The Iran Hacks Cybersecurity Experts Feared May Be Here

Credit to Author: Lily Hay Newman| Date: Tue, 18 Dec 2018 12:00:00 +0000

In May, President Donald Trump announced that the United States would withdraw from the 2015 nuclear agreement, negotiated by the Obama Administration, designed to keep Iran from developing or acquiring nuclear weapons. As part of that reversal, the Trump administration reimposed economic sanctions on Iran. From the start, the US actions stoked tensions and fear of Iranian retaliation in cyberspace. Now, some see signs that the pushback has arrived.

Iranian state-sponsored hacking never stopped entirely; it has continually targeted neighbors in the Middle East, and often focused on the energy sector. But while concrete attribution remains elusive, a wave of recent digital attacks has led some security analysts to suggest that Iranian state-sponsored hackers may have ramped up their digital assaults against the US and Europe as well.

"If you look at these groups, they’re not hacking for money, what they’re doing is very much nation state motivations," says Eric Chien, a fellow in Symantec's security technology and response division. "So if we continue to see some sort of geopolitical issues in the Middle East, you’re definitely going to see continued attacks. If those geopolitical issues start to get resolved then you’ll see it go back to background noise. It’s very reactionary, and very much related to what’s going on in the geopolitical world."

Chien stresses that attribution is murky for recent incidents and that it's not known whether Iran has launched a comprehensive campaign.

"They hit a handful of organizations on a scale you can count on your fingers all at the same time, and then they sort of disappear again."

Eric Chien, Symantec

The most direct potential tie to Iran comes from a new wave of attacks utilizing a variant of the famously destructive virus called Shamoon. Known for its use in a 2012 attack on the Saudian Arabian state-backed oil company Saudi Aramco, Shamoon attempts to exfiltrate, wipe, and neuter servers and PCs it infects, giving attackers access to a target's information while wreaking havoc on their systems. One of the victims so far was the Italian oil company Saipem. The company says that it will be able to recover from the incident without losing data, but would not say who it suspects was behind the attack. Saudi Aramco is a large Saipem customer.

Researchers who have tracked Shamoon for years say that the new variant has similarities to its predecessors, which were attributed to Iranian state-sponsored hackers. This doesn't definitively mean that this new malware was created by the same actor, but so far analysts say that the new Shamoon attacks recall past assaults.

The actors behind Shamoon "have this sort of habit of going away with years even in between and then suddenly showing up again," Chien says. "And then when they show up they hit a handful of organizations on a scale you can count on your fingers all at the same time, and then they sort of disappear again."

This tracks with Saipem's public comments about the incident, as well as Symantec research that indicates Shamoon hit two other gas and oil industry organizations the same week—one in Saudi Arabia, and another in the United Arab Emirates. Researchers at the security firm Anomali also analyzed a new Shamoon sample that may be from a second wave of attacks. And analysts at the threat intelligence firm Crowdstrike say they have seen evidence of multiple recent victims.

Recent Shamoon activity is a continuation of the malware's resurgence in 2016 and 2017, according to Crowdstrike vice president Adam Meyers. But while the previous iterations of Shamoon was more of a static tool for exfiltrating and wiping data, a new version emerged in 2016 that could be modified to have different combinations of functionality. It could be customized to encrypt and overwrite files, destroy the boot device, wipe attached hard drives, destroy the operating system, or wipe special prioritized files. Crowdstrike sees the recent attacks as leveraging that flexibility, rather than representing a new generation of the malware, which it says strengthens the link to Iran. Other firms have called the malware used in these latest attacks "Shamoon 3," suggesting that it is instead a next-generation variant that may or may not have originated with Iranian hackers.

One of the challenges of assessing Shamoon incidents has always been the lack of visibility into how hackers deploy the virus on a target system. They generally seem to appear out of nowhere, and drop the malware without leaving much of a trace of how they first got on the network and expanded their access. Symantec's Chien says there is some evidence that other, related groups may be harvesting credentials and other information from targets in advance, then passing them to the Shamoon group for easy entry.

"Iran has targeted the West before and will continue to do so."

Adam Meyers, Crowdstrike

Elsewhere, a prominent hacking group known as Charming Kitten has ramped up its activities as well. Often tied to Iran, Charming Kitten is known for aggressive, targeted phishing campaigns that aim to gather as many login credentials as possible. The group is more consistently active than the attackers behind Shamoon, but still cycles through quieter periods followed by periods of increased action. The British security firm Certfa published findings last week on probable Charming Kitten attacks against US Treasury officials, Washington DC think tanks—a favorite Charming Kitten target—diplomatic groups, and others.

"Iran has targeted the West before and will continue to do so," Crowdstrike's Meyers says. "Certainly visibility into some of the groups that are responsible for enforcing sanctions against Iran, like the Treasury, that's going to be within their interest and things that they would want to target."

Still, the landscape remains complicated. The latest Charming Kitten activity hasn't been definitively attributed to Iran, as Symantec's Chien points out. And other hackers that seem to be active right now—like the group APT 33—have previously been linked to Iran, but haven't been visible enough in recent months for analysts to be sure about the origin of the new initiatives. Plus, researchers are still debating the intent behind the most recent Shamoon attacks.

"For some groups, a lot of the evidence of a link to Iran looks at victim profiles and it's basically every country in the Middle East except Iran," Chien says. "And definitely Saudi Arabia seems to always be in that mix as a target. So that type of thing is not a hard link in itself. But if you just look at the Shamoon activity alone, which the US has said is Iran, you could say Iranian hacking is up."

All of it paints an admittedly muddled picture. But researchers say that one thing is clear: Regardless of where exactly the attacks are coming from, analysts who predicted a spike in Iranian hacking of some sort are now getting one.

Updated December 19, 2018 9:40 am to include clarification from Symantec.

https://www.wired.com/category/security/feed/