Search This Blog

Showing posts with label Iran. Show all posts

Iran Suffers Largescale Cyberattacks, Two Government Organizations Affected

 

In a recent cybersecurity incident, Iran has confirmed that it suffered two significant cyberattacks. One such attack even targeted Iran's government organizations. IT department of the Iranian government reported that the hackers attacked Iran's two major institutions. However, no hacking group has claimed responsibility for the attack as of now. The Iranian government is yet to confirm whether the actors involved in the breach were domestic or foreign. The earlier target of the attacks happened on Monday and Tuesday is still not confirmed by the government. 

Jerusalem Post reports that the Iranian government made the news of attacks official when the incident started getting heat on social media. Another news agency said that the attacks had damaged Iranian ports' electronic infrastructures. Radio Farda, a US-funded agency, says that the attack targets are likely to be Iran's ports, banks, and maritime organizations; the news, however, isn't confirmed. Tasnim, a quasi-official news outlet, reports that the country's spokesperson said the 'nation's sworn enemies carried out the cyberattacks.' 

The organization reports that the government has blocked the attacks' further efforts and has put a stop to the attacker's ambitions. The spokesperson of the Iranian government's IT department, Abolghasem Sadeghi, says that the attack caused various government institutes to stop their internet services temporarily to aoid further damage. He comments on the episode as 'large scale' and says an investigation has been set up to inquire about the breach. The authorities haven't released other information. 

According to the Jerusalem Post, "Iranian Minister of Communications and Information Technology Mohammad Javad Azari Jahromi claimed that its security shield repelled two of the three attacks in December. Jahromi claimed that the Islamic Republic's national cybersecurity wall, known as Digital Fortress or Dezhfa, helped thwart 33 million cyberattacks against the country in 2019, according to Fars News Service." In a similar attack happened last year, it reported "Intelligence and cybersecurity officials familiar with the incident told the Post that the attack was carried out by "Israeli operatives," possibly in retaliation for an earlier cyber attack on Israel's civilian water system."

Iranian Hackers Are Using Thanos Ransomware To Attack Organizations In the Middle East and South Africa

 

Cybersecurity experts discovered clues connecting cybersecurity attacks to Thanos ransomware, which is used by Iranian state-sponsored hackers. Researchers from ClearSky and Profero investigated significant Israel organizations and found cyberattacks linked to an Iranian state-sponsored hacking group named "Muddywater." Experts noticed repetitive patterns with two tactics in these attacks. Firstly, it uses infected PDF and Excel files to attach malware from the hackers' servers if they download and install them. Secondly, Muddywater mines the internet in search of unpatched MS Exchange email servers. 

It exploits the vulnerability "CVE-2020-0688" and deploys the servers with web shells, and again attaches the similar malware after downloading and installing the files. However, according to ClearSky, the second malware is not your everyday malware that is common but rather a unique malware with activities that have been noticed only once before. The Powershell threat is called "Powgoop" and was discovered last month by the experts. Palo Alto Network says that Thanos malware was installed using Powgoop. Besides this, Hakbit or Thanos malware has used other malware strains to install the ransomware called "GuLoader," coded in Visual Basic 6.0, different from other malware strains. 

"On July 6 and July 9, 2020, we observed files associated with an attack on two state-run organizations in the Middle East and North Africa that ultimately installed and ran a variant of the Thanos ransomware. The Thanos variant created a text file that displayed a ransom message requesting the victim transfer "20,000$" into a specified Bitcoin wallet to restore the files on the system," says the Palo Alto report. 

 According to ClearSky, they stopped these attacks before hackers could cause any damage; however, keeping in mind the earlier episodes, the company is now on an alarm. As per experts at ClearSky, they believe that Muddywater uses Thanos ransomware to hide its attacks and infiltrations. They say, "We assess that the group is attempting to employ destructive attacks via a disguised as ransomware attacks. Although we didn't see the execution of the destruction in the wild, due to the presence of the destructive capabilities, the attribution to nation-state sponsored threat actor."

Iranian Threat Actors Have Modified Their Strategies, Attacks Now More Effective


Since the dawn of the digital age, Iranian hackers have been infamous for their attacks on critical infrastructures, targeting governments, and hacking large corporate networks. The main motive behind these attacks is getting espionage intelligence, steal confidential information, ransomware attacks, and target massive data networks. Since 2019, the hackers have been using developed strategies that are more effective in causing damage to the targets, resulting in better monetary benefits, says the Bloomsbury news.


