An Iranian hacking group called Ajax Security Team is targeting U.S. defense companies in a cyber-espionage campaign that shows the increasing sophistication of hackers in the Persian Gulf nation, according to researchers at FireEye.
The researchers discovered the campaign—and 77 victims—in the course of analyzing malicious code disguised as anti-censorship tools, according to a report released on Tuesday. Dubbed Operation Saffron Rose (PDF) by FireEye, the attacks targeted Iranians who use software to evade the country’s Internet filtering technology, as well as defense contractors, the researchers found.
To get at defense contractors, Ajax Team set up a fake site, aeroconf2014.org, that looked almost identical to a legitimate site for the 2014 IEEE Aerospace conference, aeroconf.org. They then e-mailed employees with an invitation to register at the fake site. Once there, users were asked to install special software to log in—software that was, in fact, a malicious program to allow the hackers into their computers. The researchers linked the fake conference site to the campaign targeting users of anti-censorship tools through a shared Internet address.
Ajax Team dates back to 2009, when it first appeared on popular Iranian hacking forums. Its activities initially focused on website defacements and so-called “denial of service” attacks in which hackers flood a site with traffic to overload it and force it out of service for a period of time, according to FireEye.
The group’s latest campaign shows much greater sophistication than its previous work did, according to the researchers. There’s not enough evidence to say that Ajax Team is now working directly for the Iranian government or military; the FireEye report leaves it as probably “state encouraged.”
The group’s new focus suggests an evolution similar to that of China’s hacking community, from patriotic website defacements and the like into more skilled and targeted cyber-spying, with potentially greater consequences in terms of network damage and theft of sensitive information.
“We believe that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term,” the report concludes.
Bottom line: Iranian hackers are becoming more of a threat.