ZDNet discusses how Iranian hackers are breaching Singapore universities to access research data:
At least 52 accounts were affected across the Nanyang Technological University (NTU), National University of Singapore (NUS), Singapore Management University, and Singapore University of Technology and Design, according to a joint statement Tuesday by Cyber Security Agency of Singapore (CSA) and Ministry of Education (MOE).
Hackers had used phishing attacks to harvest credentials from affected staff members and used these to gain access to the institutes’ online libraries and research articles published by the academic staff.
Based on their investigations, CSA and MOE said no sensitive data had been stolen and the attacks did not appear to be linked to the APT attacks against NUS and NTU last year.
They were, however, believed to be part of last month’s attacks against education institutions worldwide including 144 universities in the US, after which the US Deputy Attorney General unveiled a series of indictments and financial sanctions against Iranians. The US government had identified nine Iranians thought to be part of the cyberattacks.
Iran is stepping up its cyber attack profile, hitting more locations outside its immediate vicinity. It is interesting to witness Iran maturing from a strong localized actor to a more globalized one. The success of Chinese, Russian, and North Korean state-backed actors is likely motivation enough for Iran, which wants to be recognized as a world cyber power.
In addition, Iran is well behind the rest of the globe in research. Much like China, which primarily leverages cyber attacks for economic gain to forgo the time and money otherwise spent on research and development, Iran possibly sees the benefit of such an approach. By stealing intellectual property from research institutions like major universities, Iran could potentially gain an economic advantage, or even a military one, depending on the application of the data it is focusing on collecting.
Science is reporting on a major economic-focused cyber campaign alleging Iran breached 320 universities, government, and other companies for the purpose of stealing research:
Nine Iranians working on behalf of the Islamic Revolutionary Guard Corps hacked the computers of 7998 professors at 320 universities around the world over the past 5 years, an indictment filed by a federal grand jury alleges. The hackers stole 31.5 terabytes of documents and data, including scientific research, journals, and dissertations, the indictment alleges. Their targets also included the United Nations, 30 U.S. companies, and five U.S. government agencies.
The “massive and brazen cyber assault” is “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice,” U.S. Attorney Geoffrey Berman of the Southern District of New York, where the indictment was filed, said at a press conference this morning. The hacks came to light through investigations by the Federal Bureau of Investigation and reports from victims. “The hackers targeted innovations and intellectual property from our country’s greatest minds,” Berman said, adding that they went after data and research from many fields.
According to the indictment, 3768 of the hacked professors were at 144 U.S. universities, and the attackers stole data that cost these institutions about $3.4 billion to “procure and access.” The accused allegedly set up an institute in Iran called Mabna that coordinated and paid for the hacks. The defendants then sold the stolen data through two websites, Gigapaper and Megapaper. The institute, the indictment says, aimed to “assist Iranian universities, as well as scientific and research organizations, to obtain access to non-Iranian scientific resources.”
The indicted Iranians are not in the United States, so this legal maneuver likely means very little. Although the indictment carries weight in countries where the US has extradition treaties, these Iranians are probably in no jeopardy of being caught or having their lives ruined. So the indictment was largely a political move more than anything.
Iran has been in the news a few times lately, and it appears they are attempting to step up their cyber operations. This is the first time I have heard of Iran hacking for economic reasons rather than politically or militarily oriented attacks.
The Washington Post reports the Trump administration announced sanctions and criminal indictments against an Iranian hacker network allegedly involved in “one of the largest state-sponsored hacking campaigns”:
Nine of 10 named individuals were connected to the Mabna Institute, a Shiraz-based tech firm that the Justice Department alleged hacks on behalf of Iranian universities and the IRGC. The institute conducted “massive, coordinated intrusions” into the computer systems of at least 144 U.S. universities and 176 foreign universities in 21 countries, including Britain and Canada, officials said.
The hackers stole more than 31 terabytes of data and intellectual property — the rough equivalent of three Libraries of Congress — from their victims, prosecutors alleged. Much of it ended up in the hands of the IRGC, which has frequently been accused of stealing information to further its own research and development of weaponry. The Guard Corps is the division of Iran’s security forces charged with overseeing Iranian proxy forces abroad and is under the direct control of the country’s religious leaders.
“Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code,” said Geoffrey S. Berman, U.S. attorney for the Southern District of New York.
“Iran is engaged in an ongoing campaign of malicious cyberactivity against the United States and our allies,” said Sigal Mandelker, the Treasury Department’s undersecretary for terrorism and financial intelligence. “We will not tolerate the theft of U.S. intellectual property or intrusion into our research institutions and universities.”
Although lately there is a lot of news about Russian state sponsored cyber attacks, make no mistake, Russia is not the only country engaged in malicious cyberspace activity. Alongside Russia are China, North Korea, and Iran. These countries are responsible for the majority of the hacking activity around the globe. There are various reasons why these nations engage in cyber-based operations, not the least of which is surveillance against their enemies.
Here is an extremely simplified view of the landscape as it stands today.
China is primarily interested in stealing intellectual property. The Chinese would prefer to forego research and development costs, and would rather take the hard work already completed by others to use as the basis for their own technologies. China is mostly looking to increase their economic and military capabilities through these operations, with a strong emphasis on the former more than anything.
North Korea is completely cut off from the world banking system, so it has had to look to creative means of getting finances into the country. What North Korea has opted to do is conduct financially motivated cyber attacks. It leverages ransomware, paid for in bitcoin by the victims, which allows the country to bypass global banking and siphon money back into Pyongyang.
So again, although Russia has been the primary culprit in the news these days, there are other sophisticated nation state actors engaging in cyber operations for various reasons. It should come as no surprise to see Iran accused of a vast global cyber conspiracy.
One thing to consider, especially in light of Bolton being named Trump’s new National Security Advisor, is the administration’s desire for war. This announcement may very well be a precursor to additional comments about Iran from the Trump administration. While I do not claim to have any specific knowledge of what is to come, the timing seems all too convenient.
Wired reports on how state-sponsored Iranian hackers are laser-focused on attacking critical infrastructure companies:
In fact, a new network reconnaissance group, dubbed Advanced Persistent Threat 34, has spent the last few years burrowing deep into critical infrastructure companies.
Given how aggressively Iran has pursued infrastructure hacking, previously targeting the financial sector and even a dam in upstate New York, the new findings serve as a warning, and highlight the evolving nature of the threat.
FireEye researchers tracked 34 of the group’s attacks on institutions in seven Middle Eastern countries between 2015 and mid-2017, but say APT 34 has been operational since at least 2014. The group appears to target financial, energy, telecommunications, and chemical companies, and FireEye says it has moderate confidence that its hackers are Iranians. They log into VPNs from Iranian IP addresses, adhere to normal Iranian business hours, their work has occasionally leaked Iranian addresses and phone numbers, and their efforts align with Iranian interests. Namely, targeting the country’s adversaries.
There isn’t definitive evidence of a direct link between APT 34 and APT 33, an Iranian hacking group and malware distributor FireEye published findings on in September. But researchers have seen APT 34 operating concurrently inside many of the same target networks as other Iranian hackers.
The Middle East is seemingly always involved in one conflict or another. It should come as no surprise to see Iran leveraging cyber attacks to its benefit. Implementing strong defenses should be a major priority for any business within the region, and especially so for critical infrastructure companies. They have a lot to lose, and an attack could cause major devastation in the affected country.
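The working-hours signal FireEye cites above, as an added example written for this post (not FireEye’s own tooling): a small Python check run over constructed VPN authentication log lines that reports, per account, what fraction of successful logins fall within Iranian business hours. The log format, the account names and the IP addresses are made up for the example, and the business-hours window and fixed UTC+03:30 offset are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Tehran is UTC+03:30. Simplification for this model: a fixed offset, which ignores the
# DST Iran observed until 2022; for historical logs use zoneinfo's "Asia/Tehran" instead.
TEHRAN = timezone(timedelta(hours=3, minutes=30))
# The Iranian working week runs Saturday to Wednesday (Thursday a half day, Friday off);
# datetime.weekday() numbers Monday=0 ... Saturday=5, Sunday=6.
WORKDAYS = {5, 6, 0, 1, 2}
WORK_START, WORK_END = 8, 18  # local hours treated as business hours (assumption)

# Constructed VPN authentication log lines: UTC timestamp, user, source IP, result.
SAMPLE_LOG = """\
2017-03-04T05:12:41Z vpn-auth user=svc_backup src=203.0.113.7 result=success
2017-03-04T06:40:03Z vpn-auth user=svc_backup src=203.0.113.7 result=success
2017-03-05T07:01:55Z vpn-auth user=svc_backup src=203.0.113.7 result=success
2017-03-06T12:30:10Z vpn-auth user=svc_backup src=203.0.113.7 result=success
2017-03-09T23:48:19Z vpn-auth user=j.doe src=198.51.100.22 result=success
2017-03-10T10:15:00Z vpn-auth user=j.doe src=198.51.100.22 result=success
"""


def parse_line(line: str):
    """Split one log line into (user, source IP, timezone-aware UTC datetime)."""
    ts, _, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields["user"], fields["src"], when


def in_tehran_business_hours(when: datetime) -> bool:
    """True when the UTC timestamp lands on a Tehran workday inside the working window."""
    local = when.astimezone(TEHRAN)
    return local.weekday() in WORKDAYS and WORK_START <= local.hour < WORK_END


def business_hours_ratio(log_text: str) -> dict:
    """Per user, the fraction of successful logins that fall inside Tehran business hours."""
    hits, total = Counter(), Counter()
    for line in log_text.splitlines():
        if "result=success" not in line:
            continue
        user, _, when = parse_line(line)
        total[user] += 1
        hits[user] += int(in_tehran_business_hours(when))
    return {user: hits[user] / total[user] for user in total}
```

Treat the ratio as one corroborating signal only: on its own it says nothing about an account whose owner legitimately works in that time zone, and the source-IP and leaked-address signals in the excerpt need separate enrichment.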
The contract, one of the largest civilian cybersecurity orders in years, would help more than 100 federal civilian agencies protect their networks against malicious hackers, and it comes after the Office of Personnel Management suffered one of the most damaging breaches in history.
The OPM recently said that hackers stole the fingerprints of 5.6 million people, far more than previously thought. The attacks are believed to have affected more than 21 million former and current government employees, whose personal information, including Social Security numbers and information used in security clearances, may have been compromised.
The Obama administration has said it has made cybersecurity a top priority, and Congress has pushed to expand the nation’s defenses and make them more robust. The Pentagon is also taking steps to develop ways to fend off hackers, who often only have to find one crack in a network, while defenders have to guard the entire wall.
At a hearing on cybersecurity Tuesday, Sen. John McCain (R-Ariz.) said that in the past year, Iran, North Korea, China and Russia have all launched cyberattacks on the United States. And he said the rate of the attacks has increased, “crippling or severely disrupting networks across the government and private sector and compromising sensitive national security information.”
He added: “Far more needs to be done to develop the necessary capabilities to deter attacks, fight and win in cyberspace.”
Iran’s ability to infiltrate or even crash rival government systems, including alleged threats to the electrical grid, has “alarmed” U.S. officials over the past few years. But the most recent phishing attacks are a sign Iranian hackers are using these much more targeted techniques, too—on everyone from secular voices in Iran to nonprofit workers in the U.S.
One tip-off you’re being targeted for an attack? If you receive a fake “unexpected sign-in attempt” notice that says an attempt was made to log in to your account from “The Iran.” The alert could come from a text or, in Hakakian’s case, an email.
This email is sent by the hacker, not Google. But Google will eventually send an authentic verification code to your phone—which is intercepted by hackers in the process, giving them access to your account.
“For this attack to work, the attackers must actively monitor the phishing page. Once the target enters their password into the phishing site the attackers likely use the credential to attempt to log in to GMail. The attacker’s login attempt then triggers the sending of a code from real Google to the target,” the report states. “They then wait for the target to enter the 2FA code from Google.”
Another version of the attack includes a phone call and an interview request from an English or Farsi-speaker who claims to be from the news agency Reuters. When hackers sent their phishing email to Electronic Frontier Foundation director Jillian York after their phone call—which included specific details about her previous work—the news agency was misspelled “Reuturers.”
Eventually, the email would coax victims into opening a document pertaining to the phone call from “Reuters Tech Dep.” Clicking the link would start the two-step verification hack.
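The real-time relay described in the excerpt above, as an added model written for this post (not code from the report it quotes or from Google): a stand-in login site, a victim, and an attacker forwarding the victim’s answers as they arrive. The origin names, the device key and the origin-bound challenge (the mechanism behind WebAuthn/FIDO2, which the excerpt does not mention) are assumptions; the model shows why the relay works against an SMS code but fails against a factor bound to the site’s origin.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.example"       # constructed: the genuine login site
PHISH_ORIGIN = "https://accounts-example.test"  # constructed: the attacker's look-alike page

def sign(device_key: bytes, nonce: str, origin: str) -> str:
    """An origin-bound authenticator signs the nonce together with the origin it was shown on."""
    return hmac.new(device_key, f"{nonce}|{origin}".encode(), hashlib.sha256).hexdigest()

class RealService:
    """The genuine site; knows the user's password and the enrolled device key."""

    def __init__(self, password: str, device_key: bytes):
        self._password, self._device_key, self._pending = password, device_key, {}

    def start_login(self, user: str, password: str, method: str):
        """Password step; returns the second-factor material the site sends out, or None."""
        if password != self._password:
            return None
        # "sms": a 6-digit code texted to the phone.  "challenge": a nonce shown in the browser.
        token = f"{secrets.randbelow(10**6):06d}" if method == "sms" else secrets.token_hex(16)
        self._pending[user] = (method, token)
        return token

    def finish_login(self, user: str, response) -> bool:
        method, token = self._pending.pop(user, (None, ""))
        if method == "sms":                      # whoever presents the code is accepted
            return hmac.compare_digest(token, response or "")
        if method == "challenge":                # only a signature over REAL_ORIGIN is accepted
            return hmac.compare_digest(sign(self._device_key, token, REAL_ORIGIN), response or "")
        return False

class Victim:
    def __init__(self, password: str, device_key: bytes):
        self.password, self.device_key = password, device_key

    def respond(self, method: str, token, origin_shown: str):
        """Types the SMS code wherever asked; the authenticator signs the origin it actually sees."""
        return token if method == "sms" else sign(self.device_key, token, origin_shown)

def honest_login(svc: RealService, victim: Victim, method: str) -> bool:
    """The user logs in directly on the real site."""
    token = svc.start_login("target", victim.password, method)
    return svc.finish_login("target", victim.respond(method, token, REAL_ORIGIN))

def relayed_login(svc: RealService, victim: Victim, method: str) -> bool:
    """Attacker watching the phishing page forwards the password, then the second factor, live."""
    token = svc.start_login("target", victim.password, method)  # real site sends the factor to the victim
    answer = victim.respond(method, token, PHISH_ORIGIN)          # victim answers on the phishing page
    return svc.finish_login("target", answer)                     # attacker forwards the answer
```

The SMS code is just a string the victim can be talked into retyping, so the relay passes it through unchanged; the origin-bound response carries the phishing origin inside the signature and the real site rejects it.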
“If Israel conducts a cyber attack against the Iranian nuclear program are we obligated to help them defend themselves against an Israel cyber attack?” Rubio asked Kerry.
Kerry didn’t exactly say no. He was, however, confident that Israel wouldn’t attempt a cyber attack on Iran without US help. By implication, relations between the US and Israel aren’t so damaged that Israel would launch such an attack without US help, meaning that if Israel did attempt to sabotage the Iranian nuclear program, it would be doing so in a world in which the nuclear agreement was no longer in effect.
“I don’t see any way possible that we would be in conflict with Israel with respect to what we might want to do there and we just have to wait until we get until that point,” Kerry said, cryptically — “that point” referring to a future time at which Israel believes it’s necessary to sabotage Iran’s nuclear program. It seems that at that juncture, the US would have to determine whose side to take.
In 2014, Iranian hackers launched Operation Cleaver, targeting 16 countries, including the U.S., according to U.S. cybersecurity firm Cylance. The hackers targeted several government organizations and private companies involved in the transportation, energy, and medical sectors.
“It’s been this low-key cyber volleying back and forth at each other – It looks like somebody got tired of this and said ‘look I’m going to yank up this game’ to a different level,” said Ahlberg. “When we look at this and take apart this Yemen Cyber Army and really try to understand who they are … they look a lot like other Iranian actors.”
He added, “what we have seen here is the cyber activity turn into an information operation … it’s well-orchestrated to a degree where you’re saying this is not [just] a guy in the basement – this is something more.”
As the U.S. and other world powers negotiate with Iran over its nuclear program, Griffin points out that any sanction relief could have an impact on their cyber activities. “If we are rewarding them not just for this bad behavior, but really the worse behavior, the green light to escalate that is something I would be very concerned by.”
The whole use of the term cyber war is getting out of hand. The word war has a very specific, destructive-sounding definition. However, cyber war does not afford the attackers the same level of physical destruction capability as, say, a 20-ton bomb.
The term cyber operations makes more sense, but it is nowhere near as sensationalist as the media enjoys, so I fear we are stuck with hyperbole.
A report on Iran’s possible plans to launch devastating cyber attacks in the United States raised eyebrows last month, both for its alarming claims and its unusual combination of authors: a Silicon Valley cybersecurity company and a famously influential neoconservative Washington think tank that has been a prominent opponent to a nuclear deal with Iran. The report warned that if the U.S. lifted sanctions on Iran, the country would pour new money into its burgeoning cyber warfare program.
But before the report—co-authored with the American Enterprise Institute—was ever made public, the security company shared a set of preliminary findings on Iran’s cyber warfare operations with officials in the U.S. military and the intelligence community. There, according to current and former officials, the information was greeted by some with a mixture of puzzlement and outright hostility. Government and outside experts have wondered whether the preliminary findings, as well as the subsequent public report with AEI, was relying on dubious intelligence to stir up fears about pending Iranian cyber attacks, just as U.S. officials were trying to iron out the nuclear deal.
The Daily Beast reviewed a copy of the preliminary report, which was written by the cyber security company Norse in January of this year and shared with officials at the National Security Agency and in the military. Described as a “cyber intelligence bulletin” on “malicious cyber activity originating from the Islamic Republic of Iran,” it states that Norse has data on “more than 500,000 attacks on Industrial Control systems over the last 24 months,” referring to the computers that help to run power grids, hydroelectric facilities, and other so-called critical infrastructure in the U.S.
Norse’s claim of half a million “attacks” is an astonishingly large number. But nowhere in the document does Norse offer specific data to back up the claim, noting that more details are forthcoming in a report that the company will publish “later this year.” The bulletin also alleges that Iran is targeting computer systems and Web sites inside the United States, without offering many technical particulars.
Cyber attack attribution remains one of the most difficult aspects of cyber security. However, to make a claim like the one Norse has made, it needs to back up its assertions with data; transparency is key to believability.