Cybersecurity firm FireEye warned on Tuesday that Iranian hacking activity increased significantly after President Donald Trump withdrew the United States from the Iran nuclear deal. The firm tracked an especially vigorous “cyberespionage” effort against targets in the Middle East, U.S., and Japan through the month of July.
According to FireEye, the Iranian hackers belong to a discrete but still-anonymous group designated Advanced Persistent Threat 33. The group specializes in “phishing” emails designed to trick victims into revealing sensitive information or downloading malicious code by responding to phony job openings.
APT33 has been on FireEye’s radar screen since 2013, when it emerged as a more subtle and pernicious threat than high-profile Iranian groups known for their attacks on other Persian Gulf states. In September 2017, FireEye said APT33 was especially interested in military and civilian aviation companies and the energy industry, including oil companies.
The 2017 threat report judged APT33 was interested in helping Iran maintain an edge against Saudi Arabia’s civilian and military aviation capabilities and weakening Saudi petrochemical companies to make Iran more competitive. Phishing attacks with phony job offerings have long been a favored technique of the group.
“Whenever we see Iranian threat groups active in this region, particularly in line with geopolitical events, we have to be concerned they might either be engaged in or pre-positioning for a disruptive attack,” FireEye’s Alister Shepherd told the Associated Press on Tuesday.
Iranian hackers have been known to use extremely destructive malware. A virus attack in 2012 blamed on Iran by U.S. intelligence was arguably the most destructive hack the world has seen to date, damaging or destroying 35,000 computers used by the Saudi national oil company and jeopardizing ten percent of the world’s oil supply. Computers the virus damaged were compelled to display an image of a burning American flag.
Analysts judged the financial damage from the attack would have bankrupted almost any company except the titanic Saudi Aramco, which got through the ordeal by banging out its business correspondence on typewriters and stuffing it into fax machines.
Another strain of the same brutally effective cyberweapon was deployed against Saudi corporations and government agencies in 2016, including the kingdom’s aviation authority.
The July cyberattack does not appear to have been destructive in nature, but according to FireEye it was a major escalation, representing a surge of over 1,000 percent in APT33’s hacking activity. Clues to the hackers’ identity included their penchant for using Farsi in their code, observing the Iranian workweek of Saturday through Wednesday, and corresponding with each other during what would be standard office hours in Iran.
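The workweek and office-hours clues mentioned above are a standard timeline-analysis heuristic: convert every observed event time to the suspected operator's local time zone and see which workweek pattern the activity fits best. The script below is an added illustration of that method, not FireEye's tooling or data; the event timestamps are constructed for the example, and the office-hours window (08:00 to 17:59 local) is an assumption.

```python
"""Timeline profiling of attacker activity timestamps (added example, not FireEye's tooling)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    TEHRAN = ZoneInfo("Asia/Tehran")
except Exception:
    # No tz database available: fall back to Iran's summer-time offset (UTC+04:30),
    # which is correct for the July 2018 sample below but not for winter dates.
    TEHRAN = timezone(timedelta(hours=4, minutes=30))

DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # index = datetime.weekday()
WORK_HOURS = range(8, 18)  # assumed office hours, 08:00-17:59 local time

# Two competing workweek hypotheses, expressed as sets of datetime.weekday() values.
HYPOTHESES = {
    "iran_sat_wed": {5, 6, 0, 1, 2},  # Saturday through Wednesday (Iranian workweek)
    "west_mon_fri": {0, 1, 2, 3, 4},  # Monday through Friday
}

# Constructed sample of UTC event times, as an analyst might collect them from
# phishing-mail headers or C2 check-in logs. Not real APT33 data.
SAMPLE_UTC = [
    "2018-07-07T04:30:00Z",  # Sat 09:00 Tehran
    "2018-07-07T07:15:00Z",  # Sat 11:45 Tehran
    "2018-07-14T05:30:00Z",  # Sat 10:00 Tehran
    "2018-07-08T05:00:00Z",  # Sun 09:30 Tehran
    "2018-07-15T08:00:00Z",  # Sun 12:30 Tehran
    "2018-07-09T09:45:00Z",  # Mon 14:15 Tehran
    "2018-07-10T03:30:00Z",  # Tue 08:00 Tehran
    "2018-07-11T11:30:00Z",  # Wed 16:00 Tehran
    "2018-07-11T06:00:00Z",  # Wed 10:30 Tehran
    "2018-07-12T06:00:00Z",  # Thu 10:30 Tehran (outside the Iranian workweek)
    "2018-07-13T07:00:00Z",  # Fri 11:30 Tehran (outside the Iranian workweek)
    "2018-07-14T20:00:00Z",  # Sun 00:30 Tehran (workday, but outside office hours)
]


def to_tehran(ts_utc):
    """Parse an ISO-8601 UTC timestamp and convert it to Tehran local time."""
    return datetime.fromisoformat(ts_utc.replace("Z", "+00:00")).astimezone(TEHRAN)


def profile(timestamps):
    """Count events per local weekday and per local hour."""
    by_day, by_hour = Counter(), Counter()
    for ts in timestamps:
        local = to_tehran(ts)
        by_day[DAY_NAMES[local.weekday()]] += 1
        by_hour[local.hour] += 1
    return by_day, by_hour


def workweek_fit(timestamps, workdays, hours=WORK_HOURS):
    """Fraction of events that fall inside the hypothesised workday/office-hour window."""
    if not timestamps:
        return 0.0
    hits = 0
    for ts in timestamps:
        local = to_tehran(ts)
        if local.weekday() in workdays and local.hour in hours:
            hits += 1
    return hits / len(timestamps)


def rank_hypotheses(timestamps, hypotheses=HYPOTHESES):
    """Return (name, fit) pairs, best-fitting workweek hypothesis first."""
    scored = [(name, workweek_fit(timestamps, days)) for name, days in hypotheses.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    days, _hours = profile(SAMPLE_UTC)
    print("events per Tehran weekday:", dict(days))
    for name, fit in rank_hypotheses(SAMPLE_UTC):
        print(f"{name}: {fit:.0%} of events inside the workday window")
```

On the constructed sample the Saturday-to-Wednesday hypothesis covers three quarters of the events while Monday-to-Friday covers half, which is the kind of contrast an analyst looks for. Timestamps can be forged or skewed by the attacker's infrastructure, so this heuristic only supports attribution when it lines up with independent clues such as the language artifacts in the code mentioned above.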
Iran’s representatives at the United Nations, which is holding its General Assembly this week, denounced the FireEye report as “categorically false” and insisted the Islamic Republic’s cyberwarfare capabilities are “purely defensive.”
The Iranians suggested companies like FireEye are making false claims to gin up new business for their services.
“We are confident in the Iranian government link, this is based on four years of tracking activity,” Shepherd countered at a briefing in Dubai. He suggested the Iranian hackers are either trying to steal intellectual property or setting up retaliatory attacks for U.S. sanctions.
FireEye uncovered an Iranian network of “fake news websites and fraudulent social media personas spread across Facebook, Instagram, Twitter, Google Plus, and YouTube” in August. Facebook, Twitter, and other social media companies removed hundreds of accounts allegedly tied to the network in response.