An elite team of Iranian state-sponsored hackers successfully infiltrated hundreds of thousands of employee accounts at US companies and government agencies, according to the Feds, as part of a multiyear cyber espionage campaign aimed at stealing military secrets.
The US Departments of Treasury and State are among those compromised in the elaborate campaign, which lasted from 2016 to 2021 according to a US Justice Department indictment unsealed this week. Various defense contractors with high-level security clearances, a New York-based accounting firm, and a New York-based hospitality company were also affected, according to the documents. In all, more than a dozen entities and hundreds of thousands of employee accounts were compromised in the attacks, including more than 200,000 accounts at the hospitality victim.[1]
Four Iranian nationals including one alleged member of the government's Islamic Revolutionary Guard Corps (IRGC) Electronic Warfare division have been indicted for the attacks. The defendants are accused of posing as an Iran-based company that purported to provide "cybersecurity services" in a series of spear phishing overtures to their targets. Their aim was to trick email recipients into clicking on a malicious link that executed an unnamed custom malware and allowed account takeover.
In one case, hackers managed to allegedly take over an administrator email account at a defense contractor, which they then used to create other unauthorized accounts in order to send spear phishing emails to employees of a different defense contractor and a consulting firm. In some cases, they also successfully posed as women interested in romantic connections, targeting victims through social media connections. This gambit was also aimed at eventually deploying malware onto victim computers, according to the indictment.
Both approaches align with Iran's long-standing Method of Operation (MO) of creating clever social-engineering campaigns to gain targets' confidence. A recent Charming Kitten effort for example involved the creation of an entire phony webinar platform to compromise its targeted victims. In general, Iran-nexus threat actors are "more advanced and more sophisticated by a significant margin" in their social-engineering efforts, according to Steven Adair, co-founder and president of Volexity https://www.volexity.com speaking after disclosing the Charming Kitten campaign. "It's a level of effort and dedication ... that is definitely different and uncommon."
See: https://redskyalliance.org/xindustry/charming-kitten-s-new-malware
In the campaign revealed recently, once the accounts were compromised, the hacking team allegedly used a complex back-end infrastructure and a custom application called "Dandelion" to manage the attack. Dandelion provided a dashboard that enumerated the victims, their IP addresses, physical locations, Web browsers, and OS, whether they clicked on the malicious spear phishing links and whether the accounts should be targeted for further activity.
The Justice Department did not publicize many other details on the effort; nor did it reveal whether the state-sponsored attackers were able to access and steal classified data. The level of compromise they were able to achieve in the five years they lurked within the high-value networks remains unclear.
Unfortunately, jailtime will likely not be on offer in the event of a conviction in the case: Hossein Harooni (حسین هارونی), Reza Kazemifar (رضا کاظمی فر), Komeil Baradaran Salmani (کمیل برادران سلمانی), and Alireza Shafie Nasab (علیرضا شفیعی نسب) all remain at large. The State Department is offering a reward of up to $10 million for information that could help with their apprehension.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.darkreading.com/cyberattacks-data-breaches/iran-dupes-military-contractors-govt-agencies-cybercampaign
Comments