FireEye, which has uncovered many prominent cyber espionage campaigns, has attributed yet another one to Iran: hackers it links to the Iranian government spied on and hacked several companies in the US, the Middle East, and Asia. The targeted companies are mostly connected to the petrochemical industry, the military, and commercial aviation.
A Hacking Pattern Emerges
A pattern emerges from the findings of Mandiant, the incident-response subsidiary of FireEye. The petrochemical-related intrusions were concentrated in Middle Eastern countries, which suggests the stolen information is meant to give Iran an edge over its regional competitors in the petroleum business.
Similarly, the military and aviation-related spying suggests that the attacker is positioning itself for a conflict, should one arise. Iran has long been identified as a source of state-sponsored hacking and cyber espionage; if Mandiant's research and conclusions are accurate, they confirm those suspicions.
FireEye Names The Group Of Hackers APT33
Dubbed APT33, where APT stands for Advanced Persistent Threat, the group has targeted its victims mostly through spear-phishing attacks. John Hultquist, director of intelligence analysis at FireEye, was quoted as saying: “These campaigns demonstrate the depth of Iran’s cyber capabilities. Actors like APT33, now narrowly focused on the Middle East, are the tools Iran will reach for if they choose to carry out attacks in the future”.
More On FireEye’s Findings
The findings also show that the group's activity was heaviest from Saturday to Wednesday, which corresponds to the Iranian work week. FireEye traced the activity back to Iran when it came across the handle “xman_1365_x”, a hacker identity that has been linked with the Iranian Nasr Institute, a suspected Iranian government hacking organization.
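The work-week observation is a standard attribution technique: convert attacker activity timestamps to a candidate local time zone, count events per weekday, and see which regional work week the distribution fits. The following is an added example of that analysis, written for this page; it is not FireEye's or Mandiant's code, and the event timestamps are constructed (not real APT33 data). It assumes a fixed UTC+3:30 offset for Tehran and three candidate work weeks; those are assumptions of the example, not facts from the article.

```python
"""Weekday-activity profiling of attacker timestamps (added example, not from the article)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: Iran Standard Time as a fixed UTC+3:30 offset (ignores historical DST).
TEHRAN = timezone(timedelta(hours=3, minutes=30))

# Candidate work weeks as sets of datetime.weekday() values (Monday == 0 ... Sunday == 6).
WORK_WEEKS = {
    "Mon-Fri": {0, 1, 2, 3, 4},
    "Sun-Thu": {6, 0, 1, 2, 3},
    "Sat-Wed": {5, 6, 0, 1, 2},   # Iranian work week, as described in the article
}


def weekday_histogram(timestamps, zone=TEHRAN):
    """Count events per local weekday after converting each timestamp into `zone`.

    Naive timestamps are treated as UTC, which is how most log sources store them.
    """
    counts = Counter()
    for ts in timestamps:
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)
        counts[ts.astimezone(zone).weekday()] += 1
    return counts


def work_week_scores(hist):
    """Fraction of all events that fall inside each candidate work week."""
    total = sum(hist.values()) or 1
    return {name: sum(hist[d] for d in days) / total for name, days in WORK_WEEKS.items()}


def best_fit(hist):
    """Name of the candidate work week that captures the largest share of activity."""
    scores = work_week_scores(hist)
    return max(scores, key=scores.get)


def constructed_sample():
    """Constructed sample: 4 events per day Saturday..Wednesday and 1 per day on
    Thursday and Friday, for 8 weeks, stored in UTC. 2017-01-07 is a Saturday, and
    06:00-09:00 UTC lands on the same calendar day in Tehran."""
    start = datetime(2017, 1, 7, 6, 0, tzinfo=timezone.utc)
    events = []
    for day in range(8 * 7):
        d = start + timedelta(days=day)
        per_day = 4 if d.weekday() in WORK_WEEKS["Sat-Wed"] else 1
        for k in range(per_day):
            events.append(d + timedelta(hours=k))
    return events


if __name__ == "__main__":
    hist = weekday_histogram(constructed_sample())
    for name, score in sorted(work_week_scores(hist).items(), key=lambda kv: -kv[1]):
        print(f"{name}: {score:.2%} of events inside work week")
    print("best fit:", best_fit(hist))
```

Two caveats a practitioner would apply before trusting this signal: timestamps that the attacker controls (PE compile times, document metadata) can be forged, so prefer timestamps recorded by the victim's or a third party's infrastructure; and a Saturday-to-Wednesday pattern is consistent with several countries in the region, so it narrows the field rather than identifying a single actor on its own.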
APT33 has also been found to be operational since 2013. As part of its modus operandi, it sends phishing emails to its targets, typically using attractive job advertisements as the lure. The emails usually include a malicious link which, when clicked, is meant to install a backdoor on the target's PC.
FireEye also found similarities between malware used by APT33 and Shamoon, the Iran-linked wiper attack that destroyed nearly three-quarters of the computers at Saudi Aramco, the Saudi state oil company, in 2012. The constant stream of cyber espionage campaigns emerging from Iran has made it one of the West's most dangerous cyber adversaries, along with Russia, China, and North Korea.
Elaborate Cyber Attacks May Follow
Given the prolonged tension between the US and Iran, the security community believes that Iran may have prepared more elaborate cyber attacks, with the recent reconnaissance conducted by APT33 as the precursor, which it could unleash on its adversaries should the need arise. It is widely believed that the US and Israel were behind the 2010 Stuxnet attack on Iran's nuclear program, so a large-scale retaliation by Iran using malware of its own would come as no surprise.