Attack details

  • Earlier this year in April, hacking group APT34 (otherwise knowns as OilRig) launched a modified version of the backdoor named 'RDAT.' The backdoor uses the C2 channel, which can hide commands and data under images via attachments. 
  • Earlier this year in May, APT34 also added a new tool to its hacking inventory, known as DNSExfiltrator. The tool has allowed hackers to become the first hacking group that uses the DoH (DNS-over-HTTPS) protocol in its attacks. 

Keeping view of these new modifications in the hacking realm, organizations should know that the criminals are evolving and modifying their methods over time. It suggests that hackers have become more powerful and possess a more significant threat to the cybersecurity world.

Other developments 

  • In August 2020, the FBI issued a security alert about the hacking group going by the name of 'Fox Kitten' attacking potentially weak F5 networks. The hacker's purpose was to attack private and public U.S. government organizations. 
  • In July 2020, making its comeback, threat actor Charming Kitten launched a cyberespionage campaign, using WhatsApp and LinkedIn to imitate Persian speaking journalists. The targets included the U.S. government, Israeli scholars belonging to Tel Aviv and Haifa universities. 
  • In June 2020, an amateur hacking group from Iran attacked Asian companies using 'Dharma' ransomware. 

According to intelligence reports, the hackers used widely available hacking tools to target companies in China, Russia, Japan, and India. From July 2020, threat actor Fox Kitten is also infamous for giving small corporate networks access on hacking forums. According to experts, it is just trying to generate revenue using other income channels, using systems that lack any intelligence value but provide Iran money.

Attack against Saudi Aramco Damages the World's Biggest Oil Producer



With the Saudi government and U.S. intelligence authorities accusing Iran, and Iran accusing the Yemeni rebels, the most recent attack against Saudi Aramco has damaged the world's biggest oil producer and deferred oil production, roiling oil and gas markets.

As of late, Iran has indeed deployed dangerous computer viruses against Saudi Arabia and these attacks have now marked a somewhat "real-world" continuation of this long-stewing cyber war between the two nations, by and by overflowed into other global powers.

Nicholas Hayden, the global head of threat intelligence for cyber intelligence company Anomali, who has served as a cyber-security operator in the electrical sector says that, “There hasn’t been a discernible increase in cyber-attack activity in the region yet but while nothing is standing out right now in the region, there’s a good chance that there are nation-state actors involved, ”

Iran has been notably known for increasing cyber-attacks when it clashes with nations, and that can likewise mean collateral damage in other companies  as well not simply Saudi-owned working together in the area.

“We’re certainly paying more attention than we normally would to that area. When stuff like this happens, we tend to put our ear a little bit closer to the ground.” Says Hayden.

Since, collateral damage is a common symptom of regional cyber conflict, organizations working in Saudi Arabia and beyond ought to likewise be alert for any changes that might hit the region.

The majority of the experts surveyed by CNBC conceded to one end solution, that in spite of the 'economic odds' stacked against them, Iran has turned out to be one of the world's most noteworthy cyber security powers.

John Hultquist, director of intelligence analysis for cyber security company FireEye, included later that, they’ve never been the most technically sophisticated. But they have made up in their brazenness, their willingness to destroy and disrupt. They have really separated themselves on this from others, as if they have nothing to lose.”

Regardless of all this Saudi Aramco yet again declined to comment for the issue when approached.

U.S. Cyber Military Forces Execute Retaliatory Cyber-attack Against Iran




In a retaliatory cyber-attack against Iran, U.S. cyber military forces cut down a database utilized by its Revolutionary Guard Corps to target ships in the Persian Gulf, just hours after 'the Islamic Republic shot down an American Drone'.

Right now, Iran still can't seem to recuperate the majority of the data lost in the attack and is attempting to re-establish military communication networks connected to the database.

As indicated by the Washington Post, the U.S President Donald Trump purportedly approved the U.S. Cyber Command's strike however the government has not openly recognized its occurrence.

A U.S. official who addressed the Washington Post additionally noted that the cyber-attack was intended to harm for Iran – however not to the degree that would further heighten pressures between the two sides.

Elissa Smith, a Pentagon spokesperson said in a statement, “As a matter of policy and for operational security, we do not discuss cyberspace operations, intelligence, or planning.”

In spite of the attack, the Islamic Republic has stayed rather active in the Strait of Hormuz, holding onto the English oil tanker Stena Impero in mid-July.

Recently discovered Fox News, it happened in June that Iran shut off a portion of its military radar sites around the time the U.S. was ready to dispatch retaliatory strikes, thusly it’s not clear if those radar sites were killed by cyber-attacks or if Iran shut them off intentionally fully expecting them.

In any case these strikes are not first major operations executed by the U.S. Cyber Command, as the organization a year ago had disrupted a Russian entity's endeavours to utilize Internet trolls to cultivate discontent among American voters during the 2018 midterm elections.


US cyber attacks on Iranian targets not successful: Minister

U.S. cyber attacks against Iranian targets have not been successful, Iran's telecoms minister said on Monday, within days of reports that the Pentagon had launched a long-planned cyber attack to disable his country's rocket launch systems.

Tension runs high between longtime foes Iran and the United States after U.S. President Donald Trump on Friday said he called off a military strike to retaliate for the Middle East nation's downing of an unmanned U.S. drone.

U.S. President Donald Trump said on Saturday he would impose fresh sanctions on Iran but that he wanted to make a deal to bolster its flagging economy, an apparent move to defuse tensions following the shooting down of an unmanned U.S. drone this week.

On Thursday, however, the Pentagon launched a long-planned cyber attack, Yahoo News said, citing former intelligence officials. The cyber strike disabled Iranian rocket launch systems, the Washington Post said on Saturday.

"They try hard, but have not carried out a successful attack," Mohammad Javad Azari Jahromi, Iran's minister for information and communications technology, said on social network Twitter.

"Media asked if the claimed cyber attacks against Iran are true," he said. "Last year we neutralised 33 million attacks with the (national) firewall."

Azari Jahromi called attacks on Iranian computer networks "cyber-terrorism", referring to Stuxnet, the first publicly known example of a virus used to attack industrial machinery, which targeted Iran's nuclear facilities in November 2007.

Stuxnet, widely believed to have been developed by the United States and Israel, was discovered in 2010 after it was used to attack a uranium enrichment facility in the Iranian city of Natanz.

Washington accused Tehran of stepping up cyber attacks.

Officials have detected a rise in "malicious cyber activity" directed at the United States by people tied to the Iranian government, Chris Krebs, director of the Department of Homeland Security's cybersecurity agency, said on Saturday on Twitter.

Twitter removes nearly 4,800 accounts linked to Iran government

Twitter has removed nearly 4,800 accounts it claimed were being used by Iranian government to spread misinformation, the company said on Thursday.

Iran has made wide use of Twitter to support its political and diplomatic goals.

The step aims to prevent election interference and misinformation.

The social media giant released a transparency report that detailed recent efforts to tamp down on the spread of misinformation by insidious actors on its platform. In addition to the Iranian accounts, Twitter suspended four accounts it suspected of being linked to Russia's Internet Research Agency (IRA), 130 fake accounts associated with the Catalan independence movement in Spain and 33 accounts operated by a commercial entity in Venezuela.

It revealed the deletions in an update to its transparency report.

The 4,800 accounts were not a unified block, said Yoel Roth, Twitter's head of site integrity in a blog detailing its actions.

The Iranian accounts were divided into three categories depending on their activities. More than 1,600 accounts were tweeting global news content that supported the Iranian policies and actions. A total of 248 accounts were engaged specifically in discussion about Israel. Finally, a total of 2,865 accounts were banned due to taking on a false persona which was used to target political and social issues in Iran.

Since October 2018, Twitter has been publishing transparency reports on its investigations into state-backed information operations, releasing datasets on more than 30 million tweets.

Twitter has been regularly culling accounts it suspects of election interference from Iran, Russia and other nations since the fallout from the 2016 US presidential election. Back in February, the social media platform announced it had banned 2,600 Iran-linked accounts and 418 accounts tied to Russia's IRA it suspected of election meddling.

“We believe that people and organizations with the advantages of institutional power and which consciously abuse our service are not advancing healthy discourse but are actively working to undermine it,” Twitter said.