The National - News

‘Iranians behind hack on Saudi, US and South Korean industries’

▶ Dubai cyber crime summit told of attack group’s links to Tehran

- NAWAL AL RAMAHI

A gang of hackers working in Iran for the Tehran government is probably behind attacks on American, Saudi Arabian and South Korean aviation and energy companies, a cyber-security company said yesterday.

The report by FireEye, which uncovered the hackers, said they left behind a new type of malware that could have been used to destroy the computers it infected.

It appears to mirror two other attacks attributed to Iran that targeted Saudi Arabia in 2012 and last year, and destroyed computer systems.

“The gang, dubbed APT33, is believed to have links to the Iranian regime,” Stuart Davis, director of global intelligence at FireEye, said in Dubai.

“Since the middle of 2016 until early 2017, APT33 members managed to hack into several organisations and companies in the three countries.”

FireEye revealed details about a hacking group that infiltrated an aerospace company in the US, a trade group with shares in Saudi aviation and a petrochemical company in South Korea. Mr Davis said the targets indicated that APT33 (the APT stands for “advanced persistent threat”) may be looking to gain insights into Saudi Arabia’s air force and its capabilities.

The group hacks into companies to gain information that could inform decisions related to petrochemical production.

“They used malicious files to lure their victims and make them believe that they have vacancies and then solicit highly confidential information,” Mr Davis said.

FireEye said APT33 used phishing email attacks with fake job opportunities to gain access to the companies affected, and phoney domain names to make it look like the messages came from Boeing or defence contractors.

They stayed inside the computer systems for four to six months at a time to steal data and leave behind the malware that FireEye calls Shapeshifter. The coding contains Farsi-language references, FireEye said.

Timestamps in the code also correspond to hackers working from Saturday to Wednesday, which is the working week in Iran, Mr Davis said.
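
The working-week heuristic Mr Davis describes, as an added example that is not FireEye's own tooling: a constructed set of malware compile timestamps (invented for illustration, not real APT33 data) is shifted from UTC into Iran time (UTC+3:30) and scored against a Saturday-to-Wednesday working week and a Monday-to-Friday one. The timezone shift matters: one sample sits on a Friday evening in UTC but early Saturday in Iran.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Iran has no daylight saving time, so a fixed UTC+3:30 offset is enough here.
IRAN_TZ = timezone(timedelta(hours=3, minutes=30))
UTC = timezone.utc
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Two competing hypotheses about the operators' working week.
WORKWEEK_HYPOTHESES = {
    "sat-wed": {"Sat", "Sun", "Mon", "Tue", "Wed"},  # Iranian working week
    "mon-fri": {"Mon", "Tue", "Wed", "Thu", "Fri"},  # Western working week
}

# Constructed sample: compile timestamps in UTC, not real APT33 data.
# The eighth entry is Friday 21:00 UTC, which is already Saturday in Iran.
SAMPLE_TIMESTAMPS_UTC = [
    "2016-09-03T05:10:00Z", "2016-09-03T11:25:00Z", "2016-09-04T06:00:00Z",
    "2016-09-05T09:40:00Z", "2016-09-05T12:15:00Z", "2016-09-06T07:30:00Z",
    "2016-09-07T10:05:00Z", "2016-09-02T21:00:00Z", "2016-09-08T08:20:00Z",
    "2016-09-11T04:55:00Z", "2016-09-12T13:00:00Z", "2016-09-13T06:45:00Z",
]

def parse_utc(stamp):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' string into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)

def weekday_histogram(stamps_utc, tz):
    """Count timestamps per local weekday after shifting them into tz."""
    counts = Counter()
    for stamp in stamps_utc:
        local = parse_utc(stamp).astimezone(tz)
        counts[WEEKDAYS[local.weekday()]] += 1
    return counts

def workweek_fraction(counts, workdays):
    """Share of activity that lands on the given set of working days."""
    total = sum(counts.values())
    return sum(n for day, n in counts.items() if day in workdays) / total if total else 0.0

def score_workweeks(stamps_utc, tz=IRAN_TZ):
    """Score each working-week hypothesis; the higher fraction fits better."""
    counts = weekday_histogram(stamps_utc, tz)
    return {name: workweek_fraction(counts, days)
            for name, days in WORKWEEK_HYPOTHESES.items()}

if __name__ == "__main__":
    print(weekday_histogram(SAMPLE_TIMESTAMPS_UTC, IRAN_TZ))
    print(score_workweeks(SAMPLE_TIMESTAMPS_UTC))
```

On the constructed sample, eleven of twelve timestamps fall on Saturday to Wednesday in Iran time, against seven of twelve for a Monday-to-Friday week; a real analysis would need many more samples before reading anything into the difference.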

The programs used in the campaign are popular with Iranian coders, servers were registered through Iranian companies and one of the spies appears to have accidentally left his online handle, “xman_1365_x,” in part of the code.

The hacker has been linked to the Nasr Institute – reportedly Iran’s “cyber army” controlled by Tehran.

Photo: Mohamad Amin Hasbini, senior security researcher for global studies and analysis at Kaspersky Lab, at the cyber-security summit in Dubai yesterday. Pawan Singh / The National
