By Davey Winder
February 19, 2020
Ever since the 2010 Stuxnet worm attack on the Natanz nuclear plant that was eventually attributed to the U.S. and Israeli governments, Iran has been taking “cyber” seriously. Although the notion of Iran initiating a cyberwar scenario has been largely dismissed, there has been no shortage of cyber muscle-flexing from the Iranian regime. While the cyber-attack that took down 25% of the Iranian internet on February 8 has not been attributed to U.S. threat actors, let alone state-sponsored ones, it is unlikely to calm the anti-West cyber-rhetoric. Or, indeed, the cyber-espionage campaigns originating out of Tehran. Much of this activity is aimed at the U.S. and Israel, and much of it has been attributed to state-sponsored hacking groups. Newly published research has now revealed that an ongoing Iranian offensive campaign, active for the last three years, is likely the result of some of these so-called Advanced Persistent Threat (APT) groups working together.
The fictional James Bond character became famous for his range of, frankly, quite ridiculous technological aids, from the cigarette gun in Casino Royale to the tracking nanoparticles injected into Bond’s bloodstream in Spectre. Back in the real world, state-sponsored espionage has increasingly relied upon far-from-fictional technologies. I recently reported how the CIA enabled the U.S. to spy upon more than 100 foreign governments across decades by secretly building backdoors into the encryption equipment they used. Iranian state-sponsored hackers have not had the luxury of such near-ubiquitous infiltration, nor are they traditionally thought to be that advanced when compared to their Chinese or Russian contemporaries. However, that hasn’t prevented Iranian hacker groups from conducting highly successful cyber-espionage campaigns.
Fox Kitten espionage campaign has been active for three years
The ClearSky research team has published a report that reveals how an Iranian espionage campaign, targeting various industry sectors in both the U.S. and Israel, has been ongoing for the last three years. The “Fox Kitten” campaign, as the researchers have tagged it, enabled the Iranian offensive hackers to succeed in gaining both access to, and a persistent foothold within, numerous networks belonging to organizations in the aviation, government, IT, oil and gas, security and telecommunications sectors.
The researchers estimate that Fox Kitten is “among Iran’s most continuous and comprehensive campaigns revealed until now.” While it has, so far, been used as an espionage and reconnaissance infrastructure, the report warns that it also can deliver destructive malware such as Dustman and ZeroCleare, both associated with the APT34 state-sponsored hacking group.
Are Iranian state-sponsored hacking groups joining forces?
What’s interesting, and potentially concerning for the West, is that the ClearSky researchers say, with a “medium probability” rating, that there’s a connection between the APT33-Elfin, APT34-OilRig and APT39-Chafer groups as far as this campaign is concerned: a campaign targeting the U.S. energy infrastructure sector that was first revealed by security researchers at Dragos in January. The ClearSky investigation has now identified a more comprehensive campaign structure; hence the new Fox Kitten naming. The report goes on to assess that APT33 and APT34 have been working together since 2017, employing the attack infrastructure to steal information, breach other companies through supply-chain attacks, and maintain a persistent foothold on all those networks.
Update your VPN, Citrix and Windows installations now
Of the attack vectors used, the one that ClearSky has identified as the most significant has been the exploitation of known VPN and RDP vulnerabilities in systems that have remained unpatched. The U.S. government even issued a powerful security alert in January that warned organizations to update their VPN installations or face cyberattacks, and in November 2019 a similar warning related to the RDP-related BlueKeep threat to Windows users. Both VPN and RDP exploits can be used by the Iranian hacker groups to infiltrate networks and then gain control of critical data storage. ClearSky has also warned that the exploitation of vulnerabilities, such as those seen recently in certain Citrix devices, is expected to be significant in 2020.
Iran attacks no surprise, infosecurity expert says
I spoke to Ian Thornton-Trump, CISO at Cyjax, who has served with the military intelligence branch of the Canadian Forces, and he sees this report as a huge victory for the forces of good. “Not only was an attack from Iran like this expected,” he says, “but this revelation by security researchers is the equivalent of a spoiling attack.” So, despite the size and scope of the Iranian campaign, the published analysis means more organizations can now respond and mitigate the campaign successfully. But it’s not all good news, according to Thornton-Trump, especially as RDP and VPN are cited as attack vectors.
“Seriously, are some organizations asleep or not paying attention?” he says. “We knew about these vectors, across November, December, and January, with very public announcements and some actual proof of concepts.” That reveals a few telling things, according to Thornton-Trump. “Executive management at those companies did not move fast enough on vulnerability management of these dangerous vulnerabilities, asset management may be in a poor state, tools for automation, detection, and remediation of vulnerabilities are inadequate, and I suspect the last potential issue is there are maybe IT resource constraints.”
There is no doubt that the Fox Kitten campaign news should be a wake-up call to every business, every organization, and not only those in the crosshairs of Iranian state-sponsored attack groups. “This is yet another round in a classic APT boxing match,” Thornton-Trump concludes, “and when the bell rang this time, security researchers got a favorable decision. Back we go for the next round.”