Iran Times

Iran cyber attackers now stealing money

May 16, 2014

Iranian hackers have become increasingly aggressive and sophisticated, moving from disrupting and defacing US websites to stealing information and money, security experts told a conference sponsored by Reuters this week.

They are now targeting both American defense firms—to steal technology—and Iranians who use technology to try to evade Iranian web censorship—to put those Iranians back under state controls.

According to Silicon Valley-based cybersecurity company FireEye Inc., a group that FireEye has tagged as the “Ajax Security Team” has become the first Iranian hacking group known to use custom-built malicious software to launch espionage campaigns.

Ajax is behind an ongoing series of attacks on US defense companies and has also targeted Iranians who are trying to circumvent Tehran’s Internet censorship efforts, a FireEye report issued Tuesday said.

Leonard Moodispaw, chief executive of cybersecurity firm KEYW Corp, said Iranian hackers appeared to be increasingly spying and stealing money but are not yet launching Stuxnet-like destructive attacks.

“They are more interested in IP [Internet Protocols] and taking money than in shutting anybody down,” Moodispaw told the Reuters summit. KEYW’s biggest customers are US intelligence agencies.

Many security experts have said Iran is behind a series of denial-of-service attacks that disrupted the online banking operations of major US banks over the last two years. But those attacks have mainly been annoyances for the banks’ customers; they did not steal or destroy information or money.

Michael Hayden, former director of the CIA and the National Security Agency, told the Reuters Cybersecurity Summit Monday, “I’ve grown to fear a nation state that would never go toe-to-toe with us in conventional combat that now suddenly finds they can arrest our attention with cyber attacks.”

Security experts say Iranian hackers stepped up their campaigns against foreign targets in the wake of the Stuxnet attack on Tehran’s nuclear program in 2010. The Stuxnet computer virus is widely believed to have been launched by the United States and prompted Iran to ramp up its own cyber programs.

According to FireEye, the Ajax Security Team was formed by hackers known as “HUrr!c4nE!” and “Cair3x,” and began by defacing websites. The group became increasingly aggressive after Stuxnet, FireEye researcher Nart Villeneuve said.

“This is a good example of a phenomenon that we are going to increasingly see with hacker groups in Iran. If their objective is to attack enemies of the revolution and further the government’s objectives, then engaging in cyber espionage is going to have more impact than website defacements,” he said.

To foil Iranians who are sneaking around Iranian state Internet controls, Ajax hunts out and attacks Iranian users of Proxifier and Psiphon, two of the most popular anti-censorship tools.

One question invariably is whether Ajax is really Iranian or from somewhere else and just masquerading as Iranian. FireEye said it isolated 77 victims of Ajax attacks for using Proxifier or Psiphon. It said 44 of the victims had their system clocks set to “Iran Standard Time,” while 10 of those in other time zones had Persian language settings, showing that 70 percent of Ajax’s victims were likely Iranians.

In one recent campaign, the Ajax hackers infected computers of US defense companies by sending emails and social media messages to attendees of the IEEE Aerospace Conference directing them to a fake website called aeroconf2014.org, which was tainted with malicious software, FireEye said.

FireEye declined to name the companies that were targeted and said that it had not been able to determine what data might have been stolen.

The Ajax hackers used malicious software dubbed “Stealer” that sought to collect data about compromised computers and record keystrokes, according to FireEye. It could also grab screenshots and steal information from web browsers and email accounts.

“Stealer” encrypted that data, temporarily stored it on compromised machines, then sent it to servers controlled by the hackers.

Using “Stealer,” Ajax ran a separate operation that targeted people who were using software to try to circumvent Iran’s system for censoring content, FireEye said.

Villeneuve said FireEye had also uncovered evidence that Ajax engaged in credit card fraud, which he said suggests the hackers were not under the direct control of the Iranian government.
