Iranian hacking group targeting telcos in the Middle East
FireEye identifies hacking group which focuses on stealing personal information for surveillance
Security company FireEye says it has identified an Iranian cyber espionage group which is targeting telecoms operators, as well as travel companies and IT companies in the Middle East.
The ‘APT39' group is mainly focused on theft of personal information, apparently as a means to support Iranian surveillance operations.
FireEye reports that it has been tracking activity linked to this group since November 2014, and comments that the group's widespread theft of personal information is likely used to support monitoring, tracking, or surveillance operations that serve Iran's national priorities. The focus on personal information theft sets it apart from other Iranian hacking groups, which have concentrated on influence operations or disruptive attacks. By targeting telecoms firms, the attackers gain access to personal and customer data, and potentially to communications infrastructure as well.
FireEye said in a statement: "APT39's targeting not only represents a threat to known targeted industries, but it extends to these organizations' clientele, which includes a wide variety of sectors and individuals on a global scale. APT39's activity showcases Iran's potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals."
The APT39 group uses a mix of custom and publicly available tools at every stage of the attack lifecycle. Initial access typically comes via spear phishing emails, often sent from domains that masquerade as legitimate web services and organizations relevant to the intended target. The group has also routinely identified and exploited vulnerable web servers at targeted organizations to install web shells, such as ANTAK and ASPXSPY, and has used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources.
Post-compromise, APT39 leverages custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT to establish a foothold in a target environment. During privilege escalation, freely available tools such as Mimikatz and Ncrack have been observed, in addition to legitimate tools such as Windows Credential Editor and ProcDump. Internal reconnaissance has been performed using custom scripts and both freely available and custom tools such as the port scanner, BLUETORCH.
APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also been used to create SOCKS5 proxies between infected hosts. In addition to using RDP for lateral movement, APT39 has used this protocol to maintain persistence in a victim environment. To complete its mission, APT39 typically archives stolen data with compression tools such as WinRAR or 7-Zip.
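The lifecycle described above (web shell on an exposed web server, credential dumping with tools such as ProcDump and Mimikatz, lateral movement via RDP and PsExec-style services, and staging of stolen data with WinRAR or 7-Zip) maps to a small set of host-level detections. The following is an added example, not code from FireEye or from the article: a Python triage script that parses constructed process-creation and logon log lines, applies one rule per lifecycle stage using the tool names the article gives, and flags any host that shows hits in two or more stages. The log format, host names and the assumed binary names for RemCom and xCmdSvc (`remcomsvc.exe`, `xcmdsvc.exe`) are assumptions for illustration, not values from the report.

```python
"""Triage constructed endpoint log lines against the APT39 lifecycle stages
described in the article. Example code added to this page; it is not FireEye's
tooling and the sample events below are constructed, not real telemetry."""
import re
from collections import defaultdict

# Constructed sample events in a simple key=value format (not real logs).
SAMPLE_EVENTS = [
    r'host=web01 event=ProcessCreate parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"',
    r'host=web01 event=ProcessCreate parent=cmd.exe image=procdump.exe cmdline="procdump.exe -ma lsass.exe lsass.dmp"',
    r'host=dc01 event=Logon type=10 user=CORP\svc_backup src=10.0.5.20',
    r'host=fs02 event=ProcessCreate parent=services.exe image=PSEXESVC.exe cmdline="PSEXESVC.exe"',
    r'host=fs02 event=ProcessCreate parent=cmd.exe image=rar.exe cmdline="rar.exe a -hp secret staged.rar C:\Users\finance"',
    r'host=ws17 event=ProcessCreate parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
]

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Tool names taken from the article; binary names for RemCom/xCmdSvc are assumed.
WEB_SERVER_PROCS = {"w3wp.exe"}                      # IIS worker process (ASPX web shells run here)
SHELLS = {"cmd.exe", "powershell.exe"}
CRED_TOOLS = {"mimikatz.exe", "wce.exe", "ncrack.exe"}   # Mimikatz, Windows Credential Editor, Ncrack
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "remcom.exe", "remcomsvc.exe", "xcmdsvc.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}  # WinRAR / 7-Zip command-line binaries


def parse_event(line):
    """Parse one key=value log line into a dict of string fields."""
    return {key: quoted or unquoted for key, quoted, unquoted in FIELD_RE.findall(line)}


def field(ev, key):
    """Case-normalised accessor so rules do not depend on how the sensor cased names."""
    return ev.get(key, "").lower()


def detect(ev):
    """Return a list of (lifecycle_stage, rule_description) hits for one parsed event."""
    hits = []
    if ev.get("event") == "ProcessCreate":
        parent, image, cmd = field(ev, "parent"), field(ev, "image"), field(ev, "cmdline")
        if parent in WEB_SERVER_PROCS and image in SHELLS:
            hits.append(("initial_access", "web server worker process spawned a shell (web shell pattern)"))
        if image in CRED_TOOLS or (image == "procdump.exe" and "lsass" in cmd):
            hits.append(("credential_access", "credential theft tool or LSASS memory dump"))
        if image in LATERAL_TOOLS:
            hits.append(("lateral_movement", "remote execution service or tool (PsExec/RemCom/xCmd)"))
        # 'rar a ...' / '7z a ...' adds files to an archive: a data-staging signal.
        if image in ARCHIVERS and cmd.split()[1:2] == ["a"]:
            hits.append(("collection", "archive created with compression tool"))
    elif ev.get("event") == "Logon" and ev.get("type") == "10":
        # Windows logon type 10 is RemoteInteractive, i.e. an RDP session.
        hits.append(("lateral_movement", "interactive RDP logon (logon type 10)"))
    return hits


def triage(lines):
    """Apply all rules, group hits per host, and flag hosts showing two or more
    distinct lifecycle stages, which is stronger evidence of an intrusion chain
    than any single tool sighting."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for stage, rule in detect(ev):
            per_host[ev.get("host", "?")].append((stage, rule))
    flagged = {h for h, hits in per_host.items() if len({s for s, _ in hits}) >= 2}
    return dict(per_host), flagged


if __name__ == "__main__":
    hits_by_host, priority = triage(SAMPLE_EVENTS)
    for host, hits in hits_by_host.items():
        marker = "PRIORITY" if host in priority else "review"
        print(f"[{marker}] {host}")
        for stage, rule in hits:
            print(f"    {stage:18s} {rule}")
```

The stage-correlation step matters more than any single rule: a lone RDP logon or a single archive command is routine in most environments, but a web-server worker spawning a shell followed by an LSASS dump on the same host, or a remote-execution service followed by bulk archiving, is the sequence the article describes and is what should drive escalation.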