While hackers linked to China, North Korea and Russia have dominated headlines over the past year, similar groups in Iran have caused significant damage while drawing far less attention.
Multiple cyber-espionage groups attributed to Iran became increasingly active over the last 12 months, as at least four entities with ties to the regime have broken into a wide array of organizations, according to private sector cybersecurity experts and three former U.S. intelligence officials with knowledge of regional activity.
“For the first time in my career, I’m not convinced we’re responding more to Russia or China,” FireEye CEO Kevin Mandia said in a report published by the company on Thursday. “It feels to me that the majority of the actors we’re responding to right now are hosted in Iran, and they are state-sponsored.”
This surge in digital espionage — which has predominantly come in the form of spearphishing emails, strategic web compromises and breached social media accounts distributing malware — saw Iranian groups attempt to covertly gather business secrets and sensitive personal communications, according to Eyal Sela, head of threat intelligence with cybersecurity company ClearSky Security.
The targeted organizations range in location, with some strictly based in the U.S., some U.S.-based with locations in the Middle East and others solely located in Europe. Among the hardest hit were U.S. companies with a presence in the Middle East.
FireEye and ClearSky are not the only firms to notice a spike in activity. Blake Darché, co-founder of U.S. cybersecurity firm Area 1 Security, said the company has “observed a considerable increase in Iranian targeting operations.”
Charles Carmakal, a vice president with FireEye subsidiary Mandiant, told CyberScoop that the incident response company is currently handling multiple U.S.-based data breaches caused by Iranian hacking groups. He noted that while there have been several destructive cyberattacks in the Middle East this year, Iran-linked hackers were typically less disruptive when breaking into U.S. systems.
CrowdStrike, another large U.S. cybersecurity firm with international clients, also said Iran-backed hacking operations skyrocketed in 2017.
Adam Meyers, vice president of intelligence with CrowdStrike, said this escalation was perhaps most evident within the Middle East, where Iran’s relations with its geographic rivals like Saudi Arabia have deteriorated.
“Between November  and early 2017, that was when for me I really began to see how comprehensive Iran’s cyber capabilities had become because they were simultaneously running so many operations in Saudi Arabia all at once,” said Meyers.
“We saw some noticeable advances in their techniques and tools, like coding changes made to Shamoon [destructive malware]. And that showed I think that what was happening in Saudi Arabia was concentrated. This wasn’t some script kiddie trying to steal documents … it was a coordinated, probably military, endeavor.”
A mission exposed
ClearSky recently found evidence connecting two previously attributed groups to attacks against individuals living in several countries, including Iran, the U.S., Israel, the U.K., the United Arab Emirates and India. Commonly known as “Charming Kitten” and “Rocket Kitten,” the Iranian groups targeted individuals involved with academia, human rights or media, the company said.
“The new report is mostly focused on the actions of a well-documented Iranian group, Charming Kitten, but there’s others we see very active right now as well, including Copy Kitten, OilRig, Greenbug and Magichound, ” Sela said, calling each group by names familiar to the security research community.
Though ClearSky’s latest research is about dissidents, Sela said other targets and victims exist.
Jay Rosenberg, a senior security researcher with cybersecurity company Intezer Labs, confirmed to CyberScoop that OilRig continues to be engaged in cyber-espionage. The group recently sent out a barrage of spearphishing emails to a “multitude of different industries such as financial institutions, technology companies, and universities,” Rosenberg said.
In September, FireEye discovered a newly uncovered group that it called APT33. FireEye said at the time that APT33 had been caught attempting to spy on aerospace and energy companies headquartered in the U.S., Saudi Arabia and South Korea.
On Thursday, FireEye researchers spotted another hacking campaign with ties to Iran, launched by a separate group it calls APT34. This campaign targeted a series of Middle Eastern governments by taking advantage of a recently discovered remote code execution vulnerability in Microsoft Office.
FireEye researchers say the rise of APT33 and APT34 is emblematic of a larger trend.
We 1st started seeing Iranian threat actors ~2014, but really ramped up in 2016/17 & now account for almost 50% of recent @Mandiant investigations. They are harder to group/cluster than other nations threat actors due to fluidity of operators between groups #APT33, #APT34, #APT3?
— Christopher Glyer (@cglyer) December 7, 2017
The reason for this considerable uptick in nation-state hacking is twofold.
To begin with, Darché said, the Iranian government is partially behind the rise in Iran-linked hacking activity.
“Iran spends considerable time in the early kill chain, gathering valuable targeting information against their potential victims for their phishing campaigns. The IRGC (Islamic Revolutionary Guard Corps) in particular continues to expand the scale of the targeting efforts,” Darché, a former NSA analyst, said. “This may be, in part, due to the IRGC’s concerns regarding the Trump administration’s polices,” including the White House’s skepticism about the nuclear arms deal it made with the U.S. and other world powers in 2015.
Another explanation may be due to an improvement in capabilities compared to years prior.
A growing talent pool in Iran — with contributions from defense contractors, government spies, undeterred random individuals and even university students — is providing the regime with a workforce that’s ready and able to hack into foreign targets, explained Carmakal.
A profession in cybersecurity — regardless of whether it is defensive or offensive oriented — continues to be a lucrative option in the developing world.
