
Once ‘Kittens’ in the Cyber Spy World, Iran Gains Prowess: Security Experts – Reuters
By Eric Auchard
FRANKFURT – Hackers likely affiliated with the Iranian government have targeted aerospace and petrochemical firms in Saudi Arabia and the West, indicating a notable increase in Iran’s cyber-espionage capabilities, according to security firm FireEye and other U.S. experts.
In a report released on Wednesday, FireEye identified the hacker group APT33, providing evidence of its operations since 2013 aimed at stealing aviation and military secrets, while also preparing for attacks that could disrupt computer networks entirely.
In a related development, the U.S. Treasury Department last week added two Iran-based hacking networks and eight individuals to its sanctions list, accusing them of taking part in cyber-enabled attacks on the U.S. financial system. Elements of Iran’s Islamic Revolutionary Guard Corps were also named in the designation; no immediate comment was available from the Iranian side.
FireEye identified APT33 after investigating cyberattacks on a U.S. aviation organization, a Saudi business conglomerate with aviation interests, and a South Korean entity focused on oil refining and petrochemicals. Specific company names were not disclosed.
"Iranian fingerprints are all over this campaign, particularly those of government actors," stated John Hultquist, FireEye’s director of cyber espionage analysis. "Currently, we’re observing a lot of activity that appears to be classic cyber espionage."
APT33 is the first state-sponsored Iranian group to be recognized in FireEye’s extensive database of cyber espionage campaigns conducted by groups from China, Russia, and North Korea. APT stands for "Advanced Persistent Threat."
Hultquist noted that APT33 shares some tools with approximately 15 other Iranian-affiliated hacking groups but appears distinct from those organizations, which go by names such as "Shamoon" (after the disk-wiping malware of the same name), "RocketKitten," and "Charming Kitten." The "Kitten" moniker, experts say, originally reflected a low opinion of Iran’s hacking capabilities.
Many cybersecurity analysts have commented on the increasing sophistication and professionalism in Iran’s cyber-espionage efforts. Frank Cilluffo, director of George Washington University’s Center for Cyber and Homeland Security, remarked, "In recent years, Iran has heavily invested in enhancing their computer network attack and exploit capabilities." Cilluffo, a former homeland security advisor to President George W. Bush, had estimated last year that Iran’s cyber budget increased significantly during President Rouhani’s term, positioning Iran as a "top five world cyber-power."
"They are integrating cyber operations into their military strategy and doctrine," he noted.
FireEye reported that the attacks against Saudi and South Korean targets occurred as recently as May, utilizing phishing tactics that included posting fake job openings in the Saudi oil sector to entice corporate victims.
In Singapore, FireEye Chief Executive Kevin Mandia stated that Iranian cyber espionage has become more sophisticated since he first observed basic attacks conducted by Iran against the U.S. State Department in 2008. "They’re capable. They have a real capacity there," Mandia said, indicating that Iran now ranks alongside China and Russia in terms of the frequency of cyber-attacks against Western companies and governments.
The expansion of Iran’s cyber capabilities followed the "Stuxnet" worm, discovered in 2010 and widely attributed to the United States and Israel, which targeted Iran’s nuclear program.
FireEye’s evidence linking Iran to the recent aviation attacks included Farsi-language artifacts in the malware and operational timing that tracked Iran’s Saturday-to-Wednesday work week, with Thursdays off, among other indicators.
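The work-week observation above is a standard attribution technique: convert attacker activity timestamps to a candidate local time zone, count events per weekday, and see which work-week pattern they fit. The following is an added example, not code from FireEye’s report or the Reuters article; the check-in times it profiles are constructed for illustration and are not APT33 data, and the candidate work-week table and the +03:30 fixed offset for Tehran are assumptions of the example. Timing evidence is weak on its own (operators can shift hours, automate tasks, or work from elsewhere), so it is only ever one indicator among several.

```python
"""Profile attacker activity by local weekday to infer an operator work week.

Added example, not FireEye's or Reuters' code. All timestamps below are
constructed for illustration; none are real APT33 observations.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: a fixed +03:30 offset stands in for Asia/Tehran so the example
# runs without a tz database. Real analysis should use zoneinfo with DST rules.
TEHRAN = timezone(timedelta(hours=3, minutes=30), name="UTC+03:30")

# Candidate work weeks as sets of Python weekday() values (Mon=0 ... Sun=6).
# Assumption of the example; extend with whatever patterns you want to test.
WORK_WEEKS = {
    "Mon-Fri (Western)": {0, 1, 2, 3, 4},
    "Sat-Wed (Iran, Thu/Fri off)": {5, 6, 0, 1, 2},
    "Sun-Thu (Gulf states)": {6, 0, 1, 2, 3},
}


def weekday_histogram(utc_timestamps, tz):
    """Count events per weekday after converting each UTC timestamp into tz.

    Converting first matters: an event late on Thursday evening local time may
    already be Friday in UTC, which would silently distort the profile.
    """
    counts = Counter()
    for ts in utc_timestamps:
        counts[ts.astimezone(tz).weekday()] += 1
    return counts


def score_work_weeks(histogram):
    """Return, per candidate pattern, the fraction of events inside its workdays."""
    total = sum(histogram.values())
    if total == 0:
        raise ValueError("no events to profile")
    return {
        name: sum(histogram[d] for d in days) / total
        for name, days in WORK_WEEKS.items()
    }


def best_fit(utc_timestamps, tz):
    """Name and score of the work-week pattern that best explains the activity."""
    scores = score_work_weeks(weekday_histogram(utc_timestamps, tz))
    name = max(scores, key=scores.get)
    return name, scores[name]


def constructed_sample(weeks=4):
    """Constructed C2 check-in times for an operator keeping Sat-Wed office hours.

    Not real data: three check-ins per workday at 09:00, 12:00 and 15:00 local,
    plus one stray late-evening Thursday event, all stored in UTC as a log would.
    """
    start = datetime(2017, 5, 6, tzinfo=TEHRAN)  # 6 May 2017 is a Saturday
    events = []
    for day in range(weeks * 7):
        d = start + timedelta(days=day)
        if d.weekday() in WORK_WEEKS["Sat-Wed (Iran, Thu/Fri off)"]:
            for hour in (9, 12, 15):
                events.append(d.replace(hour=hour).astimezone(timezone.utc))
    stray = datetime(2017, 5, 11, 23, 0, tzinfo=TEHRAN)  # a Thursday night
    events.append(stray.astimezone(timezone.utc))
    return events


if __name__ == "__main__":
    sample = constructed_sample()
    hist = weekday_histogram(sample, TEHRAN)
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    for wd in range(7):
        print(f"{names[wd]}: {hist[wd]:3d} {'#' * hist[wd]}")
    for pattern, frac in score_work_weeks(hist).items():
        print(f"{pattern:30s} {frac:.3f}")
    print("best fit:", best_fit(sample, TEHRAN))
```

In practice the timestamps come from C2 server logs, PE compile times, or commit and build metadata in recovered tooling; run the same profile against several candidate time zones and only treat the result as supporting evidence when the hour-of-day distribution also lines up with office hours in that zone.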
Although FireEye found some connections between APT33 and the Nasr Institute—an entity associated with the Iranian Cyber Army, an offshoot of the Revolutionary Guards—it has yet to establish any ties to a specific government agency.
Hultquist indicated that APT33 has built destructive capability into the malware it uses, although there is no evidence so far that this capability has been triggered. Nevertheless, FireEye expects it to be only a matter of time before the group moves from intelligence gathering to inflicting significant damage.
Adam Meyers, vice president at CrowdStrike, another leading U.S. cybersecurity firm, noted a significant increase in Iranian attacks on Saudi Arabia since the previous year. He pointed to the "Shamoon" attack of five years ago, which wiped computers at the oil giant Saudi Aramco and Qatar’s RasGas, as a precursor to the more sustained operations carried out against Saudi Arabia since 2016.
"This ongoing campaign has been conducted against the Saudi government, related entities, and the telecom sector in a manner that aims to destabilize the Saudi regime," Meyers said.