London, 21 Sep – One cyber security firm warned on Tuesday that further attacks on the US and its interests abroad by an Iranian -aligned hacking collective remain possible as America reimposes more sanctions in November, following the launch of a major campaign targeting energy firms and others in the Mideast.
The firm FireEye said that the spear-phishing” email campaign has so far only involved hackers stealing information from infected computers, but warned that this is hack is similar to a type of malware that was used in attacks on Saudi Arabia that destroyed tens of thousands of computer terminals.
Alister Shepherd, a director for a FireEye subsidiary, said: “Whenever we see Iranian threat groups active in this region, particularly in line with geopolitical events, we have to be concerned they might either be engaged in or pre-positioning for a disruptive attack.”
The Iranian mission to the United Nations called the report “categorically false” and insisted that the capabilities are “purely defensive”, but that is the sort of thing they have previously said about their nuclear and ballistic weapons programmes and it hasn’t stopped them threatening their enemies with them.
FireEye, which works mostly with governments and large corporations, has named the Iranian hacker group APT33, which stands for advanced persistent threat. They report that APT33 has used phishing emails with fake job opportunities, even faking domain names, to gain access to the companies affected.
They previously spoke about the group in 2017, warning of the clear danger posed by Iranian government-aligned hacking groups. In 2012, Iranian hackers are believed to have released the Shamoon virus onto the computers of Saudi Arabian Oil Co. and Qatari natural gas producer RasGas, which deleted hard drives and displayed on-screen a picture of a burning American flag. Saudi Aramco shut down its network and destroyed over 30,000 computers to stop the virus from spreading further.
Shepherd reported that during the month of July, FireEye saw a tenfold increase in the number of emails sent to their clients by APT33, but warned the number could be much higher. The emails purport to be from a Mideast oil and gas company interested in hiring workers from sectors as diverse as marketing and education based in the Mideast, North America and Japan.
FireEye reports that there are many clues that point to Iran backing APT33, from the use of the Farsi language to hacking taking place during the Iranian workweek.
Shepherd said: “Since we started tracking APT33 in 2013, their sophistication has definitely improved. We wouldn’t put them on the same level as some of the more-sophisticated Russian groups, for instance, in terms of capability. But they are a very capable group and they manage to meet their objectives, which is to compromise institutions in both the government and private sector and steal data.”