port-forwarding rules and enable access via the Remote Desktop Protocol (RDP), and modified firewall rules to ensure remote access.

In addition to the PowerExchange backdoor, Crambus was seen deploying three new malware families, namely the Tokel backdoor (for PowerShell command execution and file download), the Dirps trojan (PowerShell command execution and file enumeration), and the Clipog infostealer (clipboard data theft, keylogging, and logging of processes where keystrokes are entered).

Related: Microsoft: Iranian Gov Hackers Caught in Azure Wiper Attacks

Related: Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability

Related: Iranian Cyberspies Target US-Based Think Tank With New macOS Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.

Register

As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.

Register

Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cyberwarfare

Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Nation-State

Microsoft blames a “Russian-based threat actor” for in-the-wild attacks hitting its flagship Microsoft Outlook and has released a detection script to help defenders.

Cyberwarfare

While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea...

Nation-State

A China-linked hackers are exploiting a vulnerability (CVE-2022-42475 ) in Fortinet FortiOS SSL-VPN, Mandiant claims.

Nation-State

Microsoft says it has evidence that Russian APT actors were exploiting a nasty Outlook zero-day as far back as April 2022, upping the stakes...