Industry News

FBI warns firms of sophisticated Iranian hacker threat

The FBI has reportedly privately warned US energy and defence firms to be on the lookout for a sophisticated attack against their computer systems by Iranian hackers.

That’s the claim made by Reuters, which says it has seen a confidential “Flash” report issued by the US authorities on Friday, detailing the methods used by the attackers and the steps organisations can take to avoid being hit by the malware.

Although the finger is most definitely being pointed at Iran – with the FBI’s advisory document identifying two IP addresses based in Iran that are used to launch attacks – the report does not go as far as to apportion blame to the Iranian authorities.

And, of course, it should be remembered that attributing attacks to a particular country is notoriously difficult, as it is so easy for hackers to hide their tracks, or use compromised computers in another nation to act as a proxy when launching their attacks if they so choose.

But, if accurate, the threat would appear to tie in with research issued earlier this month by Cylance of “Operation Cleaver”, a hacking campaign orchestrated by an Iranian team that the firm dubbed “Tarh Andishan”.

Operation Cleaver is said to have targeted critical infrastructure organisations around the world, including defence contractors, oil and gas energy producers, telecom firms, chemical companies and governments.


Cylance reported that it knew of some 50 targets and compromised victims, but believed that the FBI warning showed that the scale of the operation may be larger than its own research had revealed.

For its part, the government in Tehran is said to have vehemently denied any connection with the attacks.

Of course, Iran is no stranger to attacks on critical infrastructure – albeit most notoriously it was Iran that was on the receiving end of such an attack when the Stuxnet malware (probably built by the Americans with assistance from Israel) managed to infect the uranium enrichment facility at the city of Natanz.

Would it really be any surprise to hear that that incident had spurred Iran to invest more deeply in its own hacking attempts against critical infrastructure in countries it perceived to be its enemies?

It was recently revealed that in 2012 Iranian hackers had managed to break into a US Navy network for four months, exploiting a vulnerability in a poorly-secured public-facing website.

Regardless of who might be behind the latest attack that the FBI is warning about, it would be sensible for organisations to take it seriously and continue to assess the security of their systems to reduce the chances of a breach.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments


  • “Although the finger is most definitely being pointed at Iran – with the FBI’s advisory document identifying two IP addresses based in Iran that are used to launch attacks – the report does not go as far as to apportion blame to the Iranian authorities.”

    I really, really, really (and did I forget to say really?) wish people would stop using IP addresses as if they are somehow an accurate indication of the true (yes, it is intended) source. It is fine to say the IPs belong to an Iranian provider. It is not fine to say it is sponsored by Iran, and neither is it fine to say it is an Iranian at all. Funny thing is, not too long ago, some African country raided some organised crime in their country (I want to say Kenya but I’m not positive here). The nationality of this gang? Chinese. But yet… in Kenya. That is only one example, but it certainly is not the only one (and in this case it is physical location instead of host location).

    I’m also reminded of how Robert Tappan Morris made his worm appear to come from a different university. He’d have gotten away with it, or certainly would have had a higher chance, if his method of keeping the worm active was not dropping the systems to their knees. It is absurd that any nation claims this type of thing, anyway, because they’re just as guilty of this too (it is a game, a blame game, and essentially slander/libel/etc. in many cases unless it is 100% factual (and it isn’t that simple, is it?)).

    “And, of course, it should be remembered that attributing attacks to a particular country is notoriously difficult, as it is so easy for hackers to hide their tracks, or use compromised computers in another nation to act as a proxy when launching their attacks if they so choose.”

    More like obscure. But yes, same thing here. Of course, we must not forget chaining proxies, either.

    On Iran and the situation: it would be ironic indeed, wouldn’t it? Well, you reap what you sow. Whether the US was indeed responsible for Flame (or…) I don’t know, but still, it would be ironic for other reasons too (the west versus Iran, and particularly the on-going negotiations, come to mind).