An Iranian hacking group has moved from politically motivated website defacements to a new specialty – cyberespionage.
The group known as the Ajax Security Team has been outed as the perpetrators of a number of espionage operations against U.S.-based defense contractors in addition to targeting Iranians using software that bypasses the country’s Internet filters.
Security company FireEye reported today that the Ajax Security Team uses custom-built malware in its attacks, and is adept at social engineering as a means of infecting targets.
“The transition from patriotic hacking to cyber espionage is not an uncommon phenomenon. It typically follows an increasing politicization within the hacking community, particularly around geopolitical events,” researchers Nart Villeneuve, Ned Moran, Thoufique Haq and Mike Scott wrote today. “This is followed by increasing links between the hacking community and the state, particularly military and/or intelligence organizations.”
Iranian hacker groups have long been suspected in the attacks against Saudi Aramco using wiper malware known as Shamoon which destroyed more than 30,000 workstations at the oil plant in Saudi Arabia. FireEye said Iran’s offensive hacking capabilities have evolved since the country’s nuclear and political resources were targeted by Stuxnet and Flame.
The attackers, like most in advanced persistent threat-style campaigns, try to trick victims into either installing malware on computers or giving up credentials. In a campaign disclosed by FireEye called Operation Saffron Rose, the Ajax Security Team used email, private messages over various social networks, phony log-in pages and peddling of anticensorship software spiked with malware that allows them to monitor victims and exfiltrate data from their machines.
The lure in attacks against the defense industrial base, for example, was a phony registration page impersonating the IEE Aerospace conference. The group registered a domain similar to the legitimate conference domain and emailed targets a link to their site. Once on the site, a popup directs the victim to install proxy software in order to access the site and register. The software is malicious, FireEye said.
The attackers also used phishing emails looking to gather up credentials for a variety of online services such as Outlook Web Access and VPN logins.
FireEye said the hackers use homegrown malware they call Stealer. A dropper leaves behind malware called IntelRS.exe and other components that encrypt stolen data, steal browser information such as bookmarks and history, steal data via FTP and drop keylogger and screenshot-grabbing tools. The malware also collects system information such as running processes, IP addresses and lots more.
The operation dates back to late last year, and was active as recently as April 8, FireEye said.
FireEye said it has information on 77 victims from one of the attackers’ command and control servers. Most of the victims’ machines in the attacks peddling spiked anticensorship tools were set to Iran Standard Time or had a Persian language setting.
“We believe that attackers disguised malware as anti-censorship tools in order to target the users of such tools inside Iran as well as Iranian dissidents outside the country,” the researchers said.
FireEye also identified the founding members of the team, hackers known as HUrr!c4nE and Cair3x, both of whom were known for website defacements and were members of different Iranian hacker forums. The researcher said the pair, including others prominent on Iranian forums have become increasingly political, targeting the U.S. and Israel in particular in blogposts. Their activity, however, has been minimal since early this year, FireEye said.
“While the objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, the relationship between this group and the Iranian government remains inconclusive,” the researchers said. “For example, the Ajax Security Team could just be using anti-censorship tools as a lure because they are popular in Iran, in order to engage in activities that would be considered traditional cybercrime.”