A previously unknown hacking group believed to be based in Iran has started cyber attacks on targets inside the U.S., according to Mandiant Corp., a security company that has linked China’s army to similar activity.
The Iranian group emerged within the past six months and has infiltrated the networks of at least one U.S. corporation, Richard Bejtlich, Mandiant’s chief security officer, said yesterday in an interview in Washington.
“You’re starting to see the Iranians get more active,” Bejtlich said. “We’ve got at least one case where we think it’s Iran, and we think what they are doing is trying to gain some experience on a live network.”
Bejtlich’s observation backs assertions by politicians such as U.S. Representative Mike Rogers, a Michigan Republican who leads the House Intelligence Committee, that Iranian groups are behind recent attacks on American computer systems and networks.
“The level of sophistication and resources devoted to the recent cyber attacks coming out of the Middle East, including the recent attacks on American financial institutions, could only be coming from a nation-state entity,” Rogers said yesterday in a statement. He said he had “little doubt that the Iranian government is behind these attacks.”
Closely held Mandiant, based in Alexandria, Virginia, released a report in February concluding that the People’s Liberation Army in China may be behind the hacking of at least 141 companies worldwide since 2006.
Mandiant is investigating the new group’s tactics and hasn’t concluded that it’s backed by Iran’s government, Bejtlich said. “We don’t know if it’s the government,” he said. “We don’t know if they’re patriotic hackers.”
The group’s motivation isn’t clear, and Bejtlich wouldn’t name the U.S. company it struck or what industry is involved.
“We haven’t seen these guys before,” Bejtlich said. “They are working their way through a network, trying to figure out where can they go; who will find them; who will stop them.”
Cyber attacks from “state-backed actors are on the rise,” Senator Saxby Chambliss of Georgia, the top Republican on the Senate Intelligence Committee, said in a statement. “They are targeting the private sector and the U.S. government, and they constitute a growing threat to our national security.”
In a speech in Washington April 26, Chambliss cited the Chinese, Russian and Iranian governments as being behind attacks on U.S. computer networks. He said Iran backed an Aug. 15 attack on the state-owned Saudi Arabian Oil Co.
Network-security companies such as Radware Inc. have investigated whether denial-of-service attacks against U.S. banks originated in Iran. Such actions can overwhelm computer servers with queries or Internet traffic, forcing them offline. Pinpointing the origin of cyber intrusions -- a process known as attribution -- is difficult, said Carl Herberger, a vice president for the Tel Aviv-based company, which has offices in New Jersey.
“It’s similar to a sniper,” Herberger said by e-mail. “You know a target has been hit, but the exact location of where that bullet originated from is difficult to isolate.”
Claims that the Iranian government is behind cyber attacks are “baseless,” Alireza Miryusefi, a spokesman for the Iranian mission to the United Nations, said in a statement. Iran has been repeatedly targeted by hackers sponsored by other governments and wants an international legal framework to address issues surrounding cyber warfare, he said.
Mandiant tracks about two dozen groups considered to be the most aggressive, known as advanced persistent threats. The majority of the groups are based in China while others are in Russia or Eastern Europe, Bejtlich said.
Bejtlich said he is increasingly concerned that hacker intrusions are escalating from espionage to sabotage, or the destruction of computer systems.
“No one’s been talking about that previously,” he said. “What I worry about is that someone’s going to make a decision to do that and either not think through the consequences or understand the consequences, or even care about the consequences.”
The House has passed legislation, H.R. 624, that would encourage governments and businesses to share information about cyber threats.
Bejtlich said that alone won’t stop the attacks. The group in China identified in Mandiant’s February report continues its intrusions, he said.
“There are plenty of sites that are still being attacked by the same group using the same methods and the same infrastructure,” Bejtlich said. “It’s clear that even when you make information completely free and just available for download, it’s not going to solve the world’s problems.”
He said legislation is needed to clarify that companies can protect their computers and networks from attacks, and businesses need to remain vigilant.
“We respond to companies that are armed like Fort Knox and it didn’t make a difference,” he said of the services his firm provides. “If you’re a sufficiently juicy target, they will find their way in no matter what you have.”