By Hank Thomas, Co-Founder and COO at Strategic Cyber Ventures
There are indications that the U.S. might withdraw from the Iran nuclear deal. If it does, there is a high probability that many of the same Iranian cyber elements, along with the new capabilities they have built since, will go back to work attacking iconic U.S. targets en masse via cyberspace. Some of those attacks may be more sophisticated, but many will probably mirror the low-cost but effective Iranian-backed attacks of 2012. Let's review how those events unfolded so we can understand what to expect in the coming weeks or months.
Beginning in 2012, U.S. financial institutions suffered frequent distributed denial of service (DDoS) attacks as part of a campaign to disrupt the U.S. economy. The attacks prevented millions of customers from accessing their accounts and cost the affected businesses millions of dollars as they worked feverishly to stop, divert, or contain the traffic. The attacks were eventually linked to other cyber reconnaissance efforts and to coordinated attacks on major Middle East energy companies, and a broader campaign against high-value targets, from energy companies in the Middle East to banks in the U.S., came to be suspected. There is also evidence that the DDoS attacks served as a smokescreen to distract security teams while the Iranians conducted more significant cyber raids and covert actions. Components of these interconnected events were referred to as Operation Ababil.
The campaign began in January 2012 against Bank of America (BAC), using a DDoS toolkit known as IOKNPB. A hacker using the moniker 0xOmar claimed that the DDoS infrastructure for the attack was controlled by the "Nightmare Group", at the time thought to be a pop-up actor. Later, on 15 August of that year, Saudi Aramco, the Saudi Arabian national oil company, was hit with the Shamoon malware, resulting in large-scale data destruction; a different pop-up group calling itself Cutting Sword of Justice claimed credit. Also in August, RasGas, a major producer of liquefied natural gas (LNG) in Qatar, was attacked, and components of the malware used were confirmed to be similar to Shamoon. In September, another pop-up group, the Qassam Cyber Fighters (QCF), announced planned attacks on U.S. financial infrastructure; messages posted by the group provided the first evidence of successful attacks. The remainder of September 2012 saw a massive onslaught of attacks on the U.S. financial services industry. An overview of the timeline follows.
18 September: BAC and the New York Stock Exchange (NYSE) attacked
19 September: JPMC attacked
25 September: Wells Fargo attacked
26 September: U.S. Bank attacked
27 September: PNC Bank attacked
Attacks didn't slow down in October. QCF announced continued attacks against U.S. financial infrastructure; by mid-October targets were no longer being announced in advance, but the attacks continued.
09 October: Capital One attacked
10 October: SunTrust attacked
11 October: Regions Financial attacked
16 October: Capital One attacked
17 October: BB&T attacked
18 October: HSBC attacked
These previously unknown pop-up threat actors conducted successful, sustained, and coordinated DDoS attacks against major U.S. financial institutions, institutions that thought they had prepared for something as basic as a DDoS attack. The threat actors obfuscated their true identity with tradecraft that added layers of cover, concealment, and deception. To many analysts at the time, for example, they appeared to be North African Arabs; other groups appeared to be patriotic hackers for various Middle Eastern causes. They made more noise than usual before and after attacks, and for a reason: they wanted Western government and bank security teams to sink deeper into the fog of war and to chase them down rabbit holes during the chaos and confusion of the attacks, in the hope of preventing attribution.
It wasn't until native-speaking Farsi linguists, working on the translation and analysis of the threat actors' communications, began to identify anomalies in their Arabic word usage and sentence structure that many of the dots of attribution began to connect. Combined with more technical intelligence about the tactics, techniques, and tools used in the DDoS attacks, the penetrations, and the destructive attacks, the motivations, capabilities, and intent of the threat actors began to be revealed. Analysts converged on likely involvement of Persian Farsi-speaking Iranian actors, who were simply using Arabic to hide their true affiliation.
When assessing the threat actors' motivations, it was clear they weren't in it for the money: they had stolen none, and nothing they took could be monetized. They targeted only symbolically important companies or critical infrastructure, and their efforts were wide-ranging and well coordinated. All signs pointed to a nation state behind the events.
Fast forward to 24 March 2016, when then Attorney General Loretta Lynch said the attacks had cost victims "tens of millions of dollars" over 176 days, during which hundreds of thousands of Americans could not get onto their online accounts. That same day the U.S. unsealed charges against seven Iranian hackers accused of attacks on a range of American banks and on a dam just outside New York City. Attorney General Lynch and then FBI Director James Comey announced the indictments, naming Iranian residents who worked for computer security companies linked with the Iranian government, including ITSecTeam (ITSEC) and Mersad Company (MERSAD).
Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan, Omid Ghaffarinia, Sina Keissar, and Nader Saedi were named as the primary suspects. The men, all Iranians, were charged in the U.S. over the distributed denial of service (DDoS) attacks on major U.S. banks carried out under Operation Ababil by the al-Qassam Cyber Fighters. The extensive, complex investigation that led to these charges was a joint public-private effort led by the FBI between 2013 and 2016. Identifying cyber actors operating in such a clandestine way proved the need for all sources of intelligence and investigative tools, not just technical ones, working together in the cyber domain; for the U.S. to attribute such a complex attack with confidence to specific individuals and organizations working on behalf of the Iranian government required significant evidence. Collectively, this group of Iranian cyber operators is now often referred to within the community as APT 33.
While no one has been arrested yet, the FBI has made it clear that it won't forget. It intends to act on any opportunity to apprehend the suspects named in the indictments the moment they leave the sanctuary of Iranian protection. It just might not get the chance before a new wave of high-volume Iranian attacks from APT 33 begins in earnest, should the U.S. back out of the current Iranian nuclear deal. For more information on this topic, see the TrapX Security 'Anatomy of an Attack' report, and prepare yourself for a new wave of attacks.