Iran Hackers ‘Hitting Dissidents And US Defence’

Security researchers have noted a rise in the sophistication of digital attacks stemming from Iran, after incidents involving US defence and dissidents within and outside the country.

In particular, a group known as the Ajax Security Team has been carrying out website defacements since 2010, but has moved to malware-based attacks in recent months.

Iran hitting up dissidents

It has targeted Iranian users of anti-censorship technologies that bypass Iran’s Internet filtering system, such as Psiphon, Ultrasurf, Proxifier and GerdooVPN.

Looking at the command and control infrastructure for malware samples that were disguised as anti-censorship tools, FireEye researchers found 77 victims. Most appear to have been based in Iran itself.

Typical social engineering tactics have been used by the Ajax team. In one case, a fake page for the 2014 IEEE Aerospace Conference was set up as a lure to trick targets into installing malware.

Convincing password phishing pages have been created by the hacking crew too, including fake Outlook Web Access and VPN login sites.

The hackers are using their own malware, written in .NET, which they’ve named “Stealer”. It collects system information, takes screenshots, carries out keylogging and pilfers usernames and passwords.

Iran has been growing its cyber capability since the Iranian Cyber Army emerged in 2009. It’s also believed Iran has been heavily investing in digital offence and defence partly because of the Stuxnet attacks that disrupted one of the country’s nuclear plants in the late 2000s, as revealed in 2010.

“We believe that Iran is increasingly reaching to hacker groups within the country,” Nart Villeneuve, senior threat intelligence researcher at FireEye, told TechWeekEurope.

“The capabilities of the Ajax Security Team are unclear — they have used a variety of clever social engineering techniques to deliver their malware, the malware itself is not publicly available but the malware’s overall capability is somewhat limited. That said, it provides all the functionality they need to conduct successful attacks.

“Public statements by both US and Iranian officials indicate that Iran is pursuing both offensive and defensive cyber capabilities.”

FireEye suspects some members of the Ajax crew are also involved in cyber crime. One member, HUrr!c4nE!, has been “flagged for possible fraud” against a retailer, according to the researchers.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
