The Latest FireEye News
Product and Solution Information, Press Releases, Announcements
|FireEye Reveals Rise in Advanced Threat Activities by Iranian-Linked Ajax Security Team In Post Stuxnet Era|
|Posted: Tue May 13, 2014 04:01:14 PM|
Evidence Linking Hacker Group to Iran Shows Increasing Sophistication in Attacks Targeting U.S. Defense Organizations and Iranian Dissidents
Milpitas, CA -- May 13, 2014 -- FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today's advanced cyber attacks, today released “Operation Saffron Rose,” a research report detailing the activities of a cyber-espionage group likely based in Iran. The group, which FireEye researchers are dubbing the Ajax Security Team, has progressed from mostly defacing websites in 2009 to full-blown espionage against Iranian dissidents and U.S. defense firms today. Evidence in the report suggests that Ajax’s methodologies have grown more consistent with other advanced persistent threat (APT) actors in and around Iran following cyber attacks against Iran in the late 2000s.
“There is an evolution underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding its offensive cyber capabilities,” said Nart Villeneuve, senior threat intelligence researcher at FireEye. “We have witnessed not only growing activity on the part of Iranian-based threat actors, but also a transition to cyber-espionage tactics. We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets’ machines for longer-term initiatives.”
The targets of Operation Saffron Rose include Iranian dissidents and U.S. defense organizations. FireEye Labs recently observed the Ajax Security Team conducting multiple cyber-espionage operations against companies in the defense industrial base within the U.S. The group also targets local Iranian users of Proxifier or Psiphon, which are anti-censorship technologies that bypass Iran’s Internet filtering system.
Whether the Ajax Security Team operates in isolation or as part of a larger government-coordinated effort is unclear. The team uses malware tools that do not appear to be publicly available or used by any other threat groups. This group uses varied social engineering tactics to lure targets into infecting their systems with malware. Although FireEye Labs has not observed the Ajax Security Team using zero-day attacks to infect victims, members of the Ajax Security Team have previously used publicly available exploit code to deface websites.
FireEye uncovered information on 77 victims from one command-and-control (CnC) server found while analyzing malware samples disguised as Proxifier or Psiphon. Analyzing data on the victims, FireEye found that a large concentration had their time zones set to “Iran Standard Time” or language set to Persian.
Below is a detailed breakdown of victim data:
Iran has been publicly identified in advanced cyber attacks since 2009, when the plans for a new U.S. presidential Marine Corps One helicopter were found on a file-sharing network in Iran. In 2010, the “Iranian Cyber Army” disrupted Twitter and the Chinese search engine Baidu, redirecting users to Iranian political messages. In 2013 the Wall Street Journal reported that Iranian actors had increased their efforts to compromise U.S. critical infrastructure. Finally, over the past year, another group called Izz ad-Din al-Qassam launched “Operation Ababil,” a series of DDoS attacks against many U.S. financial institutions including the New York Stock Exchange.