Iran Hackers ‘Hitting Dissidents And US Defence’

Most victims of Iranian hacker crews based inside the country, as attackers take up digital espionage in earnest, researchers find

Security researchers have noted a rise in the sophistication of digital attacks stemming from Iran, after incidents involving US defence and dissidents within and outside the country.

In particular, a group known as the Ajax Security Team has been carrying out website defacements since 2010, but has moved to malware-based attacks in recent months.

Iran hitting up dissidents

Cyber espionage - © pzAxe - ShutterstockIt has targeted Iranian users of anti-censorship technologies that bypass Iran’s Internet filtering system, such as Psiphon, Ultrasurf, Proxifier and GerdooVPN.

Looking at the command and control infrastructure for malware samples that were disguised as anti-censorship tools, FireEye researchers found 77 victims. Most appear to have been based in Iran itself.

Typical social engineering tactics have been used by the Ajax team. In one case, a fake page for the 2014 the IEEE Aerospace Conference was set up as a lure to trick targets into installing malware.

Convincing password phishing pages have been created by the hacking crew too, including fake Outlook Web Access and VPN login sites.

The hackers are using their own malware, written in .NET, which they’ve named “Stealer”. It collects system information, takes screenshots, carries out keylogging and pilfers usernames and passwords.

Iran has been growing its cyber capability since the Iranian Cyber Army emerged in 2009. It’s also believed Iran has been heavily investing in digital offence and defence partly because of the Stuxnet attacks that disrupted one of the country’s nuclear plants in the late 2000s, as revealed in 2010.

“We believe that Iran is increasingly reaching to hacker groups within the country,” Nart Villeneuve, senior threat intelligence researcher at FireEye, told TechWeekEurope.

“The capabilities of the Ajax Security Team are unclear — they have used a variety of clever social engineering techniques to deliver their malware, the malware itself is not publicly available but the malware’s overall capability is somewhat limited. That said, it provides all the functionality they need to conduct successful attacks.

“Public statements by both US and Iranian officials indicate that Iran is pursuing both offensive and defensive cyber capabilities.”

FireEye suspects some members of the Ajax crew are also involved in cyber crime. One member, HUrr!c4nE!, has been “flagged for possible fraud” against a retailer, according to the researchers.

How well do you know network security? Try our quiz and find out!