A group of Iranian hackers have allegedly been targeting American defense contractors, and attempting to quell dissent in Iran itself, in an elaborate and technically advanced campaign that American security researchers call "Operation Saffron Rose." The attacks began in October 2013 and continued until at least April 8, according to Milpitas, California-based security company FireEye, which documented the operation in a report released yesterday (May 13).
FireEye suspects that the group behind Saffron Rose is Ajax Security Team, whose members are thought to have conducted politically-motivated website defacements for several years. The group's "graduation" from vandalism to espionage shows that Iranian actors in the cyber attack space are becoming more sophisticated, FireEye says.
In a report on Saffron Rose, FireEye researchers wrote that Ajax Security Team uses a combination of fake login pages, phishing emails and custom-built malware to steal login credentials and other data. In one attack, the group targeted U.S.-based aerospace companies by creating a fake registration page for the 2014 IEEE Aerospace conference.
Employees of the targeted company were sent email messages prompting them to register for the conference. If recipients followed the links in the messages to the fake page, they would be prompted to download software purporting to be a proxy needed to access the site.
The "proxy software" was, of course, malicious.
According to FireEye, Ajax Security Team often uses a type of spyware that FireEye calls "Stealer." Stealer often arrives as a Trojan horse, secretly bundled into other software such as proxies or VPN clients.
Once a target installs an infected program, Stealer runs a program called IntelRS.exe, which snoops on infected computers in a variety of ways. These methods include keylogging, taking screenshots, gathering system information (IP addresses, usernames, hostnames, open ports, installed applications), collecting email and instant messaging information, and collecting browser-based information such as login credentials, browsing history, cookies and bookmarks.
Stealer encrypts the data it gathers, then sends it to a command-and-control server. FireEye said one such server contained information on 77 individuals targeted in Operation Saffron Rose.
Many of the programs used to conceal Stealer are anti-censorship programs such as Psiphon, which don't seem to be targeted toward the American defense companies that have been Ajax Security Team's most recent targets. (One of Psiphon's lead developers at the University of Toronto was Nart Villeneuve, who went on to become a malware researcher and is lead author of FireEye's Saffron Rose report.)
The anti-censorship programs often appeared to be set to Iran Standard Time (which is uniquely three and a half hours ahead of Greenwich Mean Time) and had a Persian-language setting. FireEye believes that Ajax Security Team may also be targeting Iranians who use anti-censorship programs to dodge Iran's strict Internet regulations.
Interestingly, FireEye's report observed that Ajax Security Team has not been spotted using zero-day exploits, or secret vulnerabilities in program code, although the team has been seen using publicly known and unpatched exploits in its cybervandalism activities.
"It is unclear if they or other Iranian actors are capable of producing or acquiring exploit code," FireEye's researchers wrote.
FireEye's report compared Saffron Rose to Shamoon, a highly destructive espionage campaign that targeted the Saudi Arabian oil company Saudi Aramco in August 2012. The Shamoon spyware gathered company data from infected computers, then disabled them by overwriting their master boot records, which PCs need to start up. Some experts suspected Shamoon came from Iran, but nothing has been proven.
The relationship between Ajax Security Team and the Iranian government is unclear, but FireEye said that Saffron Rose is proof that Iran's online capabilities are becoming more sophisticated.
"There is increasing evidence to suggest that the hacker community in Iran is engaged in a transition from politically motivated defacements and denial-of-service attacks to cyberespionage activities," its report concluded.