A hacking group believed to be operating from Iran has conducted multiple cyber espionage operations using tailored malware.
Named the Ajax Security Team, particulars of the group were laid out in research by FireEye, who detailed the activities in what it calls “Operation Saffron Rose”. It said that it has transitioned from performing website defacements, which it did before 2010, to malware-based espionage. Targets include companies in the defence industrial base (DIB) within the Unites States, as well as local Iranian users of Proxifier or Psiphon, which are anti-censorship technologies that bypass Iran’s Internet filtering system.
Tactics used include spear phishing using a fake conference conference page as a lure that required the recipient to install “proxy” software in order to access it, which is actually malware. It has also phished for credentials via tailored login pages.
The most commonly-used malware is called “Stealer”, which is not publicly available. This drops a malicious executable and has various data collection modules to exfiltrate data over FTP. “There is code to exfiltrate data over HTTP POST as well, but it is unused. We also found incomplete code that would perform SFTP and SMTP exfiltration, which could be completed in a future version,” it said.
The Ajax Security Team website had a web forum with at least 236 members, but there has been no defacements since December 2013, and by early 2014 the operation appears to have ended.
Security researcher Lewis Henderson told IT Security Guru that a hacking group based in Iran is recruiting globally and this isn’t nation state, but they are just using it as a hideaway essentially. “They are recruiting people with SCADA and industrial control skills, so they can begin taking out western infrastructure,” he said.
A prominent member is named “HUrr!c4nE!”, who is engaged in operations that align with Iran’s
political objectives, according to FireEye. It said: “Recruiting hackers through this model allows Iran to influence their activities, and provides the Iranian Government plausible deniability, but a lack of direct control also means that the groups may be unpredictable and engage in unsanctioned attacks.”
Nart Villeneuve, senior threat intelligence researcher at FireEye, said: “There is an evolution underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding its offensive cyber capabilities.
“We have witnessed not just growing activity on the part of Iranian-based threat actors but also a transition to cyber-espionage tactics. We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets’ machines for longer-term initiatives.”