Hackers with ties to Iran have conducted a long-term cyberespionage operation against government and industry in Israel, Kuwait, Lebanon, Qatar, Saudi Arabia, Turkey and the United Arab Emirates, according to FireEye, a cybersecurity firm.
In a new report, FireEye says the operation by the group it dubs APT34 is “largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014.”
The mostly Middle Eastern targets include government agencies and private industries, including financial, energy, chemical and telecommunications sectors, the company says.
FireEye bases its assessment that APT34 works on behalf of the Iranian government on clues that include references to Iran, the use of Iranian infrastructure and targeting that aligns with Iran’s interests.
The hackers sometimes breached networks through spearphishing, a technique designed to get users to open a file in email that secretly installs malware on their computer.
“APT34 is a proficient threat group that has proven particularly effective at leveraging spearphishing emails and social engineering to compromise target networks,” said Nicholas Richard, principal threat intelligence analyst at FireEye. “The group has continually refined and enhanced its tactics, techniques and procedures to successfully target victims and once in a victim’s environment moves rapidly to dump credentials, establish persistence and conduct extensive reconnaissance to facilitate successive operations.”
U.S. intelligence officials have long considered Iran to be a highly capable adversary in cyberspace. In 2013, hackers from Iran’s Islamic Revolutionary Guards Corps infiltrated the computer controls of a small dam 25 miles north of New York City, according to American officials.
Eyal Sela, head of Threat Intelligence at ClearSky, told Calcalist that the breadth of the attack indicated it was not a private operation but rather state-sponsored. That assessment was reinforced by the fact that no financial use was made of the information the hackers gleaned.
“None of those hacked suffered financial damage,” Sela said. “The identity of the attacked — human rights activists and people with political ties — does not support the thesis that the campaign is connected to criminal groups.”
Targeted people received Twitter messages or emails from accounts registered with ostensibly Jewish-Israeli names. One claimed to be a journalist at KNBC, another an Israeli political researcher in California, and a third an Iranian Jewish girl seeking help to leave the country.
While ClearSky couldn’t say how many accounts were hacked, Dolev noted that such attacks usually have a 10 percent success rate.
ClearSky noted it had found connections between the Charming Kitten group and Behzad Mesri, an Iranian hacker indicted by the FBI for hacking HBO and then leaking episodes of the “Game of Thrones” series. The FBI claims Mesri is a member of another Iran-based hacking group sometimes known as Turk Black Hat, which has targeted hundreds of websites in the United States and around the world.