SAN FRANCISCO — A suspected Iranian hacking group has been targeting aviation and energy companies in the United States, Saudi Arabia and South Korea since 2013, computer security company FireEye said in a report released Wednesday.
The group appears to have engaged mostly in quiet espionage, feeding Iranian military and corporate interests information about potential adversaries and competitors. However, the researchers also found signs of a data-destroying program capable of wiping disks, erasing volumes and deleting files at affected companies in the Middle East, said John Hultquist, director of intelligence analysis at FireEye.
During its investigation, FireEye found links between the group and malicious software it calls SHAPESHIFT, which is capable of destroying data within a company's network. FireEye said it had not directly observed the hackers carry out any destructive operations, but the capability appears to be present.
Hultquist said the fact that the destructive programs weren't deployed in the United States and South Korea reflected the hackers' marching orders, not their abilities.
“If they were missioned differently they could have dropped the destructive malware on any of the targets they’d hit. I think it was just a matter of the orders they’d been given,” he said.
It’s been done in the past. A hugely destructive cyber attack in 2012 against Saudi Aramco, one of the world’s largest oil companies, erased data on more than 75% of the company’s computers. U.S. officials later blamed Iranian hackers for the attack.
In 2014, an attack on the Sands Hotel and Casino wiped computer systems and caused millions of dollars of damage. The attack has been attributed by some to Iran.
“Nation states are increasingly laying the ground work for future disruptive and destructive attacks — planting the seeds they can harvest as needed in the future,” said Galina Antova, co-founder of Claroty, a New York-based company that secures industrial control systems.
“It is widely believed that those campaigns were laying the ground work for the possibility of future disruption should political winds lead to the need to do so,” she said.
The lack of actual attacks in the case of APT33 isn't a sign of safety, said Hultquist.
“Today it looks like they’re mostly carrying out espionage. Tomorrow they could shift to attacking. This is the early warning, our opportunity to recognize the danger and work out protections against them ahead of time,” he said.
The group, which FireEye researchers dubbed "APT33," has shown particular interest in both commercial and military aviation companies as well as energy companies tied to petrochemical production. APT stands for Advanced Persistent Threat: an attacker that gains access to a network and covertly gathers information over a long period, typically rather than seeking to damage the network or the organization.
From mid-2016 through early 2017, APT33 used job-recruitment phishing emails aimed at higher-level employees to compromise an unnamed U.S. aerospace company and to target a Saudi Arabian business conglomerate with aviation holdings, the report said.
The group registered multiple Internet domains that masqueraded as legitimate companies, including Boeing, Northrop Grumman Aviation Arabia, Alsalam Aircraft Company and Vinnell Arabia, so that its phishing emails appeared to come from those firms.
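The recruitment lure plus a sender domain dressed up as a well-known company is the pattern a mail gateway or SOC can screen for. The script below is an added example, not code from the original article or from FireEye: it parses the From: header, checks the sender's domain against a defender-maintained list of protected brands for three impersonation shapes (typosquatting or brand on another TLD, brand embedded in a longer domain, brand used as a subdomain of an unrelated domain), and escalates when the subject also carries a recruitment lure. boeing.com and northropgrumman.com are those companies' real domains; the two ".example" entries, the edit-distance thresholds, the lure word list and every sample message are constructed assumptions, not domains the report observed.

```python
"""Lookalike-sender triage for recruitment-themed phishing (added example).

Flags senders whose domain imitates a protected company by typosquatting,
embedding the brand in another registrable domain, or using the brand as
a subdomain of an unrelated domain, and escalates when the subject carries
a recruitment lure. The protected list, thresholds and sample messages
below are constructed for illustration, not taken from the FireEye report.
"""
from email.utils import parseaddr

# brand token -> registrable domains genuinely allowed to send as that brand.
# boeing.com and northropgrumman.com are those companies' real domains; the
# two ".example" entries are assumed placeholders a defender would replace.
PROTECTED = {
    "boeing": {"boeing.com"},
    "northropgrumman": {"northropgrumman.com"},
    "alsalam": {"alsalam.example"},   # assumed
    "vinnell": {"vinnell.example"},   # assumed
}

# Constructed lure vocabulary for the job-recruitment theme.
RECRUITMENT_WORDS = ("job", "career", "vacancy", "recruit", "position", "opportunity")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short, so the O(|a|*|b|) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the From: address, lowercased; empty string if unparseable."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().strip(".")


def classify_domain(domain: str) -> list:
    """Return (brand, reason) pairs for each protected brand the domain imitates."""
    if not domain or "." not in domain:
        return []
    labels = domain.split(".")
    # Naive registrable domain = last two labels; multi-part public suffixes
    # such as .co.uk need a public-suffix list in production.
    registrable = ".".join(labels[-2:])
    compact_sld = labels[-2].replace("-", "")
    subdomains = [label.replace("-", "") for label in labels[:-2]]
    findings = []
    for brand, allowed in PROTECTED.items():
        if registrable in allowed:
            continue  # the brand's own domain: nothing to flag
        max_edits = 1 if len(brand) < 6 else 2  # tighter bound for short brands
        if brand in subdomains:
            findings.append((brand, "brand-as-subdomain"))
        elif levenshtein(brand, compact_sld) <= max_edits:
            findings.append((brand, "lookalike-sld"))  # also catches brand.other-tld
        elif brand in compact_sld:
            findings.append((brand, "brand-embedded"))
    return findings


def triage(msg: dict) -> dict:
    """Lookalike sender plus a recruitment lure is the pattern to block outright."""
    findings = classify_domain(sender_domain(msg["from"]))
    lure = any(w in msg["subject"].lower() for w in RECRUITMENT_WORDS)
    if findings and lure:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "findings": findings, "recruitment_lure": lure}


# Constructed sample messages (headers only); none are real observed senders.
SAMPLES = [
    {"from": "Boeing Careers <hr@boeing.com>", "subject": "Job opportunity"},
    {"from": "Boeing Recruitment <jobs@boeing-careers.net>", "subject": "Career opportunity at Boeing"},
    {"from": "HR Team <talent@northropgrumman.example-recruit.com>", "subject": "Vacancy: engineering positions"},
    {"from": "IT Support <noreply@boeng.com>", "subject": "Password reset required"},
    {"from": "Newsletter <news@example.org>", "subject": "Weekly job digest"},
]


def run_samples() -> list:
    """Verdict per sample message, in order."""
    return [triage(m)["verdict"] for m in SAMPLES]


if __name__ == "__main__":
    for m in SAMPLES:
        r = triage(m)
        print(f"{r['verdict']:6} {sender_domain(m['from']):42} {r['findings']}")
```

The check deliberately keys on the registrable domain rather than the display name, because the display name is attacker-controlled and trivially spoofed; the last sample shows that a recruitment subject alone is not enough to flag a message, which keeps the rule from drowning a help desk in genuine job mail. In production, replace the two-label registrable-domain heuristic with a public-suffix list and feed the verdict into your gateway's quarantine rather than just printing it.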
The same group also targeted a South Korean company with interests in oil refining and petrochemicals, FireEye said. South Korean energy companies have business relationships with both Saudi Arabian and Iranian petrochemical companies.
FireEye researchers believe the Iranian group may be targeting the companies for several reasons:
– industrial espionage to enhance Iran's domestic aviation capabilities;
– support for Iran's military and strategic decision-making with regard to Saudi Arabia;
– helping Iranian petrochemical companies compete against Saudi Arabian ones.
According to FireEye, “we assess APT33 works at the behest of the Iranian government” in part because the organizations targeted by the attack campaigns indicate a search for strategic intelligence that would benefit a government or military sponsor.
Such activities, especially in tightly controlled nations, are at least tacitly sponsored by the government in question, said Antova.
“These may not be actors working with or for the government — they may not sit in government buildings, etc. — but they are operating in the broader national interest,” she said.
FireEye is a high-profile computer security group based in Milpitas, Calif. with strong ties to U.S. military and intelligence agencies.
Source: "U.S. aviation company targeted by Iranian hackers, FireEye says," 932 words, published on www.usatoday.com on September 20, 2017.