Following the recent killing of the Iranian general Qasem Soleimani, many security experts and users have turned their attention to Iranian and Iran-linked hacking groups. The country has a large pool of experienced computer specialists, including malicious hackers. This article gives an overview of the methods these groups use most widely and of the consequences we may expect.
Multiple hacking groups are believed to originate from the country. Some of them may be state-sponsored, while others may be recruited by Iran and tied to agendas that benefit Iranian companies or individuals.
One of the best-known examples is the group known as OilRig, which developed the BondUpdater Trojan. The group is notorious for operating under multiple aliases and for carrying out large-scale attacks against high-profile targets. This state-sponsored group is believed to be linked to the country’s intelligence agency. The attack observed was aimed at a “high-ranking office” located in a Middle Eastern country, and its main distribution tactic was macro-infected documents.
Leaked data tied to OilRig and to another collective known as the “Rana Institute” has been posted online on hacker markets and in dedicated information repositories. The success of their campaigns relies mainly on combining two means of intrusion: phishing campaigns and the exploitation of vulnerabilities in web servers operated by the victims.
What is notable about the Iranian hackers is that they research and combine techniques in order to achieve the highest possible success rate. A good example is the OilRig group, which set up a hacker-controlled site impersonating a professional networking service, complete with associated files. The operators then used social engineering, posing as a Cambridge University lecturer and inviting the targets to join the fake network. When a target opens the link and interacts with the contents, a script triggers delivery of the malware.
Iranian Hacker Groups Use Elaborate Tactics
The Iranian hackers are known to produce many kinds of malicious documents in all the popular Microsoft Office file formats. As soon as such a document is opened, the user is shown a prompt asking to enable the built-in macros. If the user agrees, the embedded Trojan code runs and behaves as expected of such implants: it registers itself as a scheduled task for persistence, harvests sensitive information, and opens a connection that lets the operators take control of the infected machine.
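As an added illustration (not code from the article or from any of the groups it describes), the following Python script shows the check a defender can run before such a document ever reaches a user: inspect the OOXML package structure for a VBA project rather than trusting the file extension. The sample documents are constructed in memory and carry only the structural markers of a macro-enabled file; the file names are hypothetical.

```python
import io
import zipfile

# Content types Word declares for the main document part. The macro-enabled
# variant (.docm) is what a macro-laden lure normally carries.
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument"
            ".wordprocessingml.document.main+xml")


def build_sample_ooxml(main_content_type, with_vba):
    """Construct a minimal OOXML package in memory (sample input, not a real lure).

    It only carries the structural markers the detector looks for: the
    [Content_Types].xml manifest and, optionally, a word/vbaProject.bin part.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = ['<?xml version="1.0" encoding="UTF-8"?>',
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
              f'<Override PartName="/word/document.xml" ContentType="{main_content_type}"/>']
        if with_vba:
            ct.append('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
            # Fake VBA project: OLE compound-file magic followed by padding.
            z.writestr("word/vbaProject.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
        ct.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(ct))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def macro_indicators(data):
    """Return the reasons an OOXML file should be treated as macro-enabled.

    An empty list means no macro markers were found. The check reads the
    package structure, not the file extension, so a .docm renamed to .docx
    is still caught.
    """
    reasons = []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary formats (.doc/.xls) are OLE containers, not zips, and
        # need a separate OLE stream check; flag them for manual review.
        return ["not an OOXML zip container (legacy OLE format or corrupt file)"]
    with z:
        names = z.namelist()
        for n in names:
            if n.lower().endswith("vbaproject.bin"):
                reasons.append(f"embedded VBA project part: {n}")
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroenabled" in ct.lower():
                reasons.append("content type declares a macroEnabled document")
            if "vnd.ms-office.vbaProject" in ct:
                reasons.append("content type registers a vbaProject part")
    return reasons


def assess(filename, data):
    """Combine the structural indicators with an extension-mismatch check."""
    reasons = macro_indicators(data)
    non_macro_ext = (".docx", ".xlsx", ".pptx")
    if reasons and filename.lower().endswith(non_macro_ext):
        reasons.append("extension claims no macros but package contains them")
    return reasons


if __name__ == "__main__":
    # Hypothetical file names; the documents are constructed above.
    for name, doc in [("invoice.docx", build_sample_ooxml(PLAIN_CT, False)),
                      ("invoice.docx", build_sample_ooxml(MACRO_CT, True)),
                      ("report.docm", build_sample_ooxml(MACRO_CT, True))]:
        print(name, assess(name, doc) or "clean")
```

The extension-mismatch branch is the one worth keeping in a mail gateway: a lure that declares itself macro-enabled but is named `.docx` is trying to slip past filters that only look at the file name.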
Web servers owned by the victims are primarily targeted with exploits and brute-forced with automated toolkits. The criminals may also buy whole “packs” of stolen account credentials on underground markets; these credentials are loaded into the same tools and replayed against the victims’ login pages (credential stuffing).
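As an added example (not part of the original article), the following Python detection logic runs over a constructed set of login log lines and separates the two patterns described above: a brute-force attack that hammers one account, and credential stuffing, where a purchased credential pack yields many distinct usernames tried once or twice each. The log format, the source addresses (RFC 5737 documentation ranges) and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of web-application login events (not from any real
# incident). Source addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2020-01-08T03:12:01Z src=203.0.113.7 user=jsmith result=FAIL
2020-01-08T03:12:02Z src=203.0.113.7 user=a.khan result=FAIL
2020-01-08T03:12:02Z src=203.0.113.7 user=mlee result=FAIL
2020-01-08T03:12:03Z src=203.0.113.7 user=rpatel result=FAIL
2020-01-08T03:12:03Z src=203.0.113.7 user=dgarcia result=FAIL
2020-01-08T03:12:04Z src=203.0.113.7 user=hwong result=SUCCESS
2020-01-08T03:15:10Z src=198.51.100.9 user=admin result=FAIL
2020-01-08T03:15:11Z src=198.51.100.9 user=admin result=FAIL
2020-01-08T03:15:11Z src=198.51.100.9 user=admin result=FAIL
2020-01-08T03:15:12Z src=198.51.100.9 user=admin result=FAIL
2020-01-08T03:15:12Z src=198.51.100.9 user=admin result=FAIL
2020-01-08T03:15:13Z src=198.51.100.9 user=admin result=FAIL
2020-01-08T03:15:13Z src=198.51.100.9 user=admin result=FAIL
2020-01-08T03:15:14Z src=198.51.100.9 user=admin result=FAIL
2020-01-08T03:20:00Z src=192.0.2.5 user=jsmith result=FAIL
2020-01-08T03:20:09Z src=192.0.2.5 user=jsmith result=SUCCESS
"""

# Assumed log layout: key=value fields for source, user and outcome.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)")


def summarize(log_text):
    """Aggregate login outcomes per source address."""
    stats = defaultdict(lambda: {"fails": 0, "users": set(), "success_after_fail": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line; a production collector would count these
        s = stats[m["src"]]
        s["users"].add(m["user"])
        if m["result"] == "FAIL":
            s["fails"] += 1
        elif s["fails"] > 0:
            # A success from a source that was already failing is the event
            # that matters most: a stuffed credential that worked.
            s["success_after_fail"].add(m["user"])
    return stats


def classify(stats, fail_threshold=5, user_threshold=5):
    """Label sources whose failure count crosses the threshold.

    Many distinct usernames from one source points to a credential pack being
    replayed; one or a few usernames with many tries points to brute force.
    """
    verdicts = {}
    for src, s in stats.items():
        if s["fails"] < fail_threshold:
            continue  # e.g. a legitimate user mistyping a password once
        if len(s["users"]) >= user_threshold:
            verdict = "credential stuffing (many distinct users, few tries each)"
        else:
            verdict = "brute force (few users, many tries)"
        if s["success_after_fail"]:
            verdict += "; SUCCESS after failures for " + ", ".join(sorted(s["success_after_fail"]))
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(summarize(SAMPLE_LOG)).items():
        print(src, "->", verdict)
```

On the constructed log the script flags 203.0.113.7 as credential stuffing with a successful login for `hwong`, flags 198.51.100.9 as brute force against `admin`, and leaves 192.0.2.5 (one failure, then success) alone. Per-source counting is only a first cut: packs are often replayed from many addresses, so the same aggregation should also be run per target username across sources.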
The hackers have also been found to target servers running Outlook and Exchange services, which organisations use for email and groupware communication. This is done by planting a backdoor that injects malicious code into the pages served to the browsers that open them. Running that code leads to the usual consequences:
- Data Theft — The Trojan and backdoor code is programmed to harvest information that may reveal account credentials or personal details about the victims. This can be used for further social-engineering campaigns or for blackmail.
- Windows Registry Modification — Some of the captured samples can edit or delete existing Windows Registry values. This can cause system problems to the point of rendering the machines practically unusable, and users may encounter unexpected errors and data loss.
- Data Transmission — All hijacked files are automatically uploaded to the hackers over the established connection. The same channel lets the hackers take over the machines: they can spy on the victims, manipulate data and install further threats.
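As an added example (not from the article or from any vendor tooling), the following Python script shows one practical check for the kind of server-side tampering described above: baseline the web root with file hashes, diff it later to catch modified or newly dropped pages, and scan the changed pages for script tags that load code from hosts outside an allow-list. The web root, the page names and the injected host cdn.example.net are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Report files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


# Matches <script ... src="//host/..."> and src="http(s)://host/..." and captures the host.
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\'](?:https?:)?//([^/"\'\s]+)', re.I)


def foreign_script_hosts(html, allowed_hosts):
    """Return script hosts referenced by the page that are not on the allow-list."""
    hosts = {h.lower() for h in SCRIPT_SRC.findall(html)}
    return sorted(h for h in hosts if h not in allowed_hosts)


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Build a constructed fake web root, baseline it, tamper with it, and report.

    The paths, the page contents and the injected host cdn.example.net are
    hypothetical; only the hosts the site itself serves from are allowed.
    """
    allowed = {"mail.example.com"}
    with tempfile.TemporaryDirectory() as root:
        _write(root, "owa/auth/logon.aspx",
               '<html><head><script src="https://mail.example.com/owa/auth/logon.js">'
               '</script></head><body>Sign in</body></html>')
        _write(root, "owa/auth/logon.js", "function submitForm(){}")
        baseline = build_manifest(root)

        # Simulated tampering: a script tag injected into the logon page and a
        # new server-side page dropped beside it.
        _write(root, "owa/auth/logon.aspx",
               '<html><head><script src="https://mail.example.com/owa/auth/logon.js">'
               '</script><script src="//cdn.example.net/k.js"></script></head>'
               '<body>Sign in</body></html>')
        _write(root, "owa/auth/keepalive.aspx", '<%@ Page Language="C#" %>')

        changes = diff_manifest(baseline, build_manifest(root))
        suspicious = {}
        for rel in changes["modified"] + changes["added"]:
            with open(os.path.join(root, *rel.split("/")), encoding="utf-8") as fh:
                hosts = foreign_script_hosts(fh.read(), allowed)
            if hosts:
                suspicious[rel] = hosts
        return changes, suspicious


if __name__ == "__main__":
    changes, suspicious = demo()
    print("changes:", changes)
    print("pages loading scripts from unexpected hosts:", suspicious)
```

The baseline must be taken from a known-good deployment and stored off the server; a backdoor with write access to the web root can just as easily rewrite a manifest kept beside the pages. The allow-list catches injected loaders that point at an outside host, but inline script is only caught by the hash diff, which is why both checks are run.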
Further Iranian attacks are to be expected, because several highly experienced groups are able to plan custom campaigns against high-profile targets. They can draw on different technologies and constantly refine their strategies.