The Ajax Security Team is at issue here, a group that began life performing hacktivist-style website defacements before 2010. But as of 2014, it has transitioned to stealthy, malware-based espionage activity. Evidence in FireEye's report suggests that Ajax’s methodologies became more consistent with other APT actors in the Iranian region following cyber events against Iran in the late 2000s.
“There is an evolution underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding its offensive cyber capabilities,” said Nart Villeneuve, senior threat intelligence researcher at FireEye, in a statement. “We have witnessed not just growing activity on the part of Iranian-based threat actors but also a transition to cyber-espionage tactics. We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets’ machines for longer-term initiatives.”
The targets of Operation Saffron Rose include Iranian dissidents and US defense organizations. And, FireEye Research Labs said that it has recently observed the Ajax Security Team conducting multiple cyber-espionage operations against companies in the defense industrial base (DIB) within the US, as well as targeting local Iranian users of Proxifier or Psiphon, which are anti-censorship technologies that bypass Iran’s Internet filtering system. The firm uncovered that Ajax has become the first Iranian hacking group known to use custom-built malicious software to launch espionage campaigns.
“It is unclear whether the Ajax Security Team operates in isolation or if they are a part of a larger coordinated effort on the part of the Iranian government,” FireEye said. “The team itself uses malware tools that, based on FireEye research, do not appear to be publicly available or in use by any other threat groups. Although we have not observed the Ajax Security Team using zero-day attacks as a means to infect victims, members of the Ajax Security Team have previously used publicly available exploit code in website defacement operations.”
This group also leverages varied social engineering tactics as a means to lure their targets into infecting themselves with malware.
It’s also clear that the group attacks within its own borders: FireEye uncovered information on 77 victims from one command-and-control server that was found while analyzing malware samples disguised as anti-censorship tools commonly used by Iranians. Analysis of data on the victims showed a large concentration had either their time zones set to “Iran Standard Time” or had their language settings set to Persian.
All of this is a massive evolution for Iranian hacking. “The capabilities of threat actors operating from Iran have traditionally been considered limited,” FireEye said in the report. “However, the Shamoon attacks, which wiped computers in Saudi Arabia and Qatar, indicate an improvement in capabilities. And unsurprisingly, Iran has reportedly increased its efforts to improve offensive capabilities after being targeted by Stuxnet and Flame.”
The Stuxnet malware used to disrupt Iran's nuclear program in 2009/2010 is believed to be state-sponsored, originating from Israel and the US. Discovered in July 2010, the virus targeted Siemens industrial software to throw various wrenches into the operations of the Natanz uranium enrichment facility in Iran, taking thousands of machines offline. On Christmas Day 2012, reports emerged that Iran had successfully repelled a new Stuxnet attack, this time primarily aimed at an electricity utility in the southern province of Hormozgan.
Since then the activity has ramped up: In August of 2012 Saudi Aramco, the national energy company of Saudi Arabia and one of the largest oil producers in the world, found itself with 30,000 workstations in need of repair after the Shamoon wiper malware compromised security for about 75% of its terminals. A hacktivist group going by the ominous name of “the Cutting Sword of Justice” claimed responsibility for the attacks, and it’s believed that the group originated in Iran. The group claimed to have “shut down the world’s largest oil company,” and with some glee accused the Saudi government of supporting "crimes and atrocities" in countries such as Syria and Egypt, and working against the Arab Spring movement while revolutions continued to spark on.
In 2013 the Wall Street Journal reported that Iranian actors had increased their efforts to compromise US critical infrastructure. And over the past year, another group called Izz ad-Din al-Qassam launched “Operation Ababil,” a series of DDoS attacks against many US financial institutions, including the New York Stock Exchange.
“The increased politicization of the Ajax Security Team, and the transition from nuisance defacements to operations against internal dissidents and foreign targets, coincides with moves by Iran aimed at increasing offensive cyber capabilities,” FireEye said. “While the relationship between actors such as the Ajax Security Team and the Iranian government is unknown, their activities appear to align with Iranian government political objectives.”
It added, “We believe that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term.”