
December 11, 2020

Iran’s State-Sponsored Hackers Continue to Wage Cyber War

Iran’s government-affiliated hacking groups are among the most prolific in the world. While not considered the most sophisticated attackers, they are still a formidable foe for enemies in the Middle East, Europe, and North America.

Backed by the despotic regime

Intelligence indicates many of Iran’s hacker divisions are part of the Islamic Revolutionary Guard Corps (IRGC). The IRGC is responsible for quelling internal political strife and has an unsavory reputation for violently suppressing protests against the current regime[1]. The Corps initially introduced hacker groups to spy on citizen dissidents, but their responsibilities soon grew. Today, they still perform domestic monitoring activities but also engage in global cybercrime efforts, including international espionage and ransomware deployment.

Subfactions galore

Most state-sanctioned hacking enterprises form subgroups within the overarching military or political hierarchy. Iran is no different, employing at least half a dozen Advanced Persistent Threat (APT) groups. Analysts believe some APTs are independent entities with sworn allegiance to Ali Khamenei, the Supreme Leader, while the state directly operates other units.

Known APTs

Fox Kitten

Fox Kitten, aka Pioneer Kitten, aka Parisite, is a well-known APT thought to be under government contract rather than explicit control. Actors associated with the group recently put access to compromised corporate networks up for sale on an underground forum[2]. This suggests Iran isn’t officially operating Fox Kitten: a government would likely prioritize keeping the intelligence secret over a relatively small payment.

Fox Kitten relies on freely available, open-source tools and on exploiting known vulnerabilities in Virtual Private Network (VPN) appliances and Remote Desktop Protocol (RDP) services to get in. Once inside, they set up SSH tunnels so that traffic to their implants rides inside encrypted connections that look like ordinary remote administration and are hard to pick out of normal network traffic. From there, Fox Kitten controls the compromised machines remotely and exfiltrates large amounts of sensitive data.

They typically focus on high-value targets in the tech, defense, healthcare, engineering, government, and financial sectors. The bulk of their attacks are against organizations in North America and Israel, which offers another clue as to their origins.

Charming Kitten

Charming Kitten, aka Phosphorus, aka Newscaster, is an APT that has been active since 2014[3]. The group is most known for two highly-publicized events.

  • They are the group linked to United States defector Monica Witt. Witt is a former U.S. Air Force intelligence agent who renounced the United States, defected to Iran in 2013, and provided their government with classified intel[4]. According to the indictment, she then worked with Charming Kitten to target susceptible military personnel for further espionage.
  • A hacker now understood to be affiliated with Charming Kitten was responsible for the 2017 HBO hack[5]. This was a famous incident where the script for a future ‘Game of Thrones’ episode leaked, spoiling it for fans everywhere. Not exactly state secrets, but an embarrassing situation nonetheless. In a strange turn, the United States Department of Justice contends that Witt and the HBO hacker now work closely together.

Charming Kitten uses phishing techniques to impersonate trustworthy entities. They mainly target journalists, activists, academics, and government institutions with their deceptive campaigns. The hackers steal their victims’ account information while analyzing their contacts.

Rocket Kitten

Rocket Kitten (what’s with these cute codenames?), aka TEMP.Beanie, aka Timberworm, is a state-operated APT that focuses on espionage against Iran’s Middle Eastern enemies and internal opposition. According to research by the cybersecurity firm Check Point, nearly 50% of its activity centers around Saudi Arabia[6].

The group favors spear phishing and social engineering to compromise their victims. They are noted to be unrelenting in their attacks once they set an objective. This means that even though their methods aren’t very advanced, their overall success rate is high. It only takes one employee off their game for a day to open up a vulnerability in a network.

Rocket Kitten’s most recognized achievement came in 2016 when they compromised Iranian accounts on Telegram, the popular private messaging client[7]. Private communication is especially valuable in countries without free speech like Iran. Rocket Kitten abused Telegram’s SMS-based account activation: by intercepting the one-time codes sent over the Iranian phone network, they could take over accounts without needing a password, and by abusing the service’s contact-lookup feature they identified the phone numbers of roughly 15 million Iranian users. A list like that is a ready-made tool for a crackdown on anti-government speech.

Needless to say, these kittens have claws! And there are more Iranian APTs than the three profiled here.

2020 incidents

If you only read about the most publicized Iranian cyberattacks, you might think they’ve slowed down recently. In reality, 2020 was a banner year for them! Even if they didn’t grab the world’s attention at large, there were still plenty of interesting developments.

August 2020:

In August, the FBI warned that Fox Kitten exploits newly disclosed vulnerabilities to breach networks worldwide, moving faster than organizations can patch[8]. The hackers don’t need to find unknown (zero-day) weaknesses. They wait for cybersecurity professionals to disclose flaws in widely deployed products (the FBI notice concerned F5 networking devices) and strike high-priority targets in the window before the fixes are applied. According to the FBI, Iran breached two major companies in 2020 using these methods. The agency did not disclose the names of the organizations.

September 2020:

The United States Department of Justice indicted three state-sponsored Iranian hackers for a series of attacks on American satellite companies[9]. It is uncertain which APT the alleged culprits belonged to, but the indictment states that at least one of them is a member of the IRGC. Posing as employees of the organization they wished to attack, they bombarded legitimate employees with emails and deceived them into opening infected attachments. Again, the U.S. government didn’t name any specific breached organizations but did say the hackers made off with intellectual property from multiple companies located in the U.S. and abroad.

October 2020:

In late October, Charming Kitten showed that Iran’s cyberwarfare division has a strong sense of irony (Iran-y?) by attacking attendees of the upcoming Munich Security Conference[10]. They used fake emails and websites made to look like official communications from conference representatives to steal credentials and personal information. Many diplomats and attendees fell for the ruse and exposed their information to Iran’s government. Who needs a security conference when Iran is educating officials for free?

Data protection

It may not be something you think about daily, but it’s an undeniable fact we’re in a global war. It’s just a cyberwar rather than traditional aggression. The participants have replaced tanks and aircraft with computers and cellphones. This seemingly unending conflict plays out just beneath the surface of society. Civilians rarely notice, but those enlightened with the truth can see the consequences everywhere.

Malicious, state-sponsored actors battle against each other to steal secrets and confidential data from their enemies. In the case of Iran, their APTs don’t even need sophisticated techniques[11].

Most of their operations utilize open-source or publicly available software. They get into VPN and RDP services by exploiting known vulnerabilities or by brute-force password guessing. Their ransomware deployments are non-proprietary Ransomware-as-a-Service (RaaS) frameworks purchased from more competent groups.
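The RDP password guessing described above leaves a very recognizable trail in the Windows Security log. As an added example (not code from the original post), here is a small detector run over constructed log records: event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values, while the timestamps, IP addresses and usernames are made up for the demonstration.

```python
"""Flag RDP password guessing in Windows Security log events.

Added example, not code from the AXEL post. The event IDs and logon type
are the real Windows values (4625 failed logon, 4624 successful logon,
LogonType 10 = RemoteInteractive/RDP); the records below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample records (time, EventID, LogonType, source IP, target user).
SAMPLE_EVENTS = [
    # Six failures across five accounts from one source, then one success:
    # password spraying that eventually lands on a weak password.
    {"time": "2020-08-10T02:00:01", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2020-08-10T02:00:07", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"},
    {"time": "2020-08-10T02:00:13", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-08-10T02:00:19", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "svc_rdp"},
    {"time": "2020-08-10T02:00:25", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "jsmith"},
    {"time": "2020-08-10T02:00:31", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2020-08-10T02:00:40", "id": 4624, "logon_type": 10, "ip": "203.0.113.7", "user": "jsmith"},
    # A user mistyping a password twice, then logging in: benign at the default threshold.
    {"time": "2020-08-10T03:10:00", "id": 4625, "logon_type": 10, "ip": "198.51.100.22", "user": "mlee"},
    {"time": "2020-08-10T03:12:00", "id": 4625, "logon_type": 10, "ip": "198.51.100.22", "user": "mlee"},
    {"time": "2020-08-10T03:13:00", "id": 4624, "logon_type": 10, "ip": "198.51.100.22", "user": "mlee"},
    # Network (SMB-style) logon failures are LogonType 3, not RDP, and are ignored here.
    {"time": "2020-08-10T04:00:00", "id": 4625, "logon_type": 3, "ip": "192.0.2.9", "user": "guest"},
    {"time": "2020-08-10T04:00:01", "id": 4625, "logon_type": 3, "ip": "192.0.2.9", "user": "guest"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with >= threshold failed RDP
    logons inside a sliding `window`. A later RDP success from the same
    source is recorded as `success_after`: that is the signal that the
    guessing worked and the account needs an immediate password reset."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    recent = defaultdict(deque)  # ip -> (time, user) of failures still inside the window
    findings = {}
    for e in ordered:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip, t = e["ip"], datetime.fromisoformat(e["time"])
        if e["id"] == FAILED_LOGON:
            q = recent[ip]
            q.append((t, e["user"]))
            while t - q[0][0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"first_failure": q[0][0].isoformat(),
                                              "failures": 0, "users": set(),
                                              "success_after": None})
                f["failures"] = len(q)
                f["users"] = {u for _, u in q}
        elif e["id"] == SUCCESSFUL_LOGON and ip in findings:
            findings[ip]["success_after"] = {"time": e["time"], "user": e["user"]}
    for f in findings.values():
        # Many distinct accounts from one source = spraying; one account = targeted guessing.
        f["pattern"] = "password spray" if len(f["users"]) > 1 else "single-account guessing"
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, f["pattern"], f["failures"], "failures; success:", f["success_after"])
```

With the default threshold only the spraying source is reported, and the `success_after` field tells the responder which account the attacker actually got into. Lowering the threshold to 2 also catches the mistyping user, which is the usual tuning trade-off; in practice the windowed count should be paired with a simple denylist of IPs that never legitimately reach RDP, since exposed RDP should not be reachable from the internet at all.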

In comparison to hackers in China or Russia, Iran is downright second-rate. Yet, they’re still thriving. This fact alone should be eye-opening to people and organizations around the world. It’s time to get serious about securing your data.

AXEL’s commitment

AXEL is dedicated to providing industry-leading data sharing and storage solutions. Our platform, AXEL Go, combines three state-of-the-art technologies to ensure your files are stored and shared securely. Utilizing blockchain technology, the InterPlanetary File System (IPFS), and encryption, you can finally have peace of mind that your files are private and safe. We have options for all types of users, whether for personal or enterprise roles. Download AXEL Go today for free. Our basic tier has 2GB of online storage and enough network fuel for thousands of typical shares. In the age of cyberwarfare, you need the best tools possible to protect yourself and your organization. Don’t settle for less.

 

[1] Yaghoub Fazeli, “Soleimani directly involved in suppressing Iran protests: Former IRGC General”, Al Arabiya English, Feb. 10, 2020, https://english.alarabiya.net/en/News/middle-east/2020/02/10/Soleimani-directly-involved-in-suppressing-Iran-protests-Former-IRGC-General

[2] Catalin Cimpanu, “Iranian hackers are selling access to compromised companies on an underground forum”, ZDNet, Sept. 1, 2020, https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum/

[3] “Charming Kitten”, MITRE ATT&CK, Jan. 16, 2018, https://attack.mitre.org/groups/G0058/

[4] “Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged with a Cyber Campaign Targeting Her Former Colleagues”, The United States Department of Justice, Feb. 13, 2019, https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber

[5] Daniel Victor and Sheera Frenkel,  “Iranian Hacker Charged in HBO Hacking That Included ‘Game of Thrones’ Script”, The New York Times, Nov. 21, 2017, https://www.nytimes.com/2017/11/21/business/hbo-hack-charges.html

[6] “Rocket Kitten: A Campaign With 9 Lives”, Check Point Software Technologies, https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

[7] Joseph Menn and Yeganeh Torbati, “Exclusive: Hackers accessed Telegram messaging account in Iran – researchers”, Reuters, July 27, 2016, https://webcache.googleusercontent.com/search?q=cache:DE8XABScILkJ:https://ar.reuters.com/article/us-iran-cyber-telegram-exclusive-idUSKCN10D1AM+&cd=5&hl=en&ct=clnk&gl=us

[8] Catalin Cimpanu, “FBI says an Iranian hacking group is attacking F5 networking devices”, ZDNet, Aug. 10, 2020, https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/

[9] “State-Sponsored Iranian Hackers Indicted for Computer Intrusions at U.S. Satellite Companies”, The United States Department of Justice, Sept. 17, 2020, https://www.justice.gov/opa/pr/state-sponsored-iranian-hackers-indicted-computer-intrusions-us-satellite-companies

[10] Laurens Cerulus, “Iranian hackers target top diplomats and security officials”, Politico, Oct. 28, 2020, https://www.politico.eu/article/iranian-hackers-target-munich-security-conference-crowd/

[11] Brooke Crothers, “Unsophisticated Iranian hackers armed with ransomware are targeting companies worldwide”, Fox News, Aug. 26, 2020, https://www.foxnews.com/tech/unsophisticated-iranian-hackers-armed-with-ransomware-are-targeting-companies-worldwide


Filed Under: Cybersecurity Tagged With: charming kitten, data protection, fox kitten, iran, iran hackers, rocket kitten

September 18, 2020

Hackers Enjoy Open Season for Data

Much like open mic night at the local Giggle Barn, the hacks just keep on coming. In the last four weeks alone, there have been many developments. Here are some of the most publicized cases.

Equinix ransomware

Equinix is a large data center operator based in Redwood City, California. Obviously, data centers are prime targets for threat actors; they’re the equivalent of banks for bank robbers. Over the U.S. Labor Day holiday weekend, hackers using the “NetWalker” ransomware gained access to Equinix’s systems and deployed it.

NetWalker’s payload operates similarly to other ransomware. Once it has infected a network, sensitive files are encrypted, and the hackers demand a hefty ransom to unlock them. NetWalker is interesting because its operating rules hint at a Russian connection: one of their core tenets is not attacking entities located in Russia or the Commonwealth of Independent States. Whatever their affiliations, it’s undeniable that they have been successful recently. Since March this year, they have collected $25 million[1] in ransom.

They have demanded $4.5 million alone for the Equinix incident. It is unknown if Equinix has paid at the moment, but NetWalker has a history of dumping the affected files on black marketplaces once the deadline expires. So, it should be known soon whether they reached a deal.

$5.4 million crypto heist

On September 8th, thieves stole $5.4 million in various cryptocurrencies from the Slovakian exchange, Eterbase. The cyber bandits got away with undisclosed amounts of Bitcoin, Ethereum, Ripple, Tezos, Algorand, and TRON. They moved the stolen crypto into wallets housed on major exchanges such as Binance and Huobi.

Eterbase claims they have the capital necessary to take the hit and will reimburse any affected investor.  They have already notified the proper authorities and are working with the other exchanges to track the culprits. Heists such as this have caused other small exchanges to close in the past, so it’s good to see Eterbase holding firm.

300K WordPress sites exploited

On September 1st, a critical vulnerability was disclosed in versions 6.0 through 6.8 of the File Manager plugin for WordPress. It allows unauthenticated attackers to upload files to the site and run arbitrary code on the web server. The plugin author closed the hole quickly in version 6.9, but analysts estimate that up to 300,000 websites are still running a susceptible version.

Since finding the exploit, hackers have been probing WordPress sites non-stop. In a strange twist, many hackers have found themselves fighting off other hackers after gaining illicit access to a site. Hackers hacking hackers.

If you run a WordPress website with the File Manager plugin, please check to ensure you’re running version 6.9 (or higher if you’re reading this in the future). If not, update immediately.
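If you look after more than one site, that check is worth scripting. The following is an added example, not code from the original post: it reads the version out of a plugin’s main PHP file header (the comment block WordPress itself uses to identify a plugin) and decides whether it falls in the 6.0 to 6.8 range. The sample header is constructed, and the default plugin path in the command-line part is an assumption to adjust to your install.

```python
"""Check whether an installed WordPress File Manager plugin is in the
vulnerable 6.0-6.8 range. Added example, not code from the AXEL post.

WordPress plugins declare their version in a comment header at the top of
the main PHP file; that header is what this parses. The sample header is
constructed, and the default plugin path below is an assumption.
"""
import re

VULNERABLE_FROM = (6, 0)   # first affected release named in the post
FIXED_IN = (6, 9)          # first fixed release named in the post

# Constructed sample of a plugin header, trimmed to the fields that matter.
SAMPLE_HEADER = """<?php
/*
Plugin Name: File Manager
Plugin URI: https://example.invalid/file-manager
Description: File Manager plugin for WordPress
Version: 6.8
Author: example
*/
"""


def parse_version(version):
    """'6.8' -> (6, 8). Tuples compare numerically, so 6.10 > 6.9; a plain
    string comparison would get that wrong ('6.10' < '6.9' as strings)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return (parts + (0, 0))[:2]  # normalise to (major, minor)


def header_version(php_source):
    """Pull the Version: field out of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", php_source, re.M)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def is_vulnerable(version):
    return VULNERABLE_FROM <= parse_version(version) < FIXED_IN


def check_plugin_source(php_source):
    """Return a small report for the contents of the plugin's main file."""
    version = header_version(php_source)
    vulnerable = is_vulnerable(version)
    return {
        "version": version,
        "vulnerable": vulnerable,
        "action": "update to 6.9 or later immediately" if vulnerable else "no action needed",
    }


if __name__ == "__main__":
    import sys
    # Assumed default location; pass the plugin's main file explicitly on a real site.
    path = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins/wp-file-manager/file_folder_manager.php"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(check_plugin_source(fh.read()))
    except FileNotFoundError:
        print("plugin file not found; checking the constructed sample header instead:")
        print(check_plugin_source(SAMPLE_HEADER))
```

The version is compared as a numeric tuple on purpose: a naive string comparison would judge a future "6.10" to be older than "6.9" and report a patched site as vulnerable.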

Argentinian government attacked

NetWalker sure is busy! Less than two weeks before the Equinix attack, the hacker gang disrupted operations of Argentina’s national immigration agency.  On the morning of August 27th, workers for the agency noticed that certain Windows files and shared folders were inaccessible. It resulted in a momentary closure of border stations throughout the country while they contained the breach.

NetWalker demanded $2 million to restore access, then upped it to $4 million when the deadline passed. Argentinian officials aren’t worried, however. They say they will refuse to negotiate with the group and don’t intend to recover the compromised information.

Russian arrested for trying to bribe Tesla employee

This story isn’t about a successful attack, but the attempt is so fascinating it needed a mention. On August 22nd, FBI authorities arrested a Russian man for attempting to bribe a Tesla employee. Egor Igorevich Kriuchkov offered the worker $1 million to install ransomware on the electric car manufacturer’s internal servers.

Luckily, the Russian-speaking employee did not take up Egor’s offer, instead opting to notify law enforcement. A sting operation led by the FBI eventually resulted in the would-be hacker’s arrest.

It’s nice to see a foiled plot instead of a multimillion-dollar ransom every once in a while.

Iranian hacker group sells admission to compromised networks

This month, intelligence experts revealed that a hacker gang supporting Iran’s Ministry of Intelligence is selling access to international corporate networks on the Dark Web. The group is known as Pioneer Kitten, aka Fox Kitten, aka PARISITE, and is notorious in the global cyber intelligence community. First identified in 2017, Pioneer Kitten typically exploits vulnerabilities in VPN appliances to gain access to sensitive information deemed useful intelligence by Tehran.

Starting in late July, the group began selling access to corporate and government networks throughout the world. This included compromised systems in countries such as the United States, Israel, Australia, France, Germany, the United Arab Emirates, and more. The attacks centered around tech, defense, and healthcare organizations, all of which store vast amounts of confidential data.

Analysts believe the sale of this high-value intelligence information would not be permitted by the Iranian government, leading to speculation that the group is not an official state entity, and only contracted by Tehran.

The University of Utah suffers a ransomware attack

On August 19th, The University of Utah admitted hackers carried out a successful ransomware attack in late July. The malicious agents encrypted student information on the College of Social and Behavioral Science’s servers. In the end, the university paid out over $450K to prevent the data from leaking to a Dark Web marketplace.

A representative for the university confirmed that a cybersecurity insurance policy paid the sum and that no taxpayers were on the hook. The rep also claimed the hack did not affect any central servers.

While it did not end up being a multimillion-dollar incident like other high-profile attacks, the use of cybercrime insurance is noteworthy. The trend of commonplace insurance is likely to continue as more attacks occur. Ironically, organizations known to have policies may become higher-priority targets, since hackers assume they will receive a payout.

1TB data stolen from liquor manufacturer

Brown-Forman, a United States spirits and wine conglomerate, announced in mid-August that they experienced a 1TB data breach. The parent company of brands such as Jack Daniel’s, Korbel wine, and Finlandia vodka fell victim to the infamous hacker group REvil. Also known as Sodinokibi, REvil has many well-known incidents under their digital belts, including attacks involving data on pop star Lady Gaga and U.S. President Donald Trump.

The hackers gained access to many confidential documents, including business contracts, financial statements, and employee information. It could have been worse for the beverage giant, however, as the criminal syndicate was not able to encrypt any data. Nonetheless, REvil threatened to sell the information online if they did not receive a hefty ransom. Brown-Forman does not appear to be cooperating. At AXEL, we believe this hardball approach is the right one. Do not negotiate with terrorists.

Canon’s stolen files leaked

In early August, the camera and photo-equipment manufacturer, Canon, underwent a Maze ransomware attack. It was so bad, their image.canon website was down for six days. Canon refused to pay and was evidently able to unlock a portion of the infected files.

Then, on August 14th, the Maze gang released 5% of their ill-gotten data treasure to the internet. Their website claims it was only 5% of the files they have. It’s been a month since the leak, and there hasn’t been any further news on the subject. This leads some to believe Canon acquiesced and paid not to have more information revealed.

Data security

As you probably noticed, hacking is big business these days. With the recent proliferation of remote desktops, sophisticated phishing attacks, and cybercrime insurance policies, it doesn’t appear that it will end any time soon.

That’s why individuals and businesses alike need robust, secure data storage and sharing solutions. AXEL Go is the best application to fit these needs. AXEL Go allows for private, secure storage and sharing. Based on IPFS and blockchain technology, users receive high performance and protection not seen in other platforms. Optional AES-256 password-based encryption locks things down even further to prevent any unauthorized access. Try out our full-featured Basic service for free.

 

[1] Catalin Cimpanu, “NetWalker ransomware gang has made $25 million since March 2020”, ZDNet, Aug. 3, 2020, https://www.zdnet.com/article/netwalker-ransomware-gang-has-made-25-million-since-march-2020/#:~:text=The%20NetWalker%20gang%20has%20established,dangerous%20ransomware%20groups%20out%20there.&text=The%20operators%20of%20the%20NetWalker,security%20firm%20McAfee%20said%20today.


Filed Under: Cybersecurity Tagged With: canon hack, equifax, equinix hack, eterbase hack, iran hackers, jack daniels hack, tesla russia, utah hack, wordpress hack
