By Jubin Katiraie
Three cybersecurity firms have said that they’ve seen Iranian hackers try to infiltrate a number of US organizations over the past few weeks, as tensions between the two nations continue to rise.
It is not yet known whether the hackers were trying to gather intelligence, aiming to create disruptive cyber attack or both. It is not even known if the Iran hackers managed to successfully infiltrate their targets.
However, security firms Crowdstrike and Dragos have said that they saw a new campaign of targeted phishing emails from hacker group APT33 aimed at a variety of US targets, including the Department of Energy, last week. APT33, also known as Magnallium, or Refined Kitten, is widely believed to be working for the Iranian Regime. While security firm FireEye confirmed that there has been an Iranian phishing campaign targeting government agencies and private companies in the West, but did not mention APT33 specifically.
John Hultquist, director of threat intelligence at FireEye, said: "Essentially, there have been many people targeted since these tensions increased. We're not sure if it's intelligence collection, gathering information on the conflict, or if it's the direst concern we’ve always had, which is preparation for an attack."
While some believe that this may be cyber espionage on behalf of Iran, others note that APT33 has links to data-destroying malware and could be attempting a bigger cyberwar. FireEye previously wanted that APT33 infected some victims with "dropper" malware to plant a piece of data-destroying code, while Crowdstrike assessed that APT33's fingerprints are on intrusions that involved destructive malware known as Shamoon.
CrowdStrike's vice president of intelligence Adam Meyers believes that Iran is likely trying to learn about the US’s intentions around its trade sanctions against Iran, but doesn’t discount the chance of it pivoting to more destructive sabotage.
While Dragos analyst Joe Slowik said that Iran could well be planting mines now that it would detonate later.
He said: "It may be related to having that strategic flexibility in the future with no immediate intention to be disruptive or destructive. When you see tensions start to rise, the need to flesh out that access is going to increase in tandem."
Iran has conducted several hacking campaigns against the US in the past, but this latest one, happening against the backdrop of increased tensions between the two countries, raises fears about how far Iran will go.
Hultquist said: "The gloves may already be off. We’re probably headed for a place very, very soon, where the days of aggressive Iranian activity are likely to return. If we’re trading blows with them in the Gulf, I don’t see them holding back."