Although many dispute Iran's capabilities in cybersecurity, the Iranian regime has been flexing its cyber muscles. Iran has taken cybersecurity seriously ever since the attack on the Natanz nuclear plant, which was later attributed to the Israeli and United States governments. The February 8 attacks on the Iranian internet, which ended up crippling about 25% of the country's connectivity, stirred the fire even more. With most of these activities and threats now aimed at the Israeli and United States governments, recent research has shown that it is far more likely to find APT (Advanced Persistent Threat) groups working together, given the level of threat posed by the Iranian offensive campaign. These threats should not be taken lightly, because the offensive campaigns have been active for the last three years.
Thanks to advances in technology and many years of spying and refining the art of building back doors into encryption equipment, the United States government is almost ready for any kind of cyberattack from Iran. These same advances have also helped the US government gather intelligence on hundreds of nations through surveillance programs. However, although Iranian hackers are nowhere near this level of high-tech gear, that does not mean they are harmless: Iranian state hackers have infiltrated networks and carried out some sophisticated and successful cyberattacks.
Facts to know about Iranian state-hacking groups
According to research conducted by a team from ClearSky, there has been an ongoing espionage campaign sponsored by the state of Iran, active for the last three years. The campaign, referred to as Fox Kitten, is believed to target various industrial sectors in both Israel and the United States. It is only fair to say that the campaign is proving to be a success, as the hackers have gained access and a foothold within different networks. The Iranian state hackers have gained access to systems belonging to many establishments in the government, aviation, telecommunications, security, oil and gas, and IT sectors. The research also stated that this campaign is just one of Iran's most widespread and continuous attacks.
The question on many people's minds, which has arguably become a concern to many, is whether or not these hacking groups are merging. It should not be taken lightly, particularly by the Israeli and United States governments, because links have been found. According to the research conducted by the ClearSky team, there is a connection between the APT39 (Chafer), APT34 (OilRig), and APT33 (Elfin) groups. The investigators further cited that the relationship between APT34 and APT33, and evidence of the two groups working together, can be dated back to 2017. The two groups have previously worked together to maintain a foothold, access other networks, steal information, and breach other companies.
Military take on Iranian campaigns
However, some military experts from the United States are not particularly concerned with the threat that these groups pose. They instead view the research conducted by ClearSky as the equivalent of spoiling an attack. They argue that, as a result of these revelations, more organizations can now join forces to curb and minimize, if not suppress, the threat from these campaigns.
These security experts advocated raising awareness among companies and organizations. On this note, organizations and companies need to see this revelation by ClearSky as a wake-up call. The news of the Fox Kitten campaign should raise awareness of potential attacks.
Common avenues for attacks
The study conducted by ClearSky cited some avenues and vectors that are commonly used by Iranian hackers to wage attacks. The most vulnerable vectors identified for exploitation are RDP and VPN. If they remain unpatched or are not updated, they remain an avenue for exploitation. These findings have led the government to issue alerts on VPN and RDP. The most recent was an alert issued in January warning establishments to update their VPN installations in order to avert cyberattacks. It was similar to a security alert issued a few months earlier, in November 2019, on the BlueKeep threat related to RDP installations for Windows users.
The Iranian hackers have previously infiltrated and exploited both RDP and VPN; through these intrusions, they were able to acquire and control crucial data. As with the recent exploitation of Citrix devices, the research conducted by ClearSky indicates that exploitation is expected to be significant.
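Since the article's practical point is that internet-exposed, unpatched RDP and VPN services are the avenues these campaigns use, the obvious defender's check is an exposure audit against an asset inventory. The following is an added example, not code from the article or from ClearSky's research: it takes a constructed inventory of hosts and flags any RDP or VPN service that is reachable from the internet and has not been patched since the relevant advisory. The hostnames, patch dates and advisory cut-off dates are hypothetical placeholders standing in for the January VPN alert and the November 2019 RDP alert mentioned above.

```python
"""Exposure audit for RDP/VPN services (added example, hypothetical data)."""
from dataclasses import dataclass
from datetime import date

# Placeholder advisory dates (assumption, not taken from the article):
# a service counts as patched only if its last patch is on or after this date.
ADVISORY_DATES = {
    "rdp": date(2019, 11, 1),  # stands in for the November 2019 RDP (BlueKeep) alert
    "vpn": date(2020, 1, 1),   # stands in for the January VPN alert
}


@dataclass
class Asset:
    host: str
    service: str            # "rdp", "vpn", or any other service name
    internet_exposed: bool  # reachable from outside the perimeter
    last_patched: date


def classify(asset, advisories=ADVISORY_DATES):
    """Return a severity for one asset, or None if no action is needed.

    critical : RDP/VPN exposed to the internet and unpatched since the advisory
    review   : RDP/VPN exposed but patched; confirm the exposure is intended
    medium   : RDP/VPN internal-only but unpatched (lateral-movement risk once
               an attacker has a foothold, which is how the campaign above
               spread between networks)
    """
    cutoff = advisories.get(asset.service)
    if cutoff is None:
        return None  # service not in scope of the RDP/VPN advisories
    unpatched = asset.last_patched < cutoff
    if asset.internet_exposed and unpatched:
        return "critical"
    if asset.internet_exposed:
        return "review"
    if unpatched:
        return "medium"
    return None


def audit(assets, advisories=ADVISORY_DATES):
    """Return findings as (severity, host, service) sorted critical-first."""
    order = {"critical": 0, "medium": 1, "review": 2}
    findings = []
    for a in assets:
        sev = classify(a, advisories)
        if sev is not None:
            findings.append((sev, a.host, a.service))
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_ASSETS = [
    Asset("jump01.example.test", "rdp", True, date(2019, 6, 15)),
    Asset("vpn-gw.example.test", "vpn", True, date(2020, 2, 3)),
    Asset("files02.example.test", "rdp", False, date(2019, 6, 15)),
    Asset("web01.example.test", "http", True, date(2019, 1, 1)),
]

if __name__ == "__main__":
    for sev, host, svc in audit(SAMPLE_ASSETS):
        print(f"{sev:8s} {host} ({svc})")
```

Run against a real inventory, the "critical" rows are the hosts to patch or pull off the perimeter first; the "review" rows are where to confirm that the exposure is deliberate and that the service sits behind multi-factor authentication rather than a bare password prompt.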