The big-name breaches
Attacks coming out of Iran have directly affected several high-profile U.S. brands, including an incident involving the television network HBO.
The Justice Department accused an Iranian contractor in mid-November for the HBO breach. ClearSky was able to connect the Iranian contractor, Behzad Mesri, to past Charming Kitten exploits with “medium confidence.”
Additionally, two former officials tell CyberScoop that Iranian hackers were also behind the recently disclosed data breach at global accountancy firm Deloitte. These officials, both of whom now work in the private sector, spoke on condition of anonymity in order to freely discuss a sensitive investigation.
The Deloitte incident focused on a Microsoft Azure database which was improperly accessed around October 2016. The server contained the emails of an estimated 350 clients, including four U.S. government agencies. Sources told CyberScoop six clients were directly affected by the breach; matching a figure from other media reports.
CyberScoop obtained a number of IP addresses used by hackers in the course of their operation to breach Deloitte last year. This is not a complete list:
ISP: Fastvps Eesti Ou
ISP: FastNetwork INC
ISP: Fastvps Eesti Ou
A review of these IP addresses shows how the hackers used various proxies to obfuscate their actual location. It’s not uncommon for cybercriminals or nation-state hackers to rely on various foreign hosting services in order to cover their tracks.
Deloitte did not provide a statement to CyberScoop. A spokesperson pointed to an online fact sheet that does not attribute responsibility for the breach.
Forbes reported in October that the OilRig group was behind a fake female Facebook profile that targeted a specific Deloitte employee focused on cybersecurity matters. After gaining the trust of the target, the fake account, named “Mia Ash,” sent the employee malware in a message which he then proceeded to download.
While Forbes reported that the catfishing incident and October 2016 breach weren’t related, a former U.S. official told CyberScoop these events were “not disconnected.” The source failed to elaborate further.
It’s not clear if OilRig was the group responsible for the Deloitte breach.
A ‘convoluted’ mess
Maj. Gen. Nadav Padan, who heads the Israeli Defense Force’s command, control, computer, communications and intelligence (C4I) division, recently said at a Reuters cybersecurity conference that he had personally watched Iran-linked groups get “better and better” in recent years.
Measuring the size of Iranian-linked hacking operations compared to those coming from Russia, China or even North Korea is another question entirely. Experts say it’s nearly impossible to conclusively determine a single data point that quantifies these operations as a whole.
“It is sort of convoluted because each [Iranian hacking] group is different and we only know what we can see,” Sela said. “So the question is are we only seeing a small percentage of what’s going on? I don’t know … But I can tell you that with some of these groups, they have a really big attacker infrastructure … So it seems like maybe they are doing a lot more than what [cybersecurity companies] are aware of.”
Mandia similarly noted that while Iranian hacking groups appear to be far busier today than in early 2016, it’s difficult to accurately measure the volume or scope of ongoing operations.
“In 2017, Iran really started acting at scale, and I think to myself, ‘Just how big is that scale?’ We don’t know if we are seeing five percent of Iran’s activities, or 90 percent – although I’m guessing it’s closer to five percent,” Mandia stated in a report published Thursday by FireEye.
Writing any comprehensive analysis on Iran’s expanding cyber-espionage apparatus is strenuous because of the simple fact that attribution in cyberspace remains an imperfect science.
A white paper published Tuesday underscores technical challenges with connecting various different breaches back to Iran.
The paper, authored by independent security researchers Collin Anderson and Claudio Guarnieri, describes that because of the diverse toolsets used and operational security followed by Iranian hackers, researchers can only point to these various groups having, at best, a tentative, singular tie back to Iran.
“Like Iran’s ‘mosaic defense’ military organizing structure, the hacking efforts are clearly more decentralized and fluid than countries with advanced cyber warfare operations,” the paper reads. “This makes tracking and attributing attacks originating from Iran all the more complex.”
In 2005, the IRGC introduced this concept of “mosaic defense” to Iran’s military doctrine, which centers on the use of “passive defense” to discourage attacks, according to the RAND Institute.
The decision by the IRGC meant that the country’s industrial defense base would become immediately more diffuse as cities and local government organizations received additional operational authority to independently react to threats against the homeland. Scholars believe the concept now extends to Iran’s private sector.
An attack rationale
The attacks have taken place during a time of increased tension with the west, including President Donald Trump’s threats to end a vital arms deal which currently handicaps Tehran’s ability to create nuclear weapons.
“Computer network operations are one way for Iran, as a conventionally weaker military side, to even things up,” described Kenneth Geers, a senior research scientist with cybersecurity firm Comodo. “The internet has sparked a golden age of espionage, which may allow Iran to discover whether President Trump’s confrontational rhetoric has more bark than bite.”
Geers said it’s no surprise Iran has turned to hackers given the country’s many geopolitical challenges.
“Iran recently signed a controversial nuclear deal, labeled the U.S. its ‘Enemy Number One,’ experienced a decline in relations with Saudi Arabia, conducted ballistic missile tests … and deepened its involvement in the Syrian, Iraqi, and Afghan civil wars,” said Geers, who is also a senior fellow with foreign policy think tank The Atlantic Council. “[Iran] is surely attacking and defending computers on each of these cyber battlefields.”
*Zaid Shoorbajee contributed to this report
-In this Story-