London, 20 Sep – Hackers associated with Iran launched a major campaign that targets Middle East energy firms and others ahead of the initial US sanctions in August, according to American cyber security firm FireEye, warning that further attacks could be coming before the upcoming sanctions against Iran ’s oil industry come into effect in November.
FireEye said on Tuesday that the “spear-phishing” email campaign allows hackers to steal information from infected computers, but caution that the malware used in similar to one that destroyed tens of thousands of terminals in Saudi Arabian oil company Saudi Aramco, deleting the hard drives and displaying a picture of a burning American flag on the monitors.
Alister Shepherd, a director for a FireEye subsidiary, said: “Whenever we see Iranian threat groups active in this region, particularly in line with geopolitical events, we have to be concerned they might either be engaged in or pre-positioning for a disruptive attack.”
FireEye refers to the Iranian hackers as APT33, an acronym for “advanced persistent threat”, citing that the group would target its victims by using phishing emails with fake job opportunities, even faking domain names to make the messages look legitimate. Often the email appears to be from a Middle East oil and gas company and the targets are organizations, from utilities to education, in the Middle East, North America and Japan.
FireEye previously discussed the group last year, but was keen to outline the dangers of the Iranian hackers, citing a tenfold increase in the number of emails sent out by APT33 between July 2 and July 29. They also warn that the numbers may be much higher still as FireEye’s data only include their own clients. They said the attacks appear targeted in nature.
FireEye also revealed that they believe that APT33 is being led by Iran for several reasons:
1. Hackers communicate in Farsi
2. Hackers use Iranian workweek (Sat-Wed) and communicate during Iranian office hours
3. Hackers are targeting firms in the US and its allies, including Bahrain, Kuwait, Oman, Qatar, Saudi Arabia and the United Arab Emirates
Shepherd said: “Since we started tracking APT33 in 2013, their sophistication has definitely improved… We wouldn’t put them on the same level as some of the more-sophisticated Russian groups, for instance, in terms of capability. But they are a very capable group and they manage to meet their objectives, which is to compromise institutions in both the government and private sector and steal data.”