Iran-Sponsored Hackers Have Targeted Israel, Saudis, Turkey Since 2014

Hackers linked to the Iranian government have conducted a long-term cyberespionage operation against government and industry in Israel, Kuwait, Lebanon, Qatar, Saudi Arabia, Turkey and the United Arab Emirates, according to FireEye, a cybersecurity firm, NBC News reports.

In a new report, FireEye says the operation by the group it dubs APT34 is “largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014.” The Middle East targets include government agencies and private industries, including financial, energy, chemical and telecommunications sectors, the company says.

FireEye bases its assessment that APT34 works on behalf of the Iranian government on clues that include references to Iran, the use of Iranian infrastructure and targeting that aligns with Iran’s interests.  The hackers sometimes breached networks through spearphishing, a technique designed to get users to open a file in email that secretly installs malware on their computer.

“APT34 is a proficient threat group that has proven particularly effective at leveraging spearphishing emails and social engineering to compromise target networks. The group has continually refined and enhanced its tactics, techniques and procedures to successfully target victims and once in a victim’s environment moves rapidly to dump credentials, establish persistence and conduct extensive reconnaissance to facilitate successive operations,” said Nicholas Richard, principal threat intelligence analyst at FireEye.

U.S. intelligence officials have long considered Iran to be a highly capable adversary in cyberspace. In 2013, hackers from Iran’s Islamic Revolutionary Guards Corps infiltrated the computer controls of a small dam 25 miles north of New York City, according to American officials.

The international intelligence agency always has a keen interest in Iran’s hacking activity. And new research published by the security firm FireEye on Thursday indicates the country’s efforts show no signs of slowing. In fact, a new network reconnaissance group— FireEye calls them Advanced Persistent Threat 34—has spent the last few years burrowing deep into critical infrastructure companies.

Given how aggressively Iran has pursued infrastructure hacking, previously targeting the financial sector and even a dam in upstate New York, the new findings serve as a warning, and highlight the evolving nature of the threat.

FireEye researchers tracked 34 of the group’s attacks on institutions in seven Middle Eastern countries between 2015 and mid-2017, but says APT 34 has been operational since at least 2014. The group appears to target financial, energy, telecommunications, and chemical companies, and FireEye says it has moderate confidence that its hackers are Iranians. They log into VPNs from Iranian IP addresses, adhere to normal Iranian business hours, their work has occasionally leaked Iranian addresses and phone numbers, and their efforts align with Iranian interests.

There isn’t definitive evidence of a direct link between APT 34 and APT 33, an Iranian hacking group and malware distributor FireEye published findings on in September. But researchers have seen APT 34 operating concurrently inside many of the same target networks as other Iranian hackers.

”The more we divulge things we know about them, the more they’ll shift and change. We have seen, and this is with a lot of the Iranian actors, a very disconcerting or aggressive posture towards critical infrastructure organizations. APT 33 has targeted a lot of organizations in critical infrastructure in the Middle East and so has APT 34. They obviously represent opportunities for intelligence collection. But we always have to think about the alternative use of those intrusions or accesses as possible means for disruption and destruction, especially given the destructive incidents we’ve already seen with other Iranian actors,” says John Hultquist, director of intelligence analysis at FireEye.

To establish what Hultquist describes as beachheads, APT 34 uses involved operations to move deeper and deeper into a network, or exploit a toehold within one organization to pivot into another

While the APT 34 Iranian hacking activity doesn’t appear to target the United States, any Iranian efforts in that space are noteworthy. The countries have a long history of cyber antagonism, which includes the deployment of Stuxnet, malware thought to be a product of the NSA and their Israeli counterparts, to cripple Iran’s uranium enrichment activities. Tensions between the countries have escalated recently as well, with President Donald Trump recently taking steps to decertify the nuclear agreement between the U.S. and Iran.

APT 34 uses malicious Excel macros and PowerShell-based exploits to move around networks. In this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882, which affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. It was patched by Microsoft on November 14.

“The vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas.  The Equation Editor is embedded in Office documents using object linking and embedding (OLE) technology. It is created as a separate process instead of child process of Office applications. If a crafted formula is passed to the Equation Editor, it does not check the data length properly while copying the data, which results in stack memory corruption. As the EQNEDT32.exe is compiled using an older compiler and does not support address space layout randomization (ASLR), a technique that guards against the exploitation of memory corruption vulnerabilities, the attacker can easily alter the flow of program execution,” ,” FireEye explained.

This surge in digital espionage – which has predominantly come in the form of spearphishing emails, strategic web compromises and breached social media accounts distributing malware – saw Iranian groups attempt to covertly gather business secrets and sensitive personal communications, according to Eyal Sela, head of threat intelligence with cybersecurity company ClearSky Security.

The targeted organizations range in location, with some strictly based in the U.S., some U.S.-based with locations in the Middle East and others solely located in Europe. Among the hardest hit were U.S. companies with a presence in the Middle East.

FireEye and ClearSky are not the only firms to notice a spike in activity. Blake Darché, co-founder of U.S. cybersecurity firm Area 1 Security, said the company has “observed a considerable increase in Iranian targeting operations.” CrowdStrike, another large U.S. cybersecurity firm with international clients, also said Iran-backed hacking operations skyrocketed in 2017.

Adam Meyers, vice president of intelligence with CrowdStrike, said this escalation was perhaps most evident within the Middle East, where Iran’s relations with its geographic rivals like Saudi Arabia have deteriorated.

ClearSky recently found evidence connecting two previously attributed groups to attacks against individuals living in several countries, including Iran, the U.S., Israel, the UK, the United Arab Emirates and India. Commonly known as “Charming Kitten” and “Rocket Kitten,” the Iranian groups targeted individuals involved with academia, human rights or media, the company said.