Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says
The worlds of politics and business often intersect in the physical world, and the realm of cyberspace is no different. This was probably no clearer than in 2013, which saw a number of politically motivated attacks against companies across the world. In a new report from Mandiant, now part of FireEye, researchers describe a threat landscape where political conflicts have spurred hackers into action in attacks against the private sector. But while much of the talk about cyberespionage and attacks on the US has often centered on China, increased activity by attackers with suspected links to Iran and Syria is increasingly catching the attention of security experts.
“Although Iran has long been considered a second-tier actor behind China and Russia, recent speculation has focused on Iran’s interest in perpetrating offensive network attacks against critical infrastructure targets,” according to the report. “Iran is widely suspected to have been behind the August 2012 malware infections that targeted the networks of two energy companies, Saudi Aramco and the Qatar-based RasGas. Industry observers suggested that the Iranian government sponsored the attack after an Iranian nuclear facility was infected with the Stuxnet virus, widely believed to have been the work of the U.S. and Israel.”
The energy sector in fact was one of the principal targets of many of the attacks suspected to be linked to Iranian-based hackers. Compared to hacking activities tied to China, the attacks seem less sophisticated. In the case of the Iranian-based attacks, the hackers tend to use publically-available tools rather than customized ones. They are only able to maintain a presence on compromised networks for an average of 28 days, compared with 243. In addition, 75% of the breaches suspected to be tied to Iranian hackers were detected by the victims, as opposed to 33% of attacks linked to China.
“What we did observe was activity consistent with network reconnaissance,” says Laura Galante, manager of threat intelligence at Mandiant. “These suspected Iran-based actors are able to compromise a network — albeit relying on victim networks with outdated vulnerabilities — and have gained local administrator access.”
“If these activities were simply capability tests for these actors then we would expect further probes and network reconnaissance in 2014,” Galante continues. “If the ability to compromise a network was the ultimate goal of the actors’ mission, then we believe the actors would be satisfied with their current level of success. The analytic problem is that we don’t know what the actors’ end goal was, so currently either scenario is equally plausible. As stated in the report, we don’t have indications that these actors are particularly adept at developing tools nor do they have a discernible focus after they have compromised a network.”
The Syrian Electronic Army (SEA), however, does appear to have a goal — gaining the public’s attention. The group has done this quite well. Since its inception in 2011, the SEA has successfully compromised more than 40 organizations, mainly websites and social media accounts belonging to major new agencies in the West, Mandiant reported.
“Mandiant’s observations of SEA activity over the course of 2013 revealed that the group used two tactics to gain access to victim organizations: sending phishing emails from internal accounts and, starting in August 2013, compromising service providers as a way to target victim organizations,” according to the report. “Mandiant believes the SEA will continue to penetrate high-profile targets in an effort to increase publicity for the Syrian regime and demonstrate support for its embattled president, Bashar al-Assad. Although these SEA intrusions have resulted in little more than websites defaced with the SEA logo and images of Assad, they have nonetheless brought the group to the world’s attention. More significantly, they have increased fear of cyber compromise among governments and corporations alike.”
The political attacks on news sites are part of an overall trend of attacks the firm observed during the year. Attacks on media and entertainment companies rose to 13% from 7% during 2012, according to the report.
“This uptick reflects the newer actors who have expanded the playing field,” explains Galante. “Groups like the SEA… hit media targets to further a political agenda and probably with the hopes of gaining news coverage.”
“2013 was an explosive year for the cybersecurity industry[,] a result of Mandiant’s APT1 report, The New York Times breach, and other organizations coming to the forefront to openly discuss their own incidents,” blogged Helena Brito, social manager at Mandiant. “In addition, President Obama discussed concerns about cyber-attacks in his annual State of the Union address. This was a huge step for the industry in terms of bringing advanced attacks to the forefront of the nation, and the world’s, attention.”
Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a … View Full Bio