Iranian Hackers are Hard at Work

Iranian hackers have launched sustained attacks on the social networking service LinkedIn with the support of the Iranian government, a new report has revealed. The attacks, which use malware to infiltrate individual and company accounts, have specifically targeted companies with links to the United States and countries in the Middle East. 

The research was published by cybersecurity agency FireEye, and reveals that state-sponsored hackers known by the name APT34 attempted to infiltrate personal and public computers and infect them with spy malwares. The group created fake accounts on LinkedIn and sent their targets malicious links to infect their accounts. In one instance, an account given the name "Rebecca Watts" was set up to lure potential targets. 

The FireEye report follows on from Microsoft revelations that as many as 10,000 accounts had been compromised on its platforms, and further reports on the growing expertise of Iranian hackers and the risk to citizens' privacy and security.

Iranian hackers have a long history of disrupting social networks and other websites, targeting journalists and political activists, as well activists involved with women’s rights, the environment, and civil society. They have also infiltrated private and public organizations and their employees. Hackers like APT34 tend to gather as much data as they can from targeted individuals, and also build a picture of how these individuals are linked. 

According to the FireEye report, APT34’s chief targets since 2014 have been companies and organizations working in energy and the financial sectors in the United States and Middle Eastern countries. They have also targeted government-linked accounts in these countries. 

But how do they operate? In the case of the fake Rebecca Watts account, the hackers set up and posted regularly on a profile on LinkedIn, introducing "her" as an academic teaching at Oxford University in the United Kingdom. People or groups connecting with her profile received an Excel document during normal business hours asking them to open the file in a Windows environment for security reasons. When the user opened the file, the malware software was engaged, giving the hacker full access to the information stored on the user’s computer. 

 

Iran’s Hackers and Microsoft Accounts

Iranian hackers are often experts in social engineering and phishing attacks, where URLs designed to look like bonafide business or institutional websites are set up and the links to them sent to unsuspecting individuals or companies. They might not be experts in computer technology, but these hackers have become adept at using refined tactics to target specific individuals in order to access the sought-after information.  

In fact, some cybersecurity experts have stated that Iranian state-sponsored hackers are some of the most sophisticated in the world when it comes to phishing attacks. They are accomplished at setting up phony accounts and identities, and they follow their victims closely, studying their lifestyles and hobbies, and often gaining their trust before infecting their personal accounts and devices. 

Microsoft has also published details of its efforts to counteract hacking and cyber attacks during the last year. Posting on its "Microsoft on the Issues" official blog, the tech giant said it had issued direct warnings to more than 10,000 groups and people with Microsoft accounts — 84% of them belonging to organizations and 16% personal accounts — that they had been targets of state-sponsored hacking attacks. 

According to Microsoft, Iran, Russia and North Korea were responsible for a majority of these attacks. Hackers focused on NGOs, think thanks, and human rights and democracy activists. The report also mentions hacking of the USA 2016 presidential election and says countries including Iran, Russia and North Korea are trying to find new ways to infiltrate the 2020 presidential election as well. 

Six months ago, in December 2018, Associated Press reported on research conducted by a London-based cybersecurity institution called Certfa. It outlined how some Iranian hackers using the name “charming kittens” hacked the online accounts of US officials. At least 77 accounts belonging to US treasury officials, as well as the accounts of several nuclear scientists, were compromised. One of the compromised individuals was a senior US official working with the inter-governmental Financial Action Task Force (FATF), which identifies and combats money-laundering and the financing of terrorism.

However, some Iranian activists who live in exile outside Iran also been targeted. 

Kevin Miston, one of Certfa’s researchers, told IranWire: “In recent years, many Iranian state-sponsored hackers have emerged and tried to access different information for various campaigns. In general, their main mission is to access secret and classified strategic and geopolitics information and also financially hurt some of the target organizations. However, the main thing that we saw from them so far were social engineering campaigns and phishing attacks. In the instance of 'charming kittens', we collected evidence that proved Iranian state-sponsored hackers are specifically designing new techniques to target US officials and people involved in economic and military sanctions against Iran.”

Miston added that he thought one of the most important outcomes of the research and analysis was discovering the Rebecca Watt fake account. “Hackers used 'Rebecca’s' account to infect victims with malware. But we should keep in mind that Rebecca [Watt] was not the only fake account run by them and exposing her won’t stop them from creating more fake accounts like hers. Another important point to the FireEye report is that Iranian hackers are now combining their traditional phishing attacks with controllable malware to help them design multi-level social engineering campaigns. They first gain the trust of their victims and then use the malwares to infect them. Iranian hackers are getting better at this day by day.”

