Iranian attackers target dissidents and US defence firms
Ajax Security Team conducting full-blown cyber-espionage, says FireEye report
An Iranian group of cyber-attackers, dubbed the Ajax Security Team, has progressed from defacing websites in 2009 to full-blown cyber-espionage today, according to a new report released by FireEye.
The report, Operation Saffron Rose, details the activities of these Iranian cyber-attackers. FireEye said that its researchers recently observed the Ajax group conducting cyber-espionage on defence companies in the US. The group also targets Iranian users of Proxifier and Psiphon, anti-censorship technologies that bypass Iran's internet filtering system, FireEye added.
FireEye said that it had uncovered information on 77 victims from one command-and-control server found while analysing malware samples disguised as Proxifier or Psiphon. Analysing data on the victims, a large concentration had their time zones set to "Iran standard time" or their language set to Farsi, FireEye said.
Despite only being capable of defacing websites in 2009, FireEye said that Ajax's methodologies have grown more consistent with other advanced persistent threat (APT) actors in and around Iran.
"There is an evolution underway within Iranian-based hacker groups that coincides with Iran's efforts at controlling political dissent and expanding its offensive cyber capabilities," said Nart Villeneuve, senior threat intelligence researcher at FireEye.
"We have witnessed not only growing activity on the part of Iranian-based threat actors, but also a transition to cyber-espionage tactics. We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets' machines for longer-term initiatives."
The group uses social engineering tactics to lure targets into infecting their systems with malware, according to the report.
It is unclear whether Ajax operates on its own or as part of a larger, government-coordinated effort. FireEye said that the team uses tools that do not appear to be publicly available, nor used by any other known cyber-espionage groups. However, FireEye said that members of the group have previously used publicly available exploit code to deface websites.
Iran was first identified as advanced cyber-threat actor in 2009, when the plans for a new US presidential Marine Corps One helicopter were found on a file-sharing network in Iran. In 2010, the Iranian Cyber Army disrupted Twitter and Chinese search engine Baidu, and in 2013, it was reported that Iranian actors had increased efforts to disrupt US critical infrastructure.
Meanwhile, just last month, a Mandiant report stated that Iranian attackers had been conducting surveillance on the energy sector and state governments. However, in that report, Mandiant stated that the attackers it had witnessed seemed less capable than other nation-state actors.