Cyberattackers in Iran could be behind a wave of hacks on government and communications infrastructure that will require a coordinated global response to repel, according to cybersecurity firm FireEye.
FireEye researchers have identified attacks on dozens of Internet sites belonging to entities across the Middle East, North Africa, Europe and North America, the firm said in a report published Thursday. The actor or actors have “a nexus to Iran”, it said.
By hijacking domain name servers — effectively the Web’s version of an address book — hackers compromise the underlying technology that governs how the Web functions to exploit weaknesses in site domain names.
In executing a DNS hijack, hackers are able to insert themselves between a victim’s Internet site and any user of that site — collecting all information the user had inputted into the site. The information would give the attacker access to the user’s e-mails — and a route into the user’s own network — Shepherd said.
“This gives attackers their initial foothold,” he said. “They are collecting information that provides both immediate espionage benefits and potentially, longer term, it gives a foothold that could be a precursor or pre-positioning for other types of attacks, be they disruptive or destructive.”
FireEye has “moderate” confidence that the attackers are from Iran, as its researchers see overlap with previous Iranian cyberattacks, said Alister Shepherd, the Dubai-based Middle East and Africa director for Mandiant, a unit of FireEye. “That overlap is not negligible,” he said. “We have seen attacker activity from this IP space over a period of time that would indicate that it is being used consistently by Iranian attack groups.”
Worldwide effort
Bloomberg News faxed requests for comment to Iran’s ministry of information, communications & technology and the ministry of foreign affairs on Thursday, which is a weekend day in Iran. Neither office responded immediately.
The scale and nature of the current wave of so-called DNS attacks will require a coordinated worldwide effort to address, Shepherd said. The Internet’s system of domain names is a core element in its functioning and security, he said.
Individual victims would also have to address the security breaches of their networks and related data, he said. He declined to identify any victims, citing his firm’s policy of shining light on attackers and not their targets.
Iran has been rapidly developing its cyber capabilities, according to a 2016 report by the World Economic Forum that alleged Iranian hackers were behind a prior attack on the national oil company of Saudi Arabia, Tehran’s chief regional rival for influence in the Middle East.
The 2012 incident nearly obliterated Saudi Aramco’s corporate IT infrastructure and brought it close to collapse. Saudi authorities blamed unidentified people based outside the kingdom for the attack.
Global action to confront Iran over evidence of hacking could further isolate a nation already weakened by the return of broad US economic sanctions under President Donald Trump. European powers have vowed to salvage the landmark 2015 nuclear deal that underpinned Iran’s hopes for an economic recovery, but recent allegations of Iranian attempts to target opposition groups based overseas have strained ties.
Mandiant alleged in 2013 that China’s military might have been behind a group that had hacked at least 141 companies worldwide since 2006. The US eventually issued indictments against five military officials who were purportedly members of that group. — Reported by David Tweed, with assistance from Golnar Motevalli, (c) 2019 Bloomberg LP
