Posted on September 21, 2017 at 4:44 PM
A group of Iranian hackers has been conducting covert espionage against the aviation and energy industries of the United States, Saudi Arabia, and South Korea.
An Iranian hacking group has recently been exposed as targeting major aviation and energy corporations in the United States, Saudi Arabia, and South Korea. The hacking activity is suspected to have been ongoing since 2013, according to information security firm FireEye.
The hacking group’s focus is mainly on covertly gathering information from the affected companies and then passing this information to the Iranian military, as well as to corporate institutions with Iranian interests. According to John Hultquist, director of intelligence analysis at FireEye, FireEye has also uncovered software capable of destroying data, wiping disks, erasing volumes, and deleting files. The origin of this software has been traced to the Middle East.
The data-destroying software, called SHAPESHIFT, can erase all data in a company’s network. While FireEye researchers have not yet seen it used in action, they warn that the capability is present in the software.
According to Hultquist, the fact that they haven’t used the software to delete any data yet has more to do with their instructions than with their capabilities. Hultquist seems to think that the hackers are purely following orders.
This is not the first attack of this kind. In 2012, Iranian hackers were blamed for erasing over 75% of the data of leading oil company Saudi Aramco.
Similarly, another attack blamed on Iranian attackers happened in 2014, when a malicious attack completely wiped the systems of the Sands Hotel and Casino. The company suffered millions of dollars’ worth of damage.
According to Claroty co-founder Galina Antova, nation states will be the most innovative when it comes to hacking techniques and malicious attacks in the future, as this allows them to gain sensitive information and reap the rewards of any damage they cause.
Campaigns such as the latest Iranian hacks lay the groundwork for causing damage and disruption in the future, should it be necessary.
Hultquist cautioned that the absence of attacks should not be taken as a sign of safety.
For now, the Iranian group might only be collecting information. However, it does have the ability to attack. The challenge right now, according to Hultquist, is to acknowledge the danger, anticipate an attack, and protect vulnerable data.
The Iranian group, dubbed APT33 by FireEye researchers, seems mostly interested in commercial and military aviation corporations, as well as energy companies, specifically those with ties to petrochemical production.
Since mid-2016, APT33 has used job-recruitment phishing emails directed at higher-level employees. These emails enabled the group to compromise a US aerospace company, as well as a Saudi Arabian conglomerate with holdings in the aviation industry.
In addition, APT33 registered several internet domains that made its messages appear to come from a legitimate business. Companies targeted in this way included Boeing, Northrop Grumman Aviation Arabia, Alsalam Aircraft Company, and Vinnell Arabia.
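The combination described above, a recruitment-themed lure sent from a domain registered to resemble a real company, is something a defender can screen for at the mail gateway before a message reaches a senior employee. The following Python is an added example, not code from the article or from FireEye: it classifies a sender domain against a list of protected legitimate domains (the list here is an assumption; a real deployment would load its own partners' domains and use a public-suffix list rather than the naive two-label split used here) and flags recruitment-themed subjects for analyst review. The sample headers are constructed.

```python
"""Triage inbound mail headers for lookalike sender domains and recruitment lures.

Added illustration, not the article's or FireEye's code. PROTECTED_DOMAINS and
SAMPLE_HEADERS are constructed for the example.
"""
import re

# Legitimate domains that a phishing sender may try to imitate.
# Assumed list for illustration; populate with your own partners' real domains.
PROTECTED_DOMAINS = ["boeing.com", "northropgrumman.com"]

# Common substitutions that make a lookalike label read like the real one.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Words typical of the job-recruitment theme used as a lure.
RECRUIT_RE = re.compile(
    r"\b(job|career|vacancy|recruit\w*|position|hiring|opportunity)\b", re.I
)

LOOKALIKE_KINDS = {"lookalike-label", "brand-embedded", "typosquat"}


def second_level_label(domain):
    """Label left of the TLD ('careers.boeing.com' -> 'boeing').
    Naive two-label split; real code should consult the public-suffix list."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    """Fold hyphens and homoglyphs so 'b0eing-jobs' becomes 'boeingjobs'."""
    label = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain):
    """Return (kind, protected_domain): 'legitimate', a lookalike kind,
    or ('unrelated', None)."""
    domain = domain.lower().strip(".")
    for protected in PROTECTED_DOMAINS:
        if domain == protected or domain.endswith("." + protected):
            return "legitimate", protected
    label = normalize(second_level_label(domain))
    for protected in PROTECTED_DOMAINS:
        brand = second_level_label(protected)
        if label == brand:
            return "lookalike-label", protected  # same label, other TLD or homoglyphs
        if brand in label:
            return "brand-embedded", protected   # e.g. brand-careers.example
        if levenshtein(label, brand) <= 2:
            return "typosquat", protected        # e.g. transposed letters
    return "unrelated", None


def triage(from_addr, subject):
    """Verdict and reason for one From/Subject pair."""
    domain = from_addr.rsplit("@", 1)[-1]
    kind, protected = classify_sender(domain)
    lure = bool(RECRUIT_RE.search(subject))
    if kind in LOOKALIKE_KINDS:
        reason = f"{kind} of {protected}" + (" with recruitment lure" if lure else "")
        return "suspicious", reason
    if lure and kind == "unrelated":
        return "review", "recruitment-themed mail from a domain outside the protected list"
    return "clean", kind


# Constructed sample headers, not real messages.
SAMPLE_HEADERS = [
    ("hr@careers.boeing.com", "Quarterly supplier update"),
    ("recruiting@boeing-careers.example", "Job opportunity: senior engineer"),
    ("hr@b0eing.example", "Your application"),
    ("talent@boieng.example", "Open position"),
    ("news@newsletter.example", "Career opportunity"),
]

if __name__ == "__main__":
    for sender, subject in SAMPLE_HEADERS:
        verdict, reason = triage(sender, subject)
        print(f"{verdict:10} {sender:36} {reason}")
```

The lookalike checks run only on the registrable label, so a legitimate subdomain of a protected domain passes while a brand name buried in an unrelated registration is caught; the recruitment-keyword match alone never blocks, it only routes the message for review.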
APT33 has also targeted companies in South Korea. These companies all had holdings and interests in the energy industry, particularly oil refining and petrochemicals. The targeted South Korean companies all have business relationships with petrochemical companies in the Middle East.
According to FireEye researchers, there could be a number of reasons why APT33 chose to target these specific companies.
This could be an industrial espionage attempt to enhance Iran’s own aviation industry. It could also be to gather information for the Iranian military, which would greatly aid its decision-making. Lastly, it is possible that the espionage is meant to gather enough information on Saudi Arabian petrochemical competitors to gain a competitive edge.
FireEye researchers have speculated that this latest campaign was carried out at the command of the Iranian government, given the strategic nature of the companies targeted. The speculation is well grounded, since hacking activity in a tightly monitored regime such as Iran is usually government-backed.
While the orders may not come directly from a government office, the group could be operating in the general interest of Iran.