New hacking threat from Iran detected, cyber firm says

Photo illustration: Yahoo News; photos: Getty, AP

Tel Aviv, ISRAEL — New research released today by the cybersecurity firm FireEye identifies a new Iranian hacking group targeting telecommunications companies and transportation companies to gather information on individuals. The new group, designated Advanced Persistent Threat 39, is based in Iran and is suspected to be state sponsored, according to a senior researcher with FireEye.

“APT39 is an Iranian cyber espionage actor that FireEye intelligence has tracked since November of 2014,” Ryan Whelan, a senior manager for strategic intelligence operations at FireEye, announced Tuesday at a cyber conference in Tel Aviv. “We assess APT39’s principal activity is to conduct operations to support Iranian operations in other areas and by other groups, or other organizations.”

Whelan said FireEye had tracked the group for more than four years and was confident it was Iranian, based on Persian-language intercepts and domain registries linked to Iran.

APT39’s targeting is global, but the “majority of [its] operations are centered in the Middle East,” including Israel, Whelan said.

In a blog post the company posted Tuesday morning, FireEye says “APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.” The group appears to be gathering information on people as a way to launch further operations.

In 2017, FireEye identified another group, called APT34, that was also targeting organizations involved in critical infrastructure in the Middle East. The overlap of this new group with APT34, as well as other Iranian-government associated groups, suggests this one is “state operated,” Whelan said.

FireEye believes this new group is distinct from APT34, “but they do share similarities and resources within the Iranian apparatus,” he said.

Among other similarities, both APT34 and APT39 were using the names of famous Iranian film directors to register domains. Those directors “are not complicit,” Whelan said.

APT39 was mainly focused on stealing personal data, according to Whelan. “This differentiates them from previous Iranian APT actors,” he said.

While the group has targeted transportation and telecom firms, Whelan said one of the ultimate targets appears to be a “specific Middle Eastern oil and gas company,” though he didn’t name it. He said the attackers penetrated a telecom company and ran searches on customer logs and employee data for the oil and gas company. Whelan said it appeared that the hackers were trying to obtain information that could be commercially useful.

But what appears to be most striking about this new group is its focus on collecting intelligence on individuals, which has been a priority of other recent suspected state-sponsored hacks. That appears to have parallels to other attacks, according to John Hultquist, who manages intelligence analysis at FireEye.

“It’s useful to compare this actor to the Chinese one who targeted [U.S. Office of Personnel Management], insurance, travel for similar reasons,” Hultquist wrote to Yahoo News.

“Iran’s interest in the cyber domain is consistent with its preference for asymmetric and indirect conflict while disguising its hand,” said Behnam Ben Taleblu, a research fellow at the Foundation for Defense of Democracies, in an interview with Yahoo News.

“However, stealing personal information and penetrating networks, as reported of APT39, offers Iran an array of targets for future exploitation should the regime need to escalate against the West,” he continued.

The Iranian Interests Section at the Pakistani Embassy, Iran’s consular representation in the U.S., did not respond to a request for comment on the new research.

The Trump administration has ramped up its rhetoric against Iran in recent months. In 2018, President Trump announced his intention to end the multilateral nuclear pact, and the White House is currently in a battle with European allies over the imposition of sanctions on Tehran.

“We are aware of reports claiming that Iran is increasing its cyber hacking activities,” a State Department spokesperson wrote in a statement. “The United States is deeply concerned with the Iranian regime’s malicious cyber activity. We express particular concern for cyber activities targeting critical infrastructure that have the potential for disruptive or destructive consequences.”
