Iran’s state-sponsored hacker groups up the ante

In recent months we have seen an increase in the number of damaging cyber attacks carried out by hacker groups believed to be affiliated with the Iranian state.

For example, APT33, a group of hackers linked to the Iranian government, launched a large-scale spear-phishing campaign in July this year, targeting firms in the USA and Japan in what was probably a response to upcoming sanctions on Iranian oil companies. The energy sector appeared to have been particularly badly hit. APT33 has been in operation since 2013. It is thought to be state-sponsored, and targets organisations in the aviation (military and civil) and energy sectors, particularly those with ties to the petrochemical industry located in the USA, Saudi Arabia and South Korea.

Meanwhile, nine employees (believed to be part of the CobaltDickens hacker group) based at Iran’s Mabna Institute were indicted by the US department of Justice earlier this year, amid allegations that they had carried out attacks against universities in a range of countries, including the UK, US and Singapore. The indictment appears to have had little impact, as the group has reportedly continued to register domains and to carry out further attacks.

OilRig is another prominent Iran-sponsored group. It is thought to have been active since at least 2015 and has focused on targeting financial and government sectors across the US and Middle East. Most recently, it was reported that it had been distributing the OopsIE malware and SpyNote mobile remote access Trojan for Android.

Other groups include LeafMiner (which has recently targeted petrochemical, financial, government, telecom, shipping and transportation verticals in Saudi Arabia, Israel, Kuwait and Lebanon); Greenbug (which attacked Dubai media and government organisations in June this year); Chrysene (seen targeting industrial networks of companies in both the Middle East and the UK in May); and APT34 (focusing on organisations in the financial, government, energy, chemical, and telecommunications sectors, primarily in the Middle East).

Hacktivists associated with FlyingKitten (aka CharmingKitten) and RocketKitten appear to concentrate more on individuals of interest to Iran, such as academics, dissidents, journalists or human rights activists based abroad.

While various other groups have also been identified, it is worth noting that there may be many more that we do not yet know about: it is certainly possible that much of the work involved in such hacking campaigns may have been sub-contracted out to smaller groups via Darknet marketplaces and forums.

Whatever the names given to them, or the links that can be demonstrated between these groups, it would appear that they are becoming more active and are targeting a range of industrial or state-owned sectors with a broad array of highly damaging malware, despite denials of such actions by both the Iranian government and media or academic commentators. Indeed, while much research in the West has centred on the activities of these state-sponsored groups, criticisms have also been voiced that the studies are biased and actually aim to promote fear as a business strategy; in other words, they could be construed as a PR exercise designed by cyber security companies to attract more clients. This type of ‘false-flag’ critique is actually nothing new. Both government representatives and citizens of so-called ‘enemy’ states such as Russian, Iran or North Korea have all routinely denied responsibility for cyber attacks – and of course for events taking place in the ‘real’ world too: the Skripal poisonings and the assassination of Kim Jong-un’s half-brother spring to mind.

There is little doubt, however, that state-sponsored hacker groups are highly active and pose a very serious threat. In the case of the Iranian groups, which have been the focus of this article, businesses operating in the energy sector seem to be at particular risk of attack: Iran’s economy is heavily based on oil and gas.

The country’s state-sponsored hacker groups will certainly be engaged in cyber espionage activities against rival organisations in efforts to glean information about a variety of issues, including technological developments, future exploration plans, contracts, business networks and financial matters. But the threat does not end there. Competitors in the energy sector could be targeted in attempts to damage operations, as happened back in 2012, when Iran was widely blamed for launching the Shamoon virus, which hit Saudi Arabia’s Aramco and led to the infection of 30,000 computers at the company. In 2017 Shamoon 2 was identified, with hackers accessing 15 Saudi Arabian organisations via spear-phishing emails, attacks again attributed to Iran, this time by the hacker group Timberworm.

What makes this issue particularly pertinent as we move towards the end of 2018 is President Donald Trump’s announcement in May of the withdrawal of the US from the Iran nuclear deal – the Joint Comprehensive Plan of Action (JCPOA). New economic sanctions are due to be levied, taking full effect in November. Iran’s port, shipping and shipbuilding industries will all be affected, along with the oil and petroleum market. There will also be an impact on the country’s financial sector, with severe consequences for the economy.

This is a very complicated issue, and involves not only the US, but also the UK, the EU, France, China, Russia and Germany, which are all resisting pressure from Trump to implement his sanctions. If they do acquiesce to his demands, organisations in those countries or regions – as well as in the Middle East – could all come under attack from Iranian state-sponsored groups. While companies involved in the oil and petrochemical sector and their third-party suppliers are most at risk, other critical infrastructure could also be targeted.

The impact of such attacks cannot be over-stated.

Scroll to Top