Iran, Syria Cyber Activity On Rise

Tuesday, April 15, 2014 @ 10:04 AM gHale


A hike in activity by attackers with suspected links to Iran and Syria continues to catch the eye of security researchers, a new report said.

The threat landscape continues to evolve, with political conflicts spurring hackers into action in attacks against the private sector. When most people talk about cyberespionage and attacks on the U.S., China is usually the first country mentioned. But reality is showing some interesting twists, as attackers with suspected links to Iran and Syria are increasingly catching the attention of security experts, according to a new report from Mandiant.

“Although Iran has long been considered a second-tier actor behind China and Russia, recent speculation has focused on Iran’s interest in perpetrating offensive network attacks against critical infrastructure targets,” according to the report. “Iran is widely suspected to have been behind the August 2012 malware infections that targeted the networks of two energy companies, Saudi Aramco and the Qatar-based RasGas. Industry observers suggested that the Iranian government sponsored the attack after an Iranian nuclear facility was infected with the Stuxnet virus.” ISSSource reported the Stuxnet attack was a joint effort between the U.S. and Israel to slow down or halt the nuclear buildup in Iran.

The energy sector was in fact one of the principal targets of many of the attacks linked to Iranian-based hackers. Compared to hacking activities tied to China, the attacks seem less sophisticated. In the case of the Iranian-based attacks, the hackers tend to use publicly available tools rather than customized ones. They are only able to maintain a presence on compromised networks for an average of 28 days, compared with 243. In addition, 75 percent of the breaches tied to Iranian hackers were detected by the victims, as opposed to 33 percent of attacks linked to China.

“What we did observe was activity consistent with network reconnaissance,” said Laura Galante, manager of threat intelligence at Mandiant. “These suspected Iran-based actors are able to compromise a network — albeit relying on victim networks with outdated vulnerabilities — and have gained local administrator access.”

“If these activities were simply capability tests for these actors then we would expect further probes and network reconnaissance in 2014,” Galante said. “If the ability to compromise a network was the ultimate goal of the actors’ mission, then we believe the actors would be satisfied with their current level of success. The analytic problem is that we don’t know what the actors’ end goal was, so currently either scenario is equally plausible. As stated in the report, we don’t have indications that these actors are particularly adept at developing tools nor do they have a discernible focus after they have compromised a network.”

The Syrian Electronic Army (SEA), however, does appear to have a goal: gaining the public’s attention. The group has done this quite well. Since its inception in 2011, the SEA has successfully compromised more than 40 organizations, mainly websites and social media accounts belonging to major news agencies in the West, Mandiant said in the report.

“Mandiant’s observations of SEA activity over the course of 2013 revealed that the group used two tactics to gain access to victim organizations: Sending phishing emails from internal accounts and, starting in August 2013, compromising service providers as a way to target victim organizations,” according to the report. “Mandiant believes the SEA will continue to penetrate high-profile targets in an effort to increase publicity for the Syrian regime and demonstrate support for its embattled president, Bashar al-Assad. Although these SEA intrusions have resulted in little more than websites defaced with the SEA logo and images of Assad, they have nonetheless brought the group to the world’s attention. More significantly, they have increased fear of cyber compromise among governments and corporations alike.”

The political attacks on news sites are part of an overall trend of attacks the firm observed during the year. Attacks on media and entertainment companies rose to 13 percent from 7 percent during 2012, according to the report.

“This uptick reflects the newer actors who have expanded the playing field,” said Galante. “Groups like the SEA… hit media targets to further a political agenda and probably with the hopes of gaining news coverage.”
