Analysts uncover new 'highly active' espionage group believed to be from Iran
By Morgan Chalfant - 07/25/18 08:00 AM EDT
A U.S.-based cybersecurity firm has uncovered a new “highly active” espionage group believed to be based in Iran that is breaking into the networks of government organizations and other firms located in the Middle East.

Symantec released information early Wednesday on the hacking collective, which researchers have dubbed “Leafminer.” The group is allegedly targeting organizations in Saudi Arabia, the United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, Israel and Afghanistan.

Leafminer’s targets reportedly cut across several sectors, including energy, telecommunications, financial services, transportation and government.

Vikram Thakur, technical director at Symantec, told The Hill that the group has been active since early 2017 but “ramped up” its activity between the end of last year and the start of 2018. Thakur said the organization is “continuing to conduct attacks as of right now.”
Through its research, Symantec obtained a target list of roughly 800 organizations, catalogued by their country of origin, that analysts believe serves as a blueprint for the espionage group. The list was written in Farsi, leading analysts to conclude that the hackers are based in Iran.

“All the target organizations, they have some kind of political discourse ongoing with Iran, and Iran is actually missing from the list themselves,” Thakur said. “From an analytics perspective, that just adds to the fact that they’re likely to be from Iran.”

While Symantec does not have evidence linking the group to the Iranian government, Thakur said it is “possible” the group is operating on behalf of a nation-state.

Symantec observed the group firsthand executing attacks on about 40 different organizations; in some cases the hackers were blocked outright, and in others they gained some sort of foothold in victims’ networks.

The hacking group uses a mix of publicly available hacking tools and custom malware to execute its attacks, including the infamous “EternalBlue” exploit leaked by the group Shadow Brokers last year, which is widely believed to have been developed by the National Security Agency.
The group uses a variety of tactics to infiltrate its targets, such as watering hole attacks — a strategy in which a hacker infects a website that would-be victims typically visit in order to ultimately infiltrate their targets’ systems. Analysts observed the hackers compromising a Lebanese intelligence agency website in one such instance.

The hacking group has also scanned the internet to uncover vulnerabilities on networks that can then be exploited, and has also executed brute-force login attempts.

The group is primarily interested in hacking into victims’ emails to harvest communications and other data, likely for espionage purposes, analysts say.

Broadly, security professionals have observed Iranian hackers expanding their operations and growing more sophisticated in their attack methods. This has included Iran-based hacking groups stepping up operations against international organizations, including those located in the Middle East and the United States.

While Thakur does not believe Leafminer to be particularly sophisticated in terms of its technical capabilities, he suspects the group could expand its operations to other countries given its broad list of targets, which includes multinational organizations.

“Some of those Middle Eastern organizations might have branches or subsidiaries in Western countries and hackers might get opportunistic,” Thakur said.

“I do believe that their targeting is going to be, if it’s not already, beyond” the countries listed, he said.
http://thehill.com/policy/cybersecurity/398663-analysts-uncover-new-highly-active-espionage-group-believed-to-be-from