FireEye has published a new report that examines the activities of a hacking group likely based in Iran that has progressed from mostly defacing websites in 2009 to more sophisticated espionage attacks targeting U.S. defense organizations and Iranian dissidents today.
Dubbed “Operation Saffron Rose” by FireEye, the report analyzes the group, which FireEye researchers are dubbing the Ajax Security Team, and suggests that the attackers’ methodologies have “grown more consistent with other advanced persistent threat (APT) actors in and around Iran following cyber attacks against Iran in the late 2000s.”
The Ajax Security Team uses malware tools that do not appear to be publicly available, the report said, and it is unclear to the researchers if the group operates alone or if they are a part of a larger coordinated effort.
“We have seen this group leverage varied social engineering tactics as a means to lure their targets into infecting themselves with malware,” the report said. “Although we have not observed the use of exploits as a means to infect victims, members of the Ajax Security Team have previously used publicly available exploit code in web site defacement operations.”
The attackers also circulate anti-censorship software that has been infected with malware.
“The objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, but we believe that members of the group may also be dabbling in traditional cybercrime,” the report explained. “This indicates that there is a considerable grey area between the cyber espionage capabilities of Iran’s hacker groups and any direct Iranian government or military involvement.”
“There is an evolution underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding its offensive cyber capabilities,” said Nart Villeneuve, senior threat intelligence researcher at FireEye. “We have witnessed not only growing activity on the part of Iranian-based threat actors, but also a transition to cyber-espionage tactics. We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets’ machines for longer-term initiatives.”
According to FireEye, the targets of Operation Saffron Rose include Iranian dissidents and U.S. defense organizations. FireEye Labs recently observed the Ajax Security Team conducting multiple cyber-espionage operations against companies in the defense industrial base within the U.S. The group also targets local Iranian users of Proxifier or Psiphon, which are anti-censorship technologies that bypass Iran’s Internet filtering system.
FireEye was able to identify 77 victims from one command-and-control (CnC) server found while analyzing malware samples disguised as Proxifier or Psiphon.
According to victim data collected by FireEye:
• 44 had their time zone set to “Iran Standard Time,” and 37 of those also had their language set to Persian.
• Of the 33 victims that did not have an Iranian time zone setting, 10 had Persian language settings.
• 12 of the victims had either Proxifier or Psiphon installed or running (all 12 had a Persian language setting, and all but one had their time zone set to “Iran Standard Time”).
Over the past year, another group called Izz ad-Din al-Qassam launched “Operation Ababil,” a series of DDoS attacks against many U.S. financial institutions including the New York Stock Exchange.
“While the relationship between actors such as the Ajax Security Team and the Iranian government is unknown, their activities appear to align with Iranian government political objectives,” the report concluded.
“While the Ajax Security Team’s capabilities remain unclear, we know that their current operations have been somewhat successful as measured by the number of victims seen checking in to an Ajax Security Team controlled CnC server. We believe that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term.”
The full report is available online.
Mike Lennon, Managing Editor, SecurityWeek.