There’s a new politically motivated hacker gang to keep track of, one that started out defacing websites but which has progressed more recently into conducting full-blown campaigns of cyber espionage abroad and political oppression at home. And it is based in Iran.
Security firm FireEye has dubbed the group the Ajax Security Team in a report it released this morning. It is the latest example of what FireEye likes to call an Advanced Persistent Threat, a phrase it first used last year when it ferreted out a unit of China’s People’s Liberation Army conducting information warfare and computer espionage against American, British and Canadian companies and government agencies.
So what does team Ajax do? First, it’s important to note that FireEye can’t say whether or not this is a group that is acting alone or under orders from the Iranian government. Often those lines are kind of blurry. Sometimes an attack is carried out by a couple of people who think it’s their patriotic duty. Other times there are plausibly deniable links between these people and branches of government agencies.
Ajax’s typical modus operandi in these cases has been to find ways to install malware on the computers of their targets: Either people working in the defense industry, or potential political dissidents in Iran.
In one case, they set up a website meant to impersonate that of a high-profile aviation industry conference by creating a site that looked just like the legitimate one. They emailed people attending that conference, inviting them to sign in to the site; when those people visited, they were notified that they had to install “proxy” software in order to use the site. The proxy software turned out to be malware.
In another case, again with people in the defense industry in mind, they created fake sites that looked like sign-ins for Microsoft’s Outlook that were intended to trick the unwitting into giving up their user names and passwords.
But they also spied on people inside Iran. In that country, people who access the Internet are required to install filters that block access to sites the Islamic government considers unacceptable, prompting Reporters Without Borders to brand Iran an “Enemy of the Internet.” Local Iranians have naturally sought to get around the filters using tools like Proxifier, Psiphon and Ultrasurf.
Several distributions of those tools circulated in Iran and to Persian-speaking people were found to have been laced with malware. That malware was capable of a lot of nasty things: Logging the user’s keystrokes, harvesting the contents of their instant messages and stealing email account information. The apparent point of the campaign was to find and target people who were using tools to bypass the censorship filters.
The report also documents the command-and-control infrastructure that the group set up — essentially a series of servers that controlled the malware and collected the stolen data. After analyzing data gathered on about 77 individual victims of the two campaigns, FireEye determined that 44 had their computers’ time zones set to Iran Standard Time, and, of those, 37 were using machines with Persian as the default language. Twelve had installed Proxifier or Psiphon. And most were located in Iran.
The report traces the group’s founding in 2010 to two people using the handles “HUrric4nE!” and “Cair3x.” They engaged in the usual activities of the hacker underground — defaced a few sites, published a few vulnerabilities — mostly to gain street cred among their peers.
In 2012, the group — with a few more members — took a political turn. It participated in OpIsrael and OpUSA, two largely failed attempts to execute a series of coordinated cyber attacks against Israel and the U.S.
As of this year, the group’s ranks had appeared to dwindle, but founding member HUrric4nE! appears to still be active, having been implicated in spear-phishing attacks against companies in the U.S. and directly tied to the political malware campaign in Iran, FireEye says.
It’s worth remembering here that Iran has been a fertile ground for cyberwar already. It was the target of some of the most advanced and consistent attacks ever carried out by the combined efforts of the U.S. and Israel. The Stuxnet worm targeted Iran’s nuclear research facilities, causing several centrifuges at Natanz to explode. Gauss sought to steal information and money from people involved in it.
The Stuxnet attacks in particular motivated Iran to boost its capabilities in the cyberwar game and, according to at least one academic, may have helped it improve its nuclear capabilities in the long run. Iran was said to have participated in a series of attacks against U.S.-based banks in 2011 and 2012 in retaliation.