Hackers target energy, aviation
Security experts point fingers at Iran
A suspected Iranian hacking group has been targeting aviation and energy companies in the United States, Saudi Arabia and South Korea since 2013, computer security company FireEye said in a report released Wednesday.
The group seems largely to have engaged in stealth spying to give Iranian military and corporate interests information about possible enemies and competition. However, the researchers also found signs of a data-destroying program capable of wiping disks, erasing volumes and deleting files.
During its investigation, FireEye, based in Milpitas, Calif., found signs of links to malicious software called SHAPESHIFT, which is capable of destroying data within a company’s network. FireEye said it had not directly observed the hackers carry out any destructive operations, but the capability appears to be present.
A hugely destructive cyber attack in 2012 against Saudi Aramco, one of the world’s largest oil companies, erased data on more than 75% of the company’s computers. U.S. officials later blamed Iranian hackers for the attack.
“Nation states are increasingly laying the groundwork for future disruptive and destructive attacks — planting the seeds they can harvest as needed in the future,” said Galina Antova, co-founder of Claroty, a New York-based company that secures industrial control systems.
The group, which FireEye dubbed “APT33,” has shown particular interest in commercial and military aviation companies as well as energy companies tied to petrochemical production.
APT stands for Advanced Persistent Threat, in which attackers gain access to a network and covertly gather information rather than seeking to damage the network or the organization.
From mid-2016 through early this year, APT33 used job recruitment phishing emails directed at higher-level employees to compromise an unnamed U.S. aerospace company and targeted a Saudi Arabian business conglomerate with aviation holdings, the report said. The group registered multiple Internet addresses so it could masquerade as legitimate firms to launch its attacks.
The same group also targeted a South Korean company with interests in oil refining and petrochemicals, FireEye said. South Korean energy companies have business relationships with both Saudi Arabian and Iranian petrochemical companies.