US CISA and Iranian Hackers Exchange Cyber Attacks

US CISA Warns of Iranian Cyber Attack Threat

U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs posted a warning about an increase in Iranian cyber attacks against the United States. CISA warns of a “recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.” The CISA Director’s warning was posted on his Twitter account.

Iranian hackers are using wiper tools rather than ransomware, spyware or other less harmful malware on targeted networks and computers. Wiper tools are destructive malware that completely delete computer files or damage a network, leaving no way to recover the data unless a backup exists. Cyber researchers at FireEye, CrowdStrike and Dragos Inc. have all reported an increase in phishing emails sent to US targets. The hackers are believed to be Advanced Persistent Threat 33 (APT33). Hacking group APT33 is also known as Magnallium or Refined Kitten.

CISA Director Chris Krebs post

The cyber and phishing attacks come amidst escalating tension between the United States and Iran.

US Cyber Attacks on Iran

The United States claimed responsibility for its own retaliatory cyber attack on Iran. The US cyber attacks were launched by US Cyber Command and were targeted at an intelligence group connected to the Iranian Revolutionary Guard, with the intention of crippling Iran’s rocket launch systems involved with the bombing of two oil tankers last week.


Iranian official Mohammad Javad Azari Jahromi, Iran’s minister for information and communications technology, admitted to the cyber attacks and posted about them on Twitter: “They try hard, but have not carried out a successful attack.” He went on to say that, “Last year we neutralized 33 million attacks with the (national) firewall.”

MuddyWater Iranian Hacking Group

Iranian government-backed hacking group MuddyWater, also called SeedWorm, supplemented its techniques with two new tactics. MuddyWater is using Microsoft Word documents containing malicious macros that drop payloads onto victims via compromised servers. The hacking group is also using the CVE-2017-0199 exploit, also known as the Microsoft Office/WordPad Remote Code Execution Vulnerability with Windows API.

MuddyWater targets the telecommunication industry and government organizations. The group is known to actively impersonate government accounts.

CVE-2017-0199 is not a new security vulnerability. A hacker who exploits the CVE-2017-0199 vulnerability can take control of a computer system and install malware, view or delete data, or grant themselves admin access to the device. The cyber attack is initiated with a phishing email that tricks the recipient into opening a malicious email attachment. To guard against the cyber attack, Microsoft Office and WordPad should be kept up to date with the latest security patches.
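A defender-side triage check for the two attachment types described above (Word documents carrying a VBA macro project, and documents whose embedded object is pulled from a remote server when opened), added here as an example; it is not code from the article or from any vendor it cites. It assumes Office Open XML (.docx/.docm) input, builds its own constructed sample archives, and uses a placeholder URL.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package parts that indicate active or externally linked content.
MACRO_PART = "word/vbaProject.bin"
RELS_PART = "word/_rels/document.xml.rels"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
HYPERLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/hyperlink")


def external_object_links(rels_xml: bytes) -> list:
    """Targets of non-hyperlink relationships marked TargetMode="External".
    An object fetched from a remote host at open time deserves a closer look."""
    links = []
    for rel in ET.fromstring(rels_xml).iter(RELS_NS + "Relationship"):
        if rel.get("TargetMode") == "External" and rel.get("Type") != HYPERLINK_TYPE:
            links.append(rel.get("Target"))
    return links


def triage_word_attachment(data: bytes) -> dict:
    """Flag a .docx/.docm held in memory: VBA project present, remote objects."""
    result = {"is_ooxml": False, "has_macros": False, "external_objects": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["is_ooxml"] = "[Content_Types].xml" in names
            result["has_macros"] = MACRO_PART in names
            if RELS_PART in names:
                result["external_objects"] = external_object_links(zf.read(RELS_PART))
    except zipfile.BadZipFile:
        pass  # legacy .doc and RTF are not zip containers; triage those separately
    return result


def build_sample(parts: dict) -> bytes:
    """Constructed test data: a minimal OOXML-shaped archive plus extra parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed relationships part with an externally sourced OLE object (placeholder URL).
LINKED_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/oleObject" Target="http://example.invalid/doc.rtf" TargetMode="External"/>'
    '</Relationships>'
)
```

A mail gateway would run `triage_word_attachment` on each decoded attachment and quarantine anything with `has_macros` or a non-empty `external_objects` list for analyst review.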

What are Advanced Persistent Threat Groups?

Advanced Persistent Threat Groups (APT) are organized hacking groups that are often state-sponsored. These hacking groups are assigned numbers to keep track of their progress and hacking techniques. APT groups are responsible for some of the largest and most successful cyber attacks in the world. The hacking groups are also given names by private cyber security researchers to avoid offending governments by calling out the attacking agency. The US government-backed APT group is called Equation Group. APT groups generally work with a “low and slow” strategy: rather than attacking a large volume quickly, they work to remain undetected for long periods of time while gathering data or money. Many APT groups have gone undetected for years before discovery.

What Is the Main Goal of An APT Attack?

Advanced Persistent Threat cyber attacks target corporations and government agencies usually to fund activities or gather sensitive data. APT groups conduct corporate and government espionage on behalf of their sponsoring government entity. They also fund other activities by siphoning money from large corporations. APT groups tend to specialize or focus on a few industries or governments. Most APT attacks begin with social engineering to obtain login credentials.

Are Advanced Persistent Threats Fully Automated?

Advanced Persistent Threats are not fully automated. They require a level of skill and IT network knowledge. Although part of an APT cyber attack may be automated so that intelligence can be gathered over long periods of time, hackers must continually hone their skills to circumvent new cyber security protocols and defenses.

What is Malware?

Malware is any unwanted program or app on a computer, hardware, device, or IT system. Malware includes ransomware, adware, spyware, malicious macros and executable files. The goal may be to take over a device or system. Often, identity theft or credential phishing are part of the strategy.