Iran Focus
London, 8 Dec – The Iranian Regime’s ever-growing network of hackers- and their various hacks- show no sign of slowing down, according to new research by the security firm FireEye.
The report, published on Thursday, showed that a new Iranian regime network reconnaissance group called Advanced Persistent Threat 34 has spent years infiltrating critical infrastructure companies.
This report, which contains research collected by a team of 34 researchers between 2015 and 2017, is a warning about the danger that the international community could face if Iran isn’t stopped, especially considering their previous aggressive hacks on the financial sector and a New York dam.
APT 34 has been in operation since at least 2014, according to FireEye, and have targeted financial, energy, telecommunications, and chemical companies.
They are using malicious email attachments- like Excel documents- to trick targets into downloading a virus or creating fake social media profiles to lure employees in and trick them into downloading a virus hidden inside an image file.
Jeff Bardin, the chief intelligence officer of the threat-tracking firm Treadstone 71, which monitors Iranian regime’s hacking activity said: “They get in and make a lot of modifications, download new malware, manipulate the memory, so it’s definitely pretty sophisticated. And the Powershell activity has been largely a hallmark of Iranian activity lately. They change their tactics constantly. The more we divulge things we know about them, the more they’ll shift and change.”
Evidence of Iranian regime Involvement
The evidence that APT 34 is Iranian comes from their Iranian IP addresses, the fact that hacks occur during normal Iranian business hours, and that their efforts align with Iranian interests by targeting Iran’s enemies (like political dissidents).
John Hultquist, director of intelligence analysis at FireEye, said: “We have seen, and this is with a lot of the Iranian actors, a very disconcerting or aggressive posture towards critical infrastructure organizations. APT 33 has targeted a lot of organizations in critical infrastructure in the Middle East and so has APT 34. They obviously represent opportunities for intelligence collection. But we always have to think about the alternative use of those intrusions or accesses as possible means for disruption and destruction, especially given the destructive incidents we’ve already seen with other Iranian actors.”
Currently APT 34 doesn’t appear to have targeted the United States, but there are many other Iranian hacking groups that have done that already, such as Charming Kitten, the group behind the HBO hack.
Links to Regime
There is evidence that the hackers are working on behalf of the Iranian Regime- as the targets are so different from the traditional hacking targets. Why would ordinary hackers target people who oppose the Regime (i.e. academic scholars, human rights activists, journalists, and dissidents or exiles)?
The Regime has a long history of employing hackers to target their enemies and conduct cyber espionage as part of the Regime’s so-called Cyber Army.
Hultquist said: “This is yet another example of Iranian cyber capability, which only seems to grow every day. It’s a challenge for people who are concerned with Iranian actors, and as geopolitics shifts, the number of people who should be concerned with Iranian actors will probably only increase.”