MILPITAS, CA--(Marketwired - May 13, 2014) - FireEye, Inc. (
"There is an evolution underway within Iranian-based hacker groups that coincides with Iran's efforts at controlling political dissent and expanding its offensive cyber capabilities," said Nart Villeneuve, senior threat intelligence researcher at FireEye. "We have witnessed not only growing activity on the part of Iranian-based threat actors, but also a transition to cyber-espionage tactics. We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets' machines for longer-term initiatives."
The targets of Operation Saffron Rose include Iranian dissidents and U.S. defense organizations. FireEye Labs recently observed the Ajax Security Team conducting multiple cyber-espionage operations against companies in the defense industrial base within the U.S. The group also targets local Iranian users of Proxifier or Psiphon, which are anti-censorship technologies that bypass Iran's Internet filtering system.
Whether the Ajax Security Team operates in isolation or as part of a larger government-coordinated effort is unclear. The team uses malware tools that do not appear to be publicly available or used by any other threat groups. This group uses varied social engineering tactics to lure targets into infecting their systems with malware. Although FireEye Labs has not observed the Ajax Security Team using zero-day attacks to infect victims, members of the Ajax Security Team have previously used publicly available exploit code to deface websites.
FireEye uncovered information on 77 victims from one command-and-control (CnC) server found while analyzing malware samples disguised as Proxifier or Psiphon. Analyzing data on the victims, FireEye found that a large concentration had their time zones set to "Iran Standard Time" or language set to Persian.
Below is a detailed breakdown of victim data:
- 44 had their time zone set to "Iran Standard Time," and 37 of those also had their language set to Persian.
- Of the 33 victims that did not have an Iranian time zone setting, 10 had Persian language settings.
- 12 of the victims had either Proxifier or Psiphon installed or running (all 12 had a Persian language setting, and all but one had their time zone set to "Iran Standard Time")
Iran has been publicly linked to advanced cyber attacks since 2009, when blueprints for the new U.S. presidential Marine One helicopter were found on a file-sharing network in Iran.[1] In December 2009 and January 2010, the "Iranian Cyber Army" hijacked Twitter and the Chinese search engine Baidu, redirecting users to Iranian political messages.[2] In 2013 the Wall Street Journal reported that Iranian actors had stepped up their efforts to compromise U.S. critical infrastructure.[3] Finally, over the past year, another group, the Izz ad-Din al-Qassam Cyber Fighters, launched "Operation Ababil," a series of distributed denial-of-service (DDoS) attacks against many U.S. financial institutions, including the New York Stock Exchange.[4]
About FireEye, Inc.
FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 2,200 customers across more than 60 countries, including over 130 of the Fortune 500.
© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark or trademark of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.
[1] Borak, D. (3 Mar 2009). "Source in Iran views Marine One blueprints," Marine Corps Times.
[2] Wai-yin Kwok, V. (13 Jan 2010). "Baidu Hijacked By Cyber Army," Forbes.
[3] Gorman, S. & Yadron, D. (23 May 2013). "Iran Hacks Energy Firms, U.S. Says," Wall Street Journal.
[4] Walker, D. (8 Mar 2013). "Hacktivists plan to resume DDoS campaign against U.S. banks," SC Magazine.