The IAEA was established in 1957 as the world's 'Atoms for Peace' organization within the United Nations. It works with the member states to promote safe, secure and peaceful nuclear technologies – but is currently better known for its role in investigating Iran's disputed nuclear intentions.
At the end of last year the organization was breached by an anti-Israel hacking group calling itself Parastoo. 'Parastoo' is Farsi for 'swallow' and also an Iranian girl's name. The clear implication, then, is that Parastoo is an Iranian hacking group; and there seems a similar likelihood that it or another Iranian group is behind the latest hack against the IAEA.
But the organization is giving little away, other than insisting that no sensitive data has been compromised. Serge Gas, the agency's director of public information, told Reuters, "Data from a number of Vienna International Center visitors' USB drives [data memory sticks] is believed to have been compromised," but added, "The [IAEA] secretariat does not believe that the USB devices themselves were infected or that they could spread the malware further. No data from the IAEA network has been affected." The report gives no further information on any suspected adversaries, nor on the malware concerned.
It is common for USB sticks to either cause or spread an infection – but this does not seem to be happening here. Infosecurity asked independent researcher Graham Cluley if he could shed any light. While stressing that it is possible that Reuters lost some details in translation, Cluley notes that "the implication is that there was malware on the computer which scooped up the contents of USB sticks but didn't infect them."
This isn't usual. "Normally malware would attempt to use USB sticks as a distribution mechanism, and also attempt to steal information from the desktop computers as well," he added. One possibility, he continued, is that this reversal of the normal pattern is actually a stealth measure: having infected chosen computers, the malware tried to stay beneath the radar by deliberately not attempting any further infections.
This could make sense, he postulated, if the infected computers were not 'personal' computers, but 'shared' computers; perhaps "computers attached to a particular device like a printer or scanner, which might be used by many people. Or maybe it was a 'sheepdip' computer that the IAEA insisted all incoming USB sticks were checked with, before being allowed on the main network."
Whatever the specific details, said Cluley, the implication is that "perhaps this was a targeted plot to harvest information from users' USB sticks, and not draw attention by spreading or infecting more widely."