London, 16 May – In April, US computer security experts had to combat a threat from a gang of hackers, believed to be Iranian, who were trying to hack into the network of a military contractor.
Had the hackers been successful, it could have been a major problem for US national security, but luckily, the defenders managed to block them at every turn.
The defenders believe that Russia may have been involved in this hacking attempt, as the Iranian hackers were using a toolset that belonged to a Russian mercenary hacker who attacked Ukraine in 2015 and shut down parts of the country’s power grid.
Carl Wright, an executive at TrapX, the Silicon Valley security firm that thwarted the hackers last month, said: “This is the very first time we’ve catalogued an attack where Iranian hackers are working with Russian hackers-for-hire.”
TrapX cannot name the victim of the attack due to confidentiality agreements.
Tom Kellermann, a computer security expert who previously served as the chief cybersecurity officer at Trend Micro, the Tokyo-based security giant, and was a member of a commission advising the Obama administration on online security, said that this Iran-Russia hacking partnership was “historic”.
He said: “Iranian hackers have dramatically increased their cyber weaponry and tactical proficiency as a result.”
The Iranian hackers, known as OilRig, have previously hacked oil companies in Saudi Arabia and Israel, before targeting military, financial and energy companies in Europe and the US.
However, security experts have dismissed the Iranian hackers as the “B-Team” arguing that they are not as advanced as Chinese, Russian or Eastern European hackers.
Moshe Ben-Simon, vice president of TrapX Labs, the company’s research arm, noted that 70% of the code used in April’s attack was identical to that used by OilRig in the past but the final stage was completely different.
He said: “It was a departure from anything they’ve done in over 200 documented attacks.”
He noted that it took weeks to crack the tool and extract information.
Other security experts note that it is possible for the Iranian hackers to have taken the Russian hacking tool without permission and customise it.
TrapX rebuts this though, noting that several of the web domains were registered to a Russian alias and three of the emails are still being used in Russian hacking forums and on the Dark Web.
Wright also notes that the hacker has been renting out services on the Dark Web.