The security firm has tracked one suspected Iranian group, Ajax Security Team - led by hacker ‘HUrr!c4nE!', that used a fake 2014 IEEE Aerospace Conference web page to infect people with ‘Stealer' Trojan malware to capture user credentials, steal documents and gain access to company networks.
FireEye has not identified the victims or data lost in this attack, but says Ajax is also targeting people opposed to Iran's repressive regime, by planting malware in anti-censorship tools which has netted 77 victims.
But Ajax is not just acting on behalf of the Tehran Government - one member has also been perpetrating banking fraud, FireEye told SCMagazineUK.com.
The escalation in Iran began after the 2010 Stuxnet attack on Tehran's nuclear development programme, leading to Ajax becoming the first Iranian group to engage in full-on cyber espionage in 2013 and 2014.
Jason Steer, FireEye director of technology strategy, said this mimics trends seen in China and in Syria with the ‘successful' development of the Syrian Electronic Army.
He told SCMagazineUK.com: “There is a co-ordination between these probably hobbyist attackers previously in Iran, realising that if they work with the Government, not only do they get protection and all the resources they need to help them, they can also probably do some of the other things they want to do under that umbrella of protection.
“That's the bit that's interesting - we can see one of the individuals in the Ajax Security Team has also been perpetrating banking fraud. Clearly he's enjoying the benefit of protection from the Iranian Government whilst perhaps being enabled on behalf of the Government to perpetrate some of these attacks against the defence base and other targets that they perceive they want to challenge or disrupt.”
Asked if UK defence firms were at risk, Steer said: “The samples that we've seen have all linked back to US-targeted organisations but that probably will change at some point. The industrial base in the UK is quite strong as is the economy and one can imagine that they are equally a target for Iranian organisations.”
FireEye's report on the threat, titled Operation Saffron Rose, said the attacks are based on the Stealer Builder backdoor malware and a second tool that encrypts the material collected. Ajax is using malware tools that do not appear to be publicly available or in use by any other threat groups, the report says.
It stressed: “The relationship between these groups and the Iranian government remains inconclusive,” but found: “These attacks align with state-encouraged attacks. Recruiting hackers through this model allows Iran to influence their activities, and provides the Iranian Government plausible deniability. But a lack of direct control also means that the groups may be unpredictable and engage in unsanctioned attacks.”
Security expert Sarb Sembhi, chair of ISACA's international GRA sub-committee for Europe and Africa and director of consulting at research firm Incoming Thought, told SC: “ “The interesting thing about this activity in Iran is that in most other countries they would be called hacktivists and the Government would be clamping down on them. But here it seems like they are being supported or at the very least overlooked by the Iranian Government.
“They are likely state supported and that means they are likely to get away with activities at a much higher level. They are hacktivists of a completely different kind.”
Asked how UK organisations should respond to the growing threat, Sembhi advised: “It comes down to whether your organisation is likely to be a direct target – those at risk could be anyone from a five-person charity that highlights something going on in Iran that the Iranian government doesn't agree with, or a five-person company in defence, or a large government department or defence supplier. What matters is the activity you're involved in and its effect on Iran.”
He added: “That means most organisations are less likely to be targets of this group than cyber criminals who would typically be running automated tools. The borderline is possibly where you are an organisation that is supplying third-party services to an organisation that is a direct target, and then you may also be at risk.”