Forensic probe: cyber attacks linked to Iranian state hackers
Frankfurt — Hackers thought to be linked to Iran’s government are behind attacks on Saudi and other western aerospace and petrochemical firms, signalling a rise in Iranian cyber-spying abilities, US security firm FireEye says.
A FireEye report dubbed the new hackers’ group APT33 and detailed evidence of its activities since 2013 in seeking to steal military and aerospace secrets, while also gearing up for attacks with potential to bring down entire computer networks.
Iran’s Islamic Revolutionary Guard unit was not immediately available for comment when contacted by Reuters.
FireEye identified APT33 after it was called in to conduct a forensic investigation into cyber attacks on a US aviation organisation, a Saudi business conglomerate with aviation holdings and a South Korean group with interests in oil refining and petrochemicals. FireEye declined to name the firms.
In a separate move, the US Treasury department last week named two hacking networks and eight individuals in Iran, accusing them of taking part in cyber-enabled attacks on the US financial system.
FireEye said APT33 was the first state-backed group from Iran to join a sanctions list it had compiled over the past decade that identified campaigns by Chinese, Russian and North Korean cyber spies. APT stands for "advanced persistent threat".
"Iranian fingerprints are all over this campaign, and government fingerprints in particular," John Hultquist, FireEye’s director of cyber espionage analysis, said. "We are seeing a lot of activity that seems to be classic cyber espionage."
APT33 shared some tools with, but appeared to be distinct from, 15 hacking groups with Iranian ties that security researchers had identified with names like "Shamoon", "Rocket Kitten" and "Charming Kitten", he said.
The kitten nomenclature reflected the low level of respect once accorded to Iran’s hacking capabilities, some experts have said.
The attacks against the Saudi and South Korean groups occurred as recently as May and used e-mail credential phishing techniques that involved posting fake job vacancies for Saudi oil jobs to lure corporate victims, FireEye said.
Iranian cyber espionage had grown in sophistication since he first spotted Iranians conducting rudimentary attacks on the US state department in 2008, FireEye CEO Kevin Mandia said.
Iran had scaled up its cyber capacities since the US and Israel carried out a cyber assault on Iran in 2010 aimed at disabling centrifuges in its nuclear programme, the FireEye CEO noted.