A suspected Iranian cyber group has been running a campaign of espionage and attacks targeting the defense and aviation sectors in Israel, the United Arab Emirates, and likely also India, Turkey and Albania, the Google-owned cybersecurity firm Mandiant reported Wednesday.
Read more:
According to the report, the group is linked to another party with direct ties to Iran's powerful Islamic Revolutionary Guard Corps. The group has been active since at least June 2022, and the campaign remains ongoing as of February 2024.
The cyber attacks involve content directly linked to the war in Gaza, including impersonating the Bring Them Home Now forum calling for the return of Israeli hostages held by Hamas. The group also employed various means to try to breach the computers and phones of employees in those industries.
Among the group's tactics, researchers identified dozens of fake job advertisements and impostor job search websites used to obtain login credentials and personal details of employees. The aim is to impersonate these employees within the systems of the targeted companies and organizations. It's difficult to assess the success of these attacks or to determine the extent of the stolen information.
The group also used a website impersonating Boeing to distribute another malware called MINIBIKE, as well as to steal passwords through fake login pages.
The tactics employed by the Iranian hackers included: social engineering such as sending phishing messages and emails and distributing fake websites for malware downloads; using Microsoft Azure cloud infrastructure - where communication appears legitimate; and using infrastructure located in Israel and the United Arab Emirates (in those countries targeted by the group), which may make it difficult to identify the malicious activity against those entities.
The recent method is concerning because it indicates that the hackers are capable of operating as customers of cloud infrastructures in Israel without worry. Overall, the researchers' impression was that these hackers operate with unique methods not previously seen with Iranian hacker groups.
This suggests a more sophisticated group than those encountered in the past. The researchers also noted that the group's clever use of local infrastructures makes identifying its activity a challenging task. The sophistication displayed in the development of the malware suggests higher capabilities than average.
Iranian cyber activity has significantly ramped up in recent years, especially in the past year, partly due to the war in Gaza but also due to Iran's attempt to block Israel and the U.S. from curbing its influence across the Middle East, in cooperation with Russia and China.
On the other hand, Iran has also faced many cyber attacks attributed to Israel, and sometimes to other foreign actors acting on its behalf. Among other things, there have been disruptions in ports, and gas stations, and recently, a mysterious explosion damaged a vital gas pipeline in the country. However, it's very difficult to attribute such actions to one side or another, and mostly it's a matter of circumstantial evidence.