Newly uncovered Iranian cyber espionage could pose a ‘real threat’ to Israel



Iranian threat actors are carrying out a highly targeted cyber espionage operation against global aerospace and telecommunications companies, stealing sensitive information from targets in Israel and the Middle East, as well as in the United States, Russia and Europe, according to a report released Wednesday by Israeli cybersecurity firm Cybereason.
Cybereason identified the previously unknown state actor, dubbed MalKamak, running a sophisticated new form of malware during an incident response engagement for one of its clients, said Assaf Dahan, head of the Cyber Threat Research Group at Cybereason.

The campaign has been running since at least 2018 and has likely collected large amounts of data from carefully chosen targets, Dahan said.

“The investigation began after Cybereason’s incident response research team was called in to assist one of the attacked companies,” Dahan said. “During the incident and after installing our technology on the organization’s computers, we identified sophisticated and new damage that has not yet been observed or documented. Extensive investigative work revealed that this was only part of an entire Iranian intelligence campaign conducted in secret and under the radar over the past three years.

“From the few traces left by the attackers, it is clear that they acted with caution and carefully selected their victims. It is a sophisticated Iranian attacker who acted professionally with a thoughtful and calculated strategy. The potential risk inherent in such a campaign of assault is great and significant for the State of Israel and may pose a real threat.”

The Cybereason team in its Tel Aviv office. (credit: CHEN GALILI)

“It was a very sophisticated operation that has all the hallmarks of a state-sponsored attack,” Dahan said. “While other Iranian groups are involved in more destructive acts, this one focuses on information gathering. The fact that they were able to stay under the radar for three years shows their level of sophistication. We estimate that they have been able to exfiltrate large amounts of data over the years – gigabytes or even terabytes. We don’t know how many victims there were before 2018.”

Affected organizations and the relevant security officials have been notified of the attack, but the extent of the actual damage has not yet been determined, Cybereason said.

The campaign relies on a highly sophisticated and previously unknown Remote Access Trojan (RAT) nicknamed ShellClient, which evades antivirus tools and other security products and abuses the Dropbox public cloud service for command and control (C2), according to the report. The authors of ShellClient have invested heavily in stealth: the malware uses several obfuscation techniques to escape detection by antivirus and other security tools, and recently gained a Dropbox client for command and control, so that its C2 traffic blends in with legitimate use of a trusted cloud service and is very difficult to detect.

“The malware has evolved a lot over the years,” noted Dahan. “In 2018 the code was very simple, but it has become very sophisticated. Earlier this year, the group ditched their old server infrastructure and replaced it with Dropbox file hosting, a simple way to hide it in plain sight. In recent years, we see more and more cyber threat actors abusing different cloud services like Google Drive, Dropbox and GitHub because they provide the perfect camouflage. Although, once we know what we’re looking for, it’s easier to find other things.”

Using the ShellClient RAT, the threat actor also deployed additional attack tools to perform various espionage activities on targeted networks, including further reconnaissance, lateral movement within the environment, and the collection and exfiltration of sensitive data.

The threat, which is still active, has been observed primarily in the Middle East, but has also been seen targeting organizations in the United States, Russia and Europe, with a focus on the aerospace and telecommunications industries.

The investigation reveals possible links to several Iranian state-sponsored threat actors, including Chafer APT (APT39) and Agrius APT, according to the report. This follows Cybereason’s August publication of the DeadRinger report, which uncovered several Chinese APT campaigns targeting telecom providers.
