FRANKFURT – Hackers probably linked to Iran's government have hit Saudi and Western aerospace and petrochemical firms, marking a rise in Iranian cyberspying prowess, security firm FireEye said on Wednesday, an assessment shared by other U.S. experts. A FireEye report on Wednesday dubbed the hacker group APT33 and offered evidence of its activities since 2013 in seeking to steal aviation and military secrets, while also gearing up for attacks that might cripple entire computer networks. In a separate but related move last week, the U.S. Treasury Department added two Iran-based hacking networks and eight individuals to a U.S. sanctions list, accusing them of taking part in cyber-enabled attacks on the U.S. financial system. Iran's Islamic Revolutionary Guard Corps, elements of which were also added to the U.S. sanctions list, was not immediately available for comment when contacted by phone by Reuters on Wednesday, the end of the country's working week. FireEye identified APT33 after it was called in to investigate cyberattacks on a U.S. aviation organization, a Saudi business conglomerate with aviation holdings and a South Korean group with interests in oil refining and petrochemicals.
A Russian state-sponsored cyber-espionage group has come back to life after a one-year period of inactivity with a relatively large spear-phishing campaign that has targeted both the US government and the private sector. The hacking group is known in infosec circles as Cozy Bear, APT29, The Dukes, or PowerDuke, and is infamous because it is one of the two Russian state hacking crews that hacked the Democratic National Committee before the 2016 US presidential election. "On 14 November 2018, CrowdStrike detected a widespread spear-phishing campaign against multiple sectors," Adam Meyers, VP of Intelligence, told ZDNet today. "These messages purported to be from an official with the U.S. Department of State and contained links to a compromised legitimate website," he added. "Individuals receiving the emails worked at organizations in a range of sectors, including think tanks, law enforcement, government, and business information services."
Until now, Silicon Valley's efforts have been focused almost exclusively on Russia, as revelations over the past year about Moscow's influence operations targeting U.S. politics put pressure on social-media giants to detect and remove Kremlin-sponsored campaigns. Iran's tactics are different, cybersecurity experts said, focusing on advancing its foreign policy interests in ways not as extreme as Russia's efforts to disrupt U.S. elections. Iran's moves have expanded as the toll of international sanctions against the nation rose and tensions between Washington and Tehran increased. Tech companies are also under renewed pressure as a number of top executives are slated to testify before Congress in early September about how their internet platforms were hijacked by foreign actors and what they are doing to prevent future abuses. Google's investigators uncovered evidence that the accounts it took down are connected with the Islamic Republic of Iran Broadcasting, which has been under U.S. sanctions since 2013, and date back to at least January 2017.
The software Accenture discovered contains a number of digital clues linking it to Iran. Some samples contain messages in Farsi and connect to computers based in Iran, it said, while others are built to avoid encrypting computer systems located in Iran. Accenture warned of Iran's hacking ambitions in a report Tuesday. It outlines hacking activities attributed to the Iranian government, though the company says the ransomware it has found could have been created by government-backed actors, by Iranian criminals, or by both. Ransomware has grown into a scourge for both governments and businesses.
The U.S. has released its most detailed report yet on accusations that Russia interfered in the U.S. presidential election by hacking American political sites and email accounts. The 13-page joint analysis by the Department of Homeland Security and the FBI is the first such report ever to attribute malicious cyber activity to a particular country or actors. It was also the first time the U.S. has officially and specifically tied intrusions into the Democratic National Committee to hackers with the Russian civilian and military intelligence services, the FSB and GRU, expanding on an Oct. 7 accusation by the Obama administration. The report said the intelligence services were involved in "an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens." It added, "In some cases, (the Russian intelligence services') actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack."