Iranian attackers conducting surveillance: report
Attackers targeting energy sector and state governments, says M-Trends Threat Report
Suspected Iranian attackers have been conducting reconnaissance on the energy sector and state governments, according to the latest Mandiant M-Trends Threat Report released by FireEye this month.
The report said that multiple investigations at energy sector companies and state government agencies indicated that threats suspected to originate from Iran are actively engaging in surveillance activities.
The report fell short of flat-out accusing the Iranian government of conducting surveillance, owing to the fact that these Iran-based attackers appear less capable than other nation-state actors.
However, Mandiant cautioned that "nothing stands in the way of them testing and improving their capabilities".
Iran is widely suspected to have been behind the August 2012 malware infections that targeted the networks of Saudi Aramco and RasGas, two energy companies based in Saudi Arabia and Qatar, respectively. Industry observers suggested that the Iranian government sponsored the attack after an Iranian nuclear facility was infected with the Stuxnet virus.
Mandiant said that it had not directly observed Iran-based actors destroy or degrade its clients' networks. However, the report cited "multiple incidents of what we suspect is Iran-based network reconnaissance activity", with the majority of incidents targeting the energy sector. Several US state government agencies were also targeted, the report said.
According to Mandiant, at one state government office the threat actor maintained local administrative access, infected about a quarter of the systems with malware, and transferred more than 150 GB of data, including network diagrams, user passwords, and data from network and system admin accounts.
In its investigation, Mandiant observed a number of tell-tale signs that led it to the conclusion that the attacks had originated from Iran. For example, the report noted use of a distributed denial-of-service (DDoS) tool in a client environment that was previously used in 2012 attacks on US banking institutions. These attacks were largely attributed to Iran-based actors.
The report also noted the use of web shells in which English command terms had been translated into Farsi, as well as visits to Iranian-Farsi language blogs and hacker forums while conducting intrusions from various non-Iranian IP addresses. Mandiant also said that there had been multiple individuals who identified their location as Tehran and appeared to actively create exploits that researchers had seen in intrusions into clients' networks.
However, the report said that there was nothing in the attacks to suggest that the Iranian attackers possess the range of tools typical of "full-scope" cyber-attackers. These suspected attackers rely on publicly available tools and capitalise solely on web-based vulnerabilities, suggesting they have relatively limited capabilities, the report said.
The takeaway, Mandiant said, was that, although the Iran-based threat actors appear to be less sophisticated, they pose an ever-increasing threat due to Iran's historical hostility towards US businesses and government interests.