2010 Stuxnet worm attack on the Natanz nuclear plant that was eventually attributed to the U.S. and Israeli governments, Iran has been taking “cyber” seriously. The cyber-attack that took down 25% of the Iranian internet on February 8 has not been attributed to U.S. threat actors, let alone state-sponsored ones.
The cyber-espionage campaigns originating out of Tehran. Much of this activity is aimed at the U.S. and Israel, and much of it has been attributed to state-sponsored hacking groups. Research has now revealed that an ongoing Iranian offensive campaign, active for the last three years, is likely the result of some of these so-called Advanced Persistent Threat (APT) groups working together.
A ClearSky Research report reveals how an Iranian espionage campaign, targeting various industry sectors in both the U.S. and Israel, has been ongoing for the last three years. The “Fox Kitten” campaign, as the researchers have tagged it, enabled the Iranian offensive hackers to gain both access to, and a persistent foothold within, numerous networks belonging to organizations in the aviation, government, IT, oil and gas, security and telecommunications sectors.
The researchers estimate that Fox Kitten is “among Iran’s most continuous and comprehensive campaigns revealed until now.” While it has, so far, been used as an espionage and reconnaissance infrastructure, the report warns that it also can deliver destructive malware such as Dustman and ZeroCleare, both associated with the APT34 state-sponsored hacking group.
Iranian state-sponsored hacking groups joining forces?
ClearSky researchers say, with a “medium probability” rating, that there’s a connection between the APT33-Elfin, APT34-OilRig and APT39-Chafer groups as far as this campaign is concerned. The campaign targeting the U.S. energy infrastructure sector was first revealed by security researchers at Dragos in January; the ClearSky investigation has now identified a more comprehensive campaign structure, hence the new Fox Kitten name.
The attack vector that ClearSky has identified as the most significant is the exploitation of known VPN and RDP vulnerabilities in systems that have remained unpatched. The U.S. government even issued a strongly worded security alert in January that warned organizations to update their VPN installations or face cyberattacks, and in November 2019 it issued a similar warning about the RDP-related BlueKeep threat to Windows users.
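Because the campaign's initial access and persistence ran through exposed VPN and RDP services, the first thing a defender wants is visibility into remote-interactive logons that arrive from outside the organization's own address space. The following is an added example, not code from ClearSky or from the article: it runs a simple detection over a constructed sample of Windows Security event 4624 records (successful logon; LogonType 10 is RemoteInteractive, i.e. RDP) flattened to key=value pairs the way a SIEM export might look. The internal address ranges, the field names and every IP and account in the sample are assumptions made for the demonstration.

```python
import ipaddress
from collections import Counter

# Constructed sample events (not real log data). Each line is one Windows
# Security event flattened to key=value pairs; field names are assumed.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=svc_backup LogonType=10 IpAddress=203.0.113.45 Workstation=VPN-GW01",
    "EventID=4624 TargetUserName=jsmith LogonType=10 IpAddress=10.20.5.17 Workstation=LT-JSMITH",
    "EventID=4624 TargetUserName=svc_backup LogonType=10 IpAddress=203.0.113.45 Workstation=VPN-GW01",
    "EventID=4624 TargetUserName=admin LogonType=3 IpAddress=198.51.100.9 Workstation=FS01",
    "EventID=4624 TargetUserName=admin LogonType=10 IpAddress=198.51.100.9 Workstation=RDP-JUMP",
    "EventID=4625 TargetUserName=admin LogonType=10 IpAddress=198.51.100.9 Workstation=RDP-JUMP",
]

# LogonType 10 = RemoteInteractive (RDP / Terminal Services).
REMOTE_INTERACTIVE = "10"

# Assumed organizational address plan: RFC 1918 space plus loopback and
# link-local. Anything outside these is treated as external. The TEST-NET
# documentation ranges used in the sample are deliberately left out so they
# count as external in this demonstration.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def parse_event(line):
    """Split a 'key=value key=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_external(ip_str):
    """True when the address parses and is outside the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Malformed or missing source (e.g. '-' for local logons): not external.
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_external_rdp_logons(lines):
    """Return (user, source_ip, workstation) for every successful RDP logon
    whose source address is outside the internal ranges."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":          # only successful logons
            continue
        if ev.get("LogonType") != REMOTE_INTERACTIVE:
            continue
        if not is_external(ev.get("IpAddress", "")):
            continue
        hits.append((ev["TargetUserName"], ev["IpAddress"], ev["Workstation"]))
    return hits


def summarize(hits):
    """Count hits per (user, source_ip) pair so repeat external sources stand out."""
    return Counter((user, ip) for user, ip, _ in hits)


if __name__ == "__main__":
    hits = find_external_rdp_logons(SAMPLE_EVENTS)
    for (user, ip), n in summarize(hits).most_common():
        print(f"{user:<12} from {ip:<16} external RDP logons: {n}")
```

On the constructed sample this flags three external RDP logons: two for svc_backup via the VPN gateway from the same source and one for admin on the jump host, while the internal jsmith session and the failed (4625) attempt are ignored. In practice the external check should be driven by the organization's real address inventory, and hits for service accounts that never legitimately log on interactively deserve the highest priority.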
ClearSky has also warned that the exploitation of vulnerabilities such as those seen recently in certain Citrix devices is expected to be significant in 2020.
There is no doubt that the Fox Kitten campaign news should be a wake-up call to every business and every organization, not only those in the crosshairs of Iranian state-sponsored attack groups.