Advanced threat activities by Iran-linked group: FireEye

• Attacks targeting US defence organisations and Iranian dissidents
• Also targets users of anti-censorship technologies Proxifier or Psiphon

SECURITY specialist FireEye Inc has released Operation Saffron Rose, a research report detailing the activities of a cyber-espionage group likely based in Iran.
 
The group, which FireEye researchers are dubbing the Ajax Security Team, has progressed from mostly defacing websites in 2009 to full-blown espionage against Iranian dissidents and US defence firms today, FireEye said in a statement.
 
Evidence in the report suggests that Ajax’s methodologies have grown more consistent with other advanced persistent threat (APT) actors in and around Iran following cyber-attacks against the nation in the late 2000s.
 
“There is an evolution underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding its offensive cyber capabilities,” said Nart Villeneuve, senior threat intelligence researcher at FireEye.
 
“We have witnessed not only growing activity on the part of Iranian-based threat actors, but also a transition to cyber-espionage tactics.
 
“We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets’ machines for longer-term initiatives,” he said.
 
The targets of Operation Saffron Rose include Iranian dissidents and US defence organisations, FireEye said.
 
FireEye Labs recently observed the Ajax Security Team conducting multiple cyber-espionage operations against companies in the defence industrial base within the United States.
 
The group also targets local Iranian users of Proxifier or Psiphon, which are anti-censorship technologies that bypass Iran’s Internet filtering system.
 
Whether the Ajax Security Team operates in isolation or as part of a larger government-coordinated effort is unclear, FireEye said.
 
The team uses malware tools that do not appear to be publicly available or used by any other threat groups. This group uses varied social engineering tactics to lure targets into infecting their systems with malware.
 
Although FireEye Labs has not observed the Ajax Security Team using zero-day attacks to infect victims, members of the Ajax Security Team have previously used publicly available exploit code to deface websites.
 
FireEye uncovered information on 77 victims from one command-and-control (CnC) server found while analysing malware samples disguised as Proxifier or Psiphon. Analysing data on the victims, FireEye found that a large concentration had their time zones set to ‘Iran Standard Time’ or language set to Persian.
 
Iran has been publicly identified in advanced cyber-attacks since 2009, when the plans for a new US presidential Marine Corps One helicopter were found on a file-sharing network in Iran.
 
In 2010, the ‘Iranian Cyber Army’ disrupted Twitter and the Chinese search engine Baidu, redirecting users to Iranian political messages.
 
In 2013 the Wall Street Journal reported that Iranian actors had increased their efforts to compromise US critical infrastructure, and finally, over the past year, another group called Izz ad-Din al-Qassam launched ‘Operation Ababil,’ a series of DDoS (Distributed Denial of Service) attacks against many US financial institutions including the New York Stock Exchange.
 
A PDF of the Operation Saffron Rose report is available here and a related blog post is here.
 
Related Stories:
 
Govt malware: Why and how it’s used, and is it cyber-war?
 
Bitcoin wallet attacks surge, cyber-espionage ops resurrected: Kaspersky
 
Mikko’s world: Governments, factories and washing machines
 
Stuxnet, Flame and the new world disorder
  
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.