By Eric Auchard
FRANKFURT, Sept 20 (Reuters) – Hackers likely linked to Iran’s government are behind attacks on Saudi, U.S. and South Korean aerospace and petrochemical firms, signalling a rise in Iranian cyber-spying prowess, U.S. security firm FireEye said on Wednesday.
A FireEye report dubbed the newly identified group APT33 and detailed evidence of its activity since 2013: stealing military and aerospace secrets, while also preparing attacks capable of bringing down entire computer networks.
FireEye identified APT33 after it was called in to conduct forensic investigations into cyber attacks on a U.S. aviation organisation, a Saudi business conglomerate with aviation holdings, and a South Korean group with interests in oil refining and petrochemicals. FireEye declined to name the firms.
In a separate but related move last week, the U.S. Treasury Department added two Iran-based hacking networks and eight individuals to a U.S. sanctions list, accusing them of taking part in cyber-enabled attacks on the U.S. financial system.
FireEye said APT33 was the first state-backed group from Iran to join a list it has compiled over the past decade that identifies campaigns by Chinese, Russian and North Korean cyber spies. APT stands for “Advanced Persistent Threat”.
“Iranian fingerprints are all over this campaign, and government fingerprints in particular,” John Hultquist, FireEye’s director of cyber espionage analysis, told Reuters in an interview. “Right now we are seeing a lot of activity that seems to be classic cyber espionage.”
Hultquist said APT33 shared some tools with, but appeared to be distinct from, around 15 other hacking groups with Iranian ties that security researchers have identified in recent years under names like “Shamoon”, “RocketKitten” and “Charming Kitten”.
The Kitten nomenclature reflected the low level of respect that Iran’s hacking capabilities once commanded, some experts have said.
FireEye said the attacks against the Saudi and South Korean groups occurred as recently as May and relied on email credential phishing, with spear-phishing lures built around fake job vacancies in the Saudi oil industry to draw in corporate victims.
Speaking to reporters on Wednesday, FireEye Chief Executive Kevin Mandia said Iranian cyber espionage had grown in sophistication since he first spotted Iranians conducting rudimentary attacks on the U.S. State Department in 2008.
“They’re good. (They’ve) got a real capability there,” Mandia said of Iran. In the investigations of attacks on Western companies and governments that FireEye is hired to do, Iran now ranks with China and Russia in terms of frequency, he said.
Iran has been scaling up its cyber capacities since the United States and Israel carried out a cyber assault on Iran in 2010, now known as the “Stuxnet” worm, aimed at disabling centrifuges in its nuclear programme, the FireEye CEO noted.
Mandia said Iranian cyber tactics followed different rules depending on whether the target was Saudi Arabia, its regional arch-enemy and theological rival, or the United States.
“They have different rules of engagement when they are operating in the Middle East; they don’t destroy stuff in the U.S.,” he said.
Evidence of Iranian links includes the use of Farsi in the malware deployed in the attacks and activity patterns that follow the Islamic Republic’s work week, with Thursdays off, among other indicators.
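The work-week clue above is a general attribution technique: take every timestamped trace an intruder leaves (sample compile times, command-and-control check-ins, phishing send times) and ask in which candidate timezone those timestamps form a plausible working day and working week. The Python script below is an added illustration, not FireEye’s tooling or anything from its report. It uses a constructed set of events (four weeks of activity on a Saturday-to-Wednesday week, assumed here to be the Iranian pattern, with two stray Thursday events) and a fixed UTC+03:30 for Tehran, ignoring daylight-saving shifts, so that it runs without a timezone database; both are assumptions made for the example.

```python
"""Work-week and time-of-day profiling of attacker activity timestamps.

Added example, not FireEye's code. Input: event timestamps in UTC (sample
compile times, C2 check-ins, phishing send times). Output: which weekdays
are nearly silent and which hours are busy once the timestamps are viewed
in a candidate operator timezone.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]

# Assumption: fixed UTC+03:30 for Tehran, ignoring daylight-saving changes,
# so the example needs no tz database.
TEHRAN = timezone(timedelta(hours=3, minutes=30), "Tehran(+0330)")
UTC = timezone.utc


def weekday_profile(events_utc, tz):
    """Events per local weekday after converting each UTC timestamp to tz."""
    counts = Counter(WEEKDAYS[ts.astimezone(tz).weekday()] for ts in events_utc)
    return {day: counts.get(day, 0) for day in WEEKDAYS}


def hour_profile(events_utc, tz):
    """Events per local hour of day in tz."""
    counts = Counter(ts.astimezone(tz).hour for ts in events_utc)
    return {h: counts.get(h, 0) for h in range(24)}


def quiet_days(profile, fraction=0.2):
    """Weekdays with fewer than `fraction` of the median active day's events.

    The median of non-zero days, not the mean, keeps one or two stray
    'overtime' events from hiding a day that is otherwise off.
    """
    active = [c for c in profile.values() if c > 0]
    if not active:
        return set()
    cutoff = fraction * median(active)
    return {day for day, c in profile.items() if c < cutoff}


def active_hours(events_utc, tz, fraction=0.2):
    """(first, last) local hour with meaningful activity in tz, or None."""
    profile = hour_profile(events_utc, tz)
    active = [c for c in profile.values() if c > 0]
    if not active:
        return None
    cutoff = fraction * median(active)
    hours = sorted(h for h, c in profile.items() if c > 0 and c >= cutoff)
    return hours[0], hours[-1]


def constructed_events():
    """Constructed sample, not real telemetry: four weeks of activity at
    08:15-16:15 Tehran time, Saturday to Wednesday, with two stray
    Thursday events; Fridays are silent."""
    events = []
    start = datetime(2017, 5, 6, tzinfo=TEHRAN)      # Saturday 6 May 2017
    for offset in range(28):
        local_day = start + timedelta(days=offset)
        wd = local_day.weekday()                      # Monday=0 ... Sunday=6
        if wd == 3:                                   # Thursday: rare overtime
            if offset % 14 == 5:
                events.append(local_day.replace(hour=10).astimezone(UTC))
            continue
        if wd == 4:                                   # Friday: off
            continue
        for hour in range(8, 17):
            events.append(local_day.replace(hour=hour, minute=15).astimezone(UTC))
    return events


if __name__ == "__main__":
    events = constructed_events()
    for label, tz in (("UTC", UTC), ("Tehran", TEHRAN)):
        profile = weekday_profile(events, tz)
        print(f"{label:7s} quiet days: {sorted(quiet_days(profile))}, "
              f"active hours: {active_hours(events, tz)}")
```

Two things the output makes visible: the silent Thursday/Friday pair survives whichever timezone the analyst picks, because a 3.5-hour offset never pushes a daytime event across midnight, whereas the busy band of hours only lands on a believable 08:00 to 16:00 working day when viewed in Tehran time (in UTC it sits at 04:00 to 12:00). Work-week evidence is therefore corroborating, never conclusive: a group can shift its hours deliberately, and timestamps such as PE compile times can be forged.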
FireEye found some ties between APT33 and the Nasr Institute – which other experts have connected to the Iranian Cyber Army, an offshoot of the Revolutionary Guards – but it has yet to find any links to a specific government agency, Hultquist said.
He said APT33 had built a destructive attack capacity into the malware used to infect Western companies, but there was no evidence so far they had activated this tool. However, FireEye believes it is only a matter of time before the group graduates from intelligence gathering to causing lasting damage.