Former Mossad Chief explains, it is all about the Iran threat. Clearly, the Obama administration including is National Security Council and both Secretaries of State focused more on Israel and accusatory ‘occupier’ status than on Iran.
Behzad Mesri, the Iranian national the US has accused of hacking HBO this year, is part of an elite Iranian cyber-espionage unit known in infosec circles as Charming Kitten, according to a report released yesterday by Israeli firm ClearSky Cybersecurity.
Known as an APT (Advanced Persistent Threat), this group has been active since 2013 and is believed to be operating under the protection of the local Iranian government.
The group’s activities have been first exposed in March 2014, when US cyber-security firm FireEye published a report entitled “Operation Saffron Rose.”
Charming Kitten —also tracked under various codenames such as Newscaster, NewsBeef, Flying Kitten, and the Ajax Security Team— was one of the most active Iran-based cyber-espionage units at the time, but once the FireEye report went public, the group dismantled its infrastructure and went dormant.
Subsequent research published by Iran Threats and ClearSky show that parts of the old Charming Kitten infrastructure, such as malware and credential theft resources, have been reused by another Iranian cyber-espionage unit named Rocket Kittens, and possibly more.
Various experts have pointed out that most of these groups are most likely operating under the protection and guidance of Iranian military, hence the reason why some resources are used not by one or two, but multiple APTs.
According to the official indictment, US officials said Mesri worked for the Iranian military, but that he also lived a separate life as a hacker. Evidence shows that Mesri defaced hundreds of websites and most likely carried out the HBO hack outside of his role in the Charming Kittens operations, most of which have targeted Iranian dissidents.
Mesri had connections to other Charming Kitten members
The 59-page ClearSky report released yesterday shows a web of connections between Mesri and other members of the Charming Kitten espionage unit, including connections to a hacktivist group known as the Turk Black Hat Security hacking group, where Mesri operated under the pseudonym of “Skote Vahshat,” together with other persons linked to Iranian APTs.
Besides Charming Kitten and the subsequent Rocket Kitten incarnation, Iran is home to other APT groups such as OilRig [1, 2], CopyKittens, and Magic Hound (Cobalt Gypsy, Timberworm), all very active.
In fact, Iranian actors are some of the most active groups around, albeit far from the most sophisticated. Their usual targets are businesses, human rights groups, individuals, and nearby governments of interest or at odds with the Iranian government — such as Saudi Arabian companies and government agencies, or Israeli military and government targets.
According to multiple reports, the Charming Kittens group of which Mesri is suspected of being a member, operated using mundane spear-phishing and watering hole attacks, and targeted individuals using made-up organizations and people, fake news sites, or by impersonating real companies.
The group was not sophisticated like US, Chinese, or Russian counterparts, but persisted with attacks until they got access to their targets’ email inbox and social media accounts, most likely to gather information on a person’s past or upcoming plans. More details here.
Is Iran a cyber threat? Yes and gaining hacking abilities quickly.
Tehran poses an increasing cyber threat to the U.S., in light of the Trump administration’s allegations that Iran is violating United Nations Security Council resolutions tied to the nuclear agreement. Iran-sponsored hackers—dismissively referred to as “kittens” for their original lack of sophistication—are bolstering their cyber warfare capabilities as part of their rivalry with Saudi Arabia. But should President Donald Trump take further steps to scrap the nuclear deal, it could mean an uptick in Iranian state-sponsored cyber intrusions into American and allied systems, with the goals of espionage, subversion, sabotage and possibly coercion.
- Since 2011, Iran has worked to establish itself as a prominent aggressor in cyberspace, alongside China, Russia and North Korea. Evolving from mere website defacement and crude censorship domestically in the early 2000s, Iran has become a player in sustained cyber espionage campaigns, disruptive denial of service (DDoS) attacks and the probing of networks for critical infrastructure facilities.
- Iran wasn’t pursuing cyber capabilities with much urgency, experts say, until it was revealed in 2010 that a joint Israeli-U.S. Stuxnet worm sabotaged nuclear centrifuges at Iran’s facility in Natanz. As the first-known instance of virtual intrusions resulting in physical effects, the operation demonstrated the potential effectiveness of such an attack and has informed much of Iranian cyber operations since.
- Iran often has conducted disruptive cyber operations loosely in response to actions taken by others. It sees offensive cyber operations as an asymmetric but proportional tool for retaliation. For example, following the Stuxnet attack and the imposition of new sanctions on Iran’s oil and financial sectors in 2011, Tehran was suspected of retaliating in 2012 by releasing the Shamoon disk-wiping malware into the networks of Saudi oil giant Saudi Aramco and Qatar’s natural gas authority, RasGas. It also launched volleys of DDoS attacks against at least 46 major U.S. financial systems.
- Iran commonly conducts its state-sponsored cyber operations behind a thin veil of hacktivism. From 2011 to 2013, a group calling itself the Qassam Cyber