The National - News

Iranian hacks on Gulf energy firms increase

- JACK MOORE

An Iranian hacker group has stepped up its cyber espionage operations against GCC companies in the energy sector since US President Donald Trump withdrew from a nuclear deal and reimposed sanctions on Tehran’s economy.

Security company FireEye released its latest research yesterday, which showed how the hacker group APT33, which it believes to be linked to the Iranian government, has targeted Middle East companies as well as organisations from the United States and Japan across business sectors including utilities, insurance, manufacturing and education.

The hacker group sent spear-phishing emails to its targets between July 2 and July 29. In the emails, the group disguised its messages as mail from a Middle East oil and gas company, which was not identified by FireEye.

In response to a question from The National, the company said “GCC states” were targeted by the group, but declined to be more specific.

“In July, we observed a significant increase in activity from this Iran-affiliated APT group,” Alister Shepherd, Middle East and Africa director for Mandiant, a consulting arm at FireEye, said yesterday. “The APT33 operation primarily focused on the energy sector, which has been affected by recent sanctions that were placed on Iran.”

The company recorded a 10-fold increase in phishing emails “from a small number to a large volume”. It said it expected the operations to continue, targeting the same sectors, as the sanctions continue to bite.

The company said it had a high degree of certainty that the hacker group was linked to Iran.

“We are confident in the Iranian government link. This is based on four years of tracking activity,” Mr Shepherd said.

The timing of the group’s activities was one of the indicators that they were based in Iran. Its operatives primarily worked “Saturday through Wednesday ... which fits with the Iranian week. When it happens consistently over time that’s a strong indicator,” the FireEye executive said.

The security company also said the Farsi language was used in some of the hacker group’s coding. It said the phishing was not a false-flag operation, as the company’s tracking involved “actively watching the attacker come in and do their work”.

This year, the United States withdrew from the nuclear deal signed between Tehran and world powers in July 2015 that sought to limit Iran’s nuclear programme in return for the lifting of sanctions. US President Donald Trump reimposed those sanctions in August, with a second wave of sanctions expected in November.

The US has threatened secondary sanctions on any country doing business with Iran.

“The motivation behind the operation is uncertain, but it’s possible that the attackers were using spear phishing to [steal] intellectual property or to subsequently cause disruption in retaliation to the sanctions,” Mr Shepherd said.

“It’s imperative for companies to ensure they are capable of quickly detecting and responding to these intrusion attempts.”

The security company pointed to several trends that it said indicated the hacker group was linked to the Iranian government.

One of the individuals attempting to spread APT33 malware was a prominent figure on Iranian hacktivist forums and had links to the Nasr Institute, widely believed to be Iran’s “cyber army”.

The group’s targeting of companies in the aerospace and energy industries aligns with Iranian state interests.

To carry out its operations, APT33 used hacker tools popular with other suspected Iranian threat groups and used Iranian hosting companies.

Last month, FireEye revealed the breadth of Iran’s disinformation efforts on social media, using fake accounts to promote its agenda and oppose western policies it believes harm Iranian interests.

A tip-off from FireEye pushed Facebook, Google and Twitter to remove dozens of accounts suspected of links to the Iranian propaganda campaign.

Material spread by the accounts included articles opposing US President Donald Trump, and others supportive of politicians who oppose western policy on Iran, including British opposition leader Jeremy Corbyn.
