‘Iranians behind hack on Saudi, US and South Korean industries’
▶ Dubai cyber crime summit told of attack group’s links to Tehran
A gang of hackers working in Iran for the Tehran government is probably behind attacks on American, Saudi Arabian and South Korean aviation and energy companies, a cyber-security company said yesterday.
The report by FireEye, which uncovered the hackers, said they left behind a new type of malware that could have been used to destroy the computers it infected.
It appears to mirror two other attacks attributed to Iran that targeted Saudi Arabia in 2012 and last year, and destroyed computer systems.
“The gang, dubbed APT33, is believed to have links to the Iranian regime,” Stuart Davis, director of global intelligence at FireEye, said in Dubai.
“Since the middle of 2016 until early 2017, APT33 members managed to hack into several organisations and companies in the three countries.”
FireEye revealed details about a hacking group that infiltrated an aerospace company in the US, a trade group with shares in Saudi aviation and a petrochemical company in South Korea. Mr Davis said the targets indicated that APT33 (APT stands for “advanced persistent threat”) may be looking to gain insights into Saudi Arabia’s air force and its capabilities.
The group hacks into companies to gain information that could inform decisions related to petrochemical production.
“They used malicious files to lure their victims and make them believe that they have vacancies and then solicit highly confidential information,” Mr Davis said.
FireEye said APT33 used phishing email attacks with fake job opportunities to gain access to the companies affected, and phoney domain names to make it look like the messages came from Boeing or defence contractors.
They stayed inside the computer systems for four to six months at a time to steal data and leave behind the malware that FireEye calls Shapeshifter. The coding contains Farsi-language references, FireEye said.
Timestamps in the code also correspond to hackers working from Saturday to Wednesday, which is the working week in Iran, Mr Davis said.
The programs used in the campaign are popular with Iranian coders, servers were registered through Iranian companies and one of the spies appears to have accidentally left his online handle, “xman_1365_x,” in part of the code.
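The working-week reasoning above (timestamps clustering on Saturday to Wednesday) is the kind of check an analyst can run over a set of build timestamps. The following is an added illustration, not FireEye's code and not the real APT33 data: the timestamps are constructed for the example, and the Tehran offset is assumed fixed at UTC+3:30 with daylight saving ignored.

```python
"""Weekday-pattern check over malware build timestamps.

Added illustration (not FireEye's code): the article reports that code
timestamps clustered on Saturday to Wednesday, Iran's working week. This
shows how an analyst would score a set of timestamps against candidate
working weeks. The timestamps below are constructed for the example.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of build timestamps in UTC (for instance as read from
# a PE header's TimeDateStamp field). Not real APT33 data.
SAMPLE_TIMESTAMPS_UTC = [
    "2016-09-03T05:10:00+00:00",  # Sat
    "2016-09-04T06:30:00+00:00",  # Sun
    "2016-09-05T04:45:00+00:00",  # Mon
    "2016-09-06T09:00:00+00:00",  # Tue
    "2016-09-07T11:20:00+00:00",  # Wed
    "2016-09-10T07:00:00+00:00",  # Sat
    "2016-09-11T05:15:00+00:00",  # Sun
    "2016-09-13T10:05:00+00:00",  # Tue
    "2016-09-14T20:50:00+00:00",  # Wed in UTC, already Thu in Tehran
    "2016-09-15T06:00:00+00:00",  # Thu
]

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Candidate working weeks to score the activity against.
WORK_WEEKS = {
    "Sat-Wed": {"Sat", "Sun", "Mon", "Tue", "Wed"},  # working week in Iran
    "Mon-Fri": {"Mon", "Tue", "Wed", "Thu", "Fri"},
}

# Assumed fixed offset for Tehran (UTC+3:30); DST is ignored for simplicity.
TEHRAN = timezone(timedelta(hours=3, minutes=30))


def weekday_histogram(timestamps, tz=timezone.utc):
    """Count build events per weekday after converting to the given zone.

    The zone matters: a build at 20:50 UTC on a Wednesday is already
    Thursday in Tehran, so the assumed zone shifts the histogram.
    """
    counts = Counter()
    for ts in timestamps:
        local = datetime.fromisoformat(ts).astimezone(tz)
        counts[WEEKDAYS[local.weekday()]] += 1
    return {day: counts.get(day, 0) for day in WEEKDAYS}


def work_week_scores(hist):
    """Fraction of activity that falls inside each candidate working week."""
    total = sum(hist.values())
    if total == 0:
        return {name: 0.0 for name in WORK_WEEKS}
    return {
        name: sum(hist[day] for day in days) / total
        for name, days in WORK_WEEKS.items()
    }


def best_fit(timestamps, tz=timezone.utc):
    """Name of the working week that explains most of the activity.

    This is one weak signal: timestamps can be forged or left unset, so an
    analyst weighs it alongside language artefacts and infrastructure
    registration data, as the article describes.
    """
    scores = work_week_scores(weekday_histogram(timestamps, tz))
    return max(scores, key=scores.get)


if __name__ == "__main__":
    hist = weekday_histogram(SAMPLE_TIMESTAMPS_UTC, TEHRAN)
    print("per-weekday (Tehran time):", hist)
    print("scores:", work_week_scores(hist))
    print("best fit:", best_fit(SAMPLE_TIMESTAMPS_UTC, TEHRAN))
```

On the constructed sample, 80% of builds fall inside a Saturday-to-Wednesday week once the timestamps are shifted to Tehran time, against 60% for Monday-to-Friday; evaluating in UTC instead moves one late build back to Wednesday and changes the figure, which is why the zone assumption should be stated with the result.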
The hacker has been linked to the Nasr Institute – reportedly Iran’s “cyber army” controlled by Tehran.