Analysts from two security companies, CrowdStrike and Dragos, told Wired that last week they saw a new campaign of targeted phishing emails sent to a range of US targets by the hacker group known as APT33, Magnallium, or Refined Kitten, which is widely regarded as working on behalf of the Iranian government. Dragos named the Department of Energy and the US National Laboratories among the half-dozen targeted organizations. A third security company, FireEye, independently confirmed that it had seen a massive Iranian phishing campaign targeting both government agencies and private-sector companies in the United States and Europe, without specifically naming APT33. None of the companies knew of any successful intrusions.
"Essentially, there was a lot," said John Hultquist, director of threat intelligence at FireEye. "We are not sure whether it's about intelligence gathering, gathering information about the conflict, or the more serious issue we have always had, which is preparation for an attack."
There are signs that the new targeting campaign is in fact a cyber-espionage operation, an expected step for Iran given the rising tensions between its government and the United States, with Iran claiming to have shot down an American drone that violated its airspace and the Trump administration issuing warnings that it could retaliate. But the researchers also noted that APT33 has links to data-destroying malware, and that the intrusion attempts could be the first step in that kind of aggressive cyberwar operation.
FireEye has previously warned that while APT33 focused on traditional espionage in earlier operations, it sometimes appeared to have destructive tools in its arsenal. In 2017, FireEye reported that APT33 had infected some victims with "dropper" malware that had been used in other attacks to deploy data-destroying code called ShapeShift. CrowdStrike, too, says that APT33's fingerprints appear in some intrusions where Shamoon, another piece of destructive malware used in a series of sometimes devastating Iranian sabotage campaigns across the Middle East, had been deployed.
In at least some of last week's intrusion attempts, the hackers sent potential victims a lure email posing as a job opening at the Council of Economic Advisers, an organization within the White House's Office of the President. The email contained a link which, if clicked, led to an HTML application, or HTA file. That in turn launched a Visual Basic script on the victim's machine, which installed a malware payload called Powerton, a multi-purpose remote access Trojan. The Powerton malware, the HTA trick, and the job lure all fit APT33's modus operandi; the group had previously used the same techniques against oil and gas targets in the Persian Gulf region. Dragos also notes that the naming conventions of the domains used in the phishing infrastructure match those of the earlier attacks.
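The chain described above (link, HTA, script, payload) leaves a characteristic parent/child process pattern on a Windows endpoint, which is what a defender would hunt for in process-creation telemetry. The following is an added example, not code from the article or from any of the companies it quotes. It rests on one known Windows fact, that HTA files are executed by mshta.exe; the event format, field names, list of user-facing parent processes and the sample events are all constructed for this illustration.

```python
"""Flag process chains consistent with an HTA-launched script stage.

Added example, not part of the article. Assumes only that HTA files are run
by mshta.exe. Event schema, field names and SAMPLE_EVENTS are constructed.
"""
from __future__ import annotations

import ntpath

# Interpreters an HTA's embedded script commonly hands off to (assumed set).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}

# Processes from which a user would open a phishing link (assumed set).
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def _base(image_path: str) -> str:
    """Lower-cased executable name from a Windows path (ntpath works on any OS)."""
    return ntpath.basename(image_path).lower()


def classify(event: dict) -> str | None:
    """Return a reason string if the event matches the HTA chain, else None."""
    parent = _base(event["parent_image"])
    child = _base(event["image"])
    cmdline = event.get("command_line", "").lower()

    # Stage 1: mshta.exe started by a mail client or browser, or pointed at a
    # URL / .hta argument. Legitimate admin HTAs will also match; tune by
    # allow-listing known paths in a real deployment.
    if child == "mshta.exe" and (
        parent in USER_FACING_PARENTS or ".hta" in cmdline or "http" in cmdline
    ):
        return "mshta.exe launched from user-facing app or with URL/.hta argument"

    # Stage 2: mshta.exe itself spawning a script host (the VBScript step).
    if parent == "mshta.exe" and child in SCRIPT_HOSTS:
        return f"mshta.exe spawned script host {child}"

    return None


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run classify() over a batch of events; return (event id, reason) hits."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event["id"], reason))
    return hits


# Constructed sample telemetry; the domain and file names are placeholders.
SAMPLE_EVENTS = [
    {"id": "e1", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": 'mshta.exe http://example-placeholder.invalid/careers.hta'},
    {"id": "e2", "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe C:\Users\user\AppData\Local\Temp\stage.vbs'},
    {"id": "e3", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"id": "e4", "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -File stage2.ps1"},
    {"id": "e5", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {reason}")
```

The two rules are deliberately narrow: the first catches the moment a user-facing application hands a URL or .hta to mshta.exe, the second catches mshta.exe acting as a parent to a script interpreter. Either alone is noisy in environments that use HTAs legitimately; seeing both in sequence on one host is the signal worth paging on.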
Adam Meyers, vice president of intelligence at CrowdStrike, said that the economic focus of the job lure suggested the Iranian hackers were trying to learn more about the Trump administration's intentions regarding its trade sanctions against Iran, rather than preparing a more aggressive cyberattack. But he did not rule out that, given the right target, the group could later shift to more destructive sabotage. "I think it's probably information collection. But every time they go into that collection, it's possible that it can prepare for other operations," said Meyers. "Depending on what you recover, you make an assessment. You say, 'It's a good target, we could do something with that.'"
Joe Slowik, an analyst at Dragos, notes that even if APT33 is planting mines for a data-destruction operation, it may not trigger them unless the conflict between Iran and the United States deteriorates further. "When shit hits the fan, you can't afford to say 'I need cyber now,'" said Slowik. "So it can be related to having this strategic flexibility in the future without an immediate intention to disrupt or destroy. When you see tensions start to rise, it stands to reason that access will multiply."
Whatever its current intentions, Iran has a long history of disruptive and destructive cyberattacks against US targets and US allies. After the Stuxnet malware, a joint US-Israeli operation to sabotage an Iranian nuclear enrichment facility, was revealed, Iranian hackers launched an unprecedented attack on Saudi Aramco in the summer of 2012, using the Shamoon malware to destroy 30,000 computers and leaving an image of a burning American flag on their screens. The following month they launched a series of widespread denial-of-service attacks on the websites of almost every major US bank. In 2014, they launched another data-destruction attack, on the Las Vegas Sands casino, after the casino's owner, Sheldon Adelson, had publicly suggested that the United States drop a nuclear weapon on Iran.
But after the Obama administration signed an agreement with Iran that lifted many sanctions against the country in return for Iran's promise to end its nuclear development, these attacks on the West largely stopped, although they continued against targets in the Middle East. When Trump cancelled that agreement last year, however, cybersecurity experts warned that Iran was likely to restart its destructive hacking operations against the West. In December 2018, another Shamoon attack hit the network of the Italian oil company Saipem, whose main client is Saudi Aramco, although that attack was not clearly attributed to Iran.
The latest phishing campaign, set against the stormy military rhetoric coming from both Iran and the United States, is again raising fears that Iran's cyberattacks against the West are no longer on the wane. "The gloves may already be off," says FireEye's John Hultquist. "We're probably heading very soon to a place where days of aggressive Iranian activity are likely to come. If we exchange blows with them in the Gulf, I don't see them holding back."