Prior to its June 2019 official blog post, Microsoft revealed in March 2019 that Iranian state-sponsored hackers had targeted thousands of personal accounts and more than 200 companies and caused millions of dollars in damages. The company stated that it had blocked 99 phishing websites belonging to Iranian state-sponsored hackers, and said that in addition to the phishing sites, hackers sent legitimate-looking emails infected with malware to target their victims. Their targets were journalists, civic and political activists, nuclear scientists, and US army employees, as set out in the AP report. 

According to a Wall Street Journal article also published in March 2019, after stealing what they need, Iranian hackers usually delete all the information on their victims’ devices. 

APT34 was responsible for some of these attacks, along with another group called “Holmium,” according to the Wall Street Journal article. It said they targeted natural gas and oil companies and heavy machinery manufacturers located in a number of countries including Saudi Arabia, the United Kingdom, Germany, India and the United States.

In May 2019, the Iran Human Rights Campaign reported that Iranian hackers have made considerable advances in malware design over the last year — targeting ethnic groups, including against the website administrators and managers for Majzooban Noor, a online platform for Iran’s Gonabadi Dervish community. 

According to the campaign group’s research, some of these phishing attacks, carried out by hackers based in Urmia in West Azerbaijan, were designed to be carried out on the messaging app Telegram with the aim of directing followers of particular channels to fake domains in order to infect their accounts and computers with malware. 

 

Iranian Officials Also Targeted

However, hackers do not limit their attacks to dissidents in exile and foreign companies. In some cases, state-sponsored hackers have even targeted Iranian officials. For example, in early 2019, Member of Parliament Alireza Rahimi claimed that a classified email between Foreign Minister Javad Zarif and President Hassan Rohani had been leaked and then published — a reference to Zarif’s February 2019 resignation after he was not informed of or invited to a meeting with Syrian president Bashar al-Assad. “Zarif knows that his email and conversations with the president were compromised and published on websites, but he has stayed silent because he is used to it and does not seek drama,” Rahimi said. In the end, Zarif did not resign.

Other targeted Iranian officials include Rouhani’s advisor Hesam-al-Din Ashna, former vice president for women and family affairs Shahindokht Molaverdi, figures in the administration, and members of the president's family.

Amir Rashidi, a cybersecurity expert who works on privacy and access to the internet for the Iran Human Rights Campaign, talked to IranWire about the Iranian government’s official stance on the hackers who work for them.“They have not take a positive nor a negative stance on this. Even Rouhani, who tries to convey his messages with jokes and metaphors, has not raised this issue. This silence is weird, since it’s not clear whether they deem this issue to be important.”

Rashidi says that the government’s approach and its cybersecurity agenda have not changed much during Rouhani’s administration compared with his predecessors. What has changed is that there is newer technology. “For example, for some period of time, we did not have [any problems with the] two-stage verification [method of protecting data], and the hackers could only use phishing and malware. But now they have created fake second stages for verification to target [people] inside the country and gain access to their accounts. However, outside Iran they are still limited to phishing and malware. Politically, nothing has been changed.” But Rashidi said one recent attack targeting 74 accounts was one of the “cleanest hacking jobs” he could cite.

Rashidi pointed to human rights organizations’ condemnation of and warnings about government-supported hackers, and their concerns over privacy. He indicated that despite the international attention these attacks are receiving, it is hard to see how the malicious attacks can be stopped. “Wars have their own rules. For example, if a party attacks civilians or murders prisoners of war, he has committed a war crime and will be prosecuted in an international court,” he said, warning that cybercrimes were less adequately supported by international legislation. "It’s such chaos that any government does whatever it wants. Also, in a physical war, soldiers wear uniforms and weapons are branded, which makes it easier to identify the wrongdoers, but in a cyber attack it’s hard to identify the real person responsible for the attack. People can fake their credentials online. We have no international treaty to regulate this space.”

Today the world will not always witness a physical war between states. Now the real wars will be cyber wars. The most famous example of such a war was “Staxnet,” which entered an Iranian network via a USB connection and dismantled some of Iran’s nuclear infrastructure, including damaging centrifuges. In November 2010, former president Mahmoud Ahmadinejad stated at a press conference that the virus had been designed by western governments.

Another example of cyberwar is Iran’s Shamoun malware, which targeted Saudi Arabian nuclear plants. In this attack, the Islamic Republic attempted to use Hebrew-language domains and names to blame Israel for the attack, but after a short time, these claims were debunked, and Iran was exposed as being the responsible party.