California-based public cybersecurity firm FireEye has exposed a new Iranian cyber-espionage group, APT39, that is believed to be behind an “unprecedented” hacking campaign targeting the telecommunications, travel and high-tech industries in the Middle East. Unlike other Iranian cyber threats that have been linked to influence operations or disruptive attacks, APT39 is focused on widespread theft of personal information.
“APT39’s focus on personal information likely supports the planning, monitoring, and tracking of intelligence operations that serve Iran’s national priorities,” said Benjamin Reed, Senior Manager of Cyber Espionage Analysis, FireEye.
The cyber espionage group also targets government entities, suggesting a secondary intent to access sensitive geopolitical data. The group’s activity shows it accessing proprietary or customer data that could be used to facilitate similar future campaigns. It is important to note that APT39’s targeting not only represents a massive threat to the telecommunications, travel and tech industries in the Middle East, but also extends to the clientele and individuals of these industries – all of whom become potential targets across multiple verticals.
Key findings in Cisco’s cybersecurity reports
94 percent – Companies in the Middle East or Africa that admitted being victims of a cyber attack in the past year
48 percent – Attacks in the Middle East that resulted in damage of more than $500,000
58 percent – Organizations in the Middle East and Africa that have suffered public scrutiny due to a breach
APT39’s systematic attack
The latest cyber espionage group APT39 uses a mixture of publicly available and customized malware and tools to target individuals, industries and governments.
It gains initial access through phishing emails containing malicious attachments and hyperlinks. The group also registers and leverages domains that pose as legitimate web services, and masquerades as organizations that are relevant to specific targets. Additionally, it routinely identifies vulnerable web servers on which to install web shells, and uses stolen credentials to compromise Outlook Web Access services.
Once the group establishes a foothold and escalates its privileges, it maintains a presence and then archives stolen information for strategic use.
Iran’s role in growing cyber threats
Cybersecurity firm FireEye has been tracking the group for more than five years. It has noticed that APT39 uses methods, digital infrastructure, timing and malware similar to those of APT34 – a cyber espionage group also known as “OilRig”. Both of these cyber threats have links to Iran and are believed to be collaborating or sharing resources.
“APT39 marks the fourth Iranian cyber threat actor FireEye has elevated to the designation Advanced Persistent Threat,” Benjamin Reed said.
Cyber espionage group APT39’s activity sheds crucial light on Iran’s potential global operational reach. The country is said to be using cyber operations as a low-cost tool to collect important data on perceived “national security threats” and, thus, hopes to gain an advantage over its regional and global rivals.
The number of credible threats and significant cyberattacks has risen more than 50 percent in the past three years, according to a recent report from global law firm Linklaters. North Korea and Iran are believed to have become more active in cybercrime during this period, with many nations including the U.S., UK, and countries in the Middle East pointing fingers at them for cybersecurity breaches.
In December 2018, two Iranian men were indicted in the United States in connection with a ransomware attack that wreaked havoc in Atlanta, with extortion schemes targeting governmental entities and businesses alike.
“Iranian hackers are behind several cyberattacks and online disinformation campaigns in recent years as the country tries to strengthen its clout in the Middle East and beyond,” a Reuters Special Report published in November 2018 states.
Analysts believe that strong sanctions placed on Iran, coupled with its lag in technological advancement, could be the cause of government-backed cybercrime. Iran has denied reports tying it to cybercrime over the years.
Iran’s tryst with cybercrime:
1992: Iran welcomes the internet
2002: Hacking forum Ashiyane is created – later used to suppress dissidents
2009: Iranian Cyber Army takes Twitter offline for several hours
2010: Iranian President Mahmoud Ahmadinejad acknowledges Stuxnet attack on Iran’s Natanz nuclear facility
2011: Iranian hacker breaches Dutch security firm DigiNotar, allowing the government to spy on Gmail users
2012: Cyber collective called Parastoo hacks into IAEA servers in response to Stuxnet
2012: Iranian cyber espionage campaign – Madi malware – comes to light
2012: Saudi Aramco targeted by malware agent Shamoon
2014: Iranian hackers target Las Vegas Sands and wipe thousands of sensitive files
2016-17: Saudi Arabia targeted in Shamoon 2 attacks