Iran-linked cyber spies use simple yet effective hacks: report

Reuters

July 25, 2017


A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

TEL AVIV (Reuters) – A cyber spying group with links to Iran and active for the past four years is targeting countries including Israel, Saudi Arabia, Germany and the United States, security researchers said on Tuesday.

A new report by Tokyo-based Trend Micro and ClearSky of Israel detailed incidents as recently as April of this year involving a group known as “CopyKittens”.

The group targets its victims using relatively simple techniques such as creating fake Facebook pages, compromising websites, or embedding malicious code in Microsoft Word attachments, according to the report.

It was seen impersonating popular media brands like Twitter, YouTube and the BBC, and technology and security companies such as Microsoft, Intel and even Trend Micro.

“CopyKittens is very persistent, despite lacking technological sophistication and operational discipline,” the researchers said in a statement.

“These characteristics, however, cause it to be relatively noisy, making it easy to find, monitor and apply counter measures relatively quickly,” they said.
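The brand impersonation described above is exactly the kind of noisy behaviour the researchers say is easy to find. As an added example, not code from the report or from either vendor, the following Python flags sender domains that imitate the brands named in the article. The legitimate-domain mapping, the homoglyph table, the crude registrable-domain rule and the sample domains are all assumptions constructed for illustration; a production deployment would use the Public Suffix List and a fuller confusables table.

```python
"""Flag sender domains that look like the brands CopyKittens impersonated.

Added example, not from the Reuters/ClearSky/Trend Micro report. Brand
domains, homoglyph table and test inputs are constructed for illustration.
"""
from __future__ import annotations

import unicodedata

# Brands named in the report, mapped to the registrable domain we would expect
# legitimate mail to come from. The mapping is an assumption for this example.
BRAND_DOMAINS = {
    "twitter": "twitter.com",
    "youtube": "youtube.com",
    "bbc": "bbc.co.uk",
    "microsoft": "microsoft.com",
    "intel": "intel.com",
    "trendmicro": "trendmicro.com",
}

# Common ASCII look-alike substitutions seen in typosquatting (assumed set).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# A few Cyrillic letters that render identically to Latin ones (assumed set).
CYRILLIC_TO_LATIN = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0456\u0443", "aeopcxiy"
)


def normalize(token: str) -> str:
    """Fold confusables so 'micr0soft', 'rnicrosoft' and a Cyrillic-'о'
    'microsoft' all compare equal to the ASCII brand name."""
    folded = unicodedata.normalize("NFKD", token.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    folded = folded.translate(CYRILLIC_TO_LATIN)
    for bad, good in HOMOGLYPHS.items():
        folded = folded.replace(bad, good)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: last two labels, or last three
    under a few second-level suffixes such as co.uk. Assumed rule; use the
    Public Suffix List in real deployments."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "net", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def tokens(domain: str) -> list[str]:
    """Split 'microsoft-support.net' into ['microsoft', 'support', 'net'] so a
    brand used as one hyphenated part of a label is still matched exactly."""
    return [t for label in domain.lower().split(".") for t in label.split("-") if t]


def classify(domain: str) -> tuple[str, str | None]:
    """Return ('legit', brand), ('lookalike', brand) or ('unrelated', None).

    Short brand names (under six characters) only match exactly, since a
    one-edit tolerance on 'bbc' or 'intel' would flag far too much."""
    reg = registrable(domain)
    for brand, legit in BRAND_DOMAINS.items():
        if reg == legit:
            return "legit", brand
    parts = [normalize(t) for t in tokens(domain)]
    for brand in BRAND_DOMAINS:
        tolerance = 1 if len(brand) >= 6 else 0
        for part in parts:
            if part == brand or levenshtein(part, brand) <= tolerance:
                return "lookalike", brand
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample sender domains, not from the report.
    for d in ["mail.twitter.com", "micr0soft.com", "tw\u0456tter.com",
              "trendmicro-update.net", "rnicrosoft-support.com", "example.org"]:
        print(f"{d:28s} -> {classify(d)}")
```

The exact-match-only rule for short brand names is deliberate: with a one-edit tolerance, `abc` would match `bbc` and `intern` would match `intel`, and the alert stream would drown the real lookalikes.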

Iranian officials were not available for comment.


Ayatollah Khamenei, the Iranian Supreme Leader, pictured at a military parade

The report itself does not link the group to Iran. As a matter of company policy, Trend Micro research into state-backed attacks focuses on technical evidence and forgoes political analysis.

However, ClearSky researchers told Reuters that CopyKittens was “Iranian government infrastructure,” adding that the use of “kitten” in the industry indicates Iranian hackers, just as “panda” or “bear” refer to Chinese and Russian groups, respectively.

CopyKittens is distinct from another Iran-based cyber spy group dubbed Rocket Kitten, which since 2014 has mounted cyberattacks on high-profile political and military figures in countries near Iran as well as the United States and Venezuela.

CopyKittens has been operating since at least 2013, according to the report, though its activities were first exposed publicly in November 2015 by ClearSky and Minerva Labs. Earlier this year, ClearSky wrote another paper detailing more hacking incidents that affected some members of Germany’s parliament.

Eyal Sela, head of threat intelligence at ClearSky, said that once an initial hack against a government or commercial target is successful, CopyKittens uses that access to then attack other groups, though it tries to remain very focused.

As recently as late April, the group breached the email account of an employee in the Ministry of Foreign Affairs in Turkish Cypriot-controlled northern Cyprus and then tried to infect multiple targets in other governments, the report said.

Another time it used a document, likely stolen from Turkey’s Foreign Ministry, as a decoy.

Reporting by Tova Cohen, Ari Rabinovitch and Eric Auchard; Editing by Richard Balmforth

Related:


A prominent U.S. cyber warfare expert has admonished other cyber security experts for exaggerating the danger posed by Iran’s cyber warfare and espionage organisations and entities.

Dr. Brandon Valeriano, a Reader at Cardiff University in Wales and author of Cyber War versus Cyber Realities published by Oxford University Press in 2015, told the U.S. Senate’s Homeland Security and Governmental Affairs Committee on May 10, 2017, in Washington, DC, that Iran’s cyber warfare and espionage capabilities are inferior when compared to the capabilities of countries such as the United States, Israel, Russia, China, and those of a number of European countries.

“Iran is thought to be a serious and sophisticated cyber actor but evidence suggests the contrary to this conclusion,” Dr. Valeriano told U.S. Senators.

Citing the 2012 Shamoon cyber attacks against Saudi Arabia’s Aramco and Qatar’s RasGas thought to have been carried out by Iran, Dr. Valeriano said, “The Shamoon attacks on Saudi Arabia’s Aramco systems were destructive, but did not impede operations or wipe out critical information. Likely launched in response to the Stuxnet operation, it is also telling that the response by Iran was not to attack the alleged perpetrators directly, but to go after an ally indirectly, Saudi Arabia.”

Dr. Valeriano’s assessment is in line with other studies on Iran’s strategic behaviour that note Tehran’s preference to use indirect methods against its adversaries and avoid open conflict with militarily superior powers such as the United States and Israel.

Referencing the recent attempted espionage operation against Israeli targets by the Iranian-linked OilRig hacker group, as well as cyber-attacks carried out by other Iranian cyber proxies against U.S. financial institutions over the past few years, Dr. Valeriano pointed out that Iran’s cyber operations have been less than impressive:

Recent attacks on Israel have been reported as another telling aspect of the sophistication of Iranian cyber operations, but the reality is that the state was using released malware from the Shadowbrokers info dumps and spear phishing techniques. Similar attacks on U.S. networks have failed more often than succeeded as well. To argue that these are sophisticated attacks betrays our ability to judge information and impact in cyber security operations.

Similarly, the ongoing Shamoon II attacks against Saudi Arabian targets, again thought to be carried out by the OilRig hacker group, are underwhelming when compared to the sophisticated, effective, and even damaging cyber operations carried out by the likes of China and Russia. Dr. Valeriano noted that, “Ongoing attacks on industrial and financial networks have recently been dubbed Shamoon 2. Reports highlight that the new version of the operation builds on the 2012 attacks on Saudi oil networks and reuses 90 percent of the known code. This is not a highly new or original operation, but a continuation of old methods because targets are slow to update their systems and patch known vulnerabilities.”

Dr. Valeriano’s assessment is certainly at variance with that of many officials and analysts. Recently, for example, the U.S. Director of National Intelligence, Dan Coats, told U.S. Senators that:

Tehran continues to leverage cyber espionage, propaganda, and attacks to support its security priorities, influence events and foreign perceptions, and counter threats—including against US allies in the region. Iran has also used its cyber capabilities directly against the United States. For example, in 2013, an Iranian hacker conducted an intrusion into the industrial control system of a US dam, and in 2014, Iranian actors conducted a data deletion attack against the network of a US-based casino.

Such assessments have become the norm among officials and cyber security analysts in the West and Israel, making Dr. Valeriano’s assessment one to seriously consider if only because it is at odds with the dominant narrative on Iran’s cyber warfare and espionage capabilities.

Yet while Dr. Valeriano’s assessment questions the notion of Iranian sophistication and notoriety in cyberspace operations, it is also possible to underestimate their determination and persistence. Writing recently in The New York Times, correspondent Nicole Perlroth notes that, “By most accounts, these [Iranian-linked OilRig] hackers could best be described as the ‘B Team,’ not nearly as sophisticated as the Chinese, Russian or Eastern European hackers whom security firms have been monitoring for more than a decade. But what OilRig’s hackers lacked in sophistication, they made up for in determination. They did their research. They were patient. When they were caught, they would wait for the dust to settle before trying again.”

It should also be pointed out that Iran has demonstrated a particular sophistication in information operations, which are often cyber-enabled, in Syria, Iraq, Yemen, Lebanon, and Bahrain, something that is rarely noticed in the West where attention is often focused on Iran’s often symbolic and indirect cyber warfare and espionage operations.

For Dr. Valeriano, however, the real danger in Iranian cyber operations lurks not so much in their capabilities and direct action, but in their prevalent use of cyber proxies. In his testimony to U.S. Senators, he said, “The main danger from Iran, just as it is in the terrorism threat vector, is the high probability that Iran will use proxy actors to attack Western targets. Enabling these actors, one group being called the Syrian Electronic Army, might be dangerous if Iran was to transfer technology to these groups who could then use known vulnerabilities in their operations.”

“But for now, Iran seems content to harass American allies, probe American networks, and reuse old malware to attack unprepared targets,” he concluded.

Originally published at: https://spacewatchme.com/2017/05/analyst-irans-cyber-warfare-capabilities-concern-hardly-sophisticated-dangerous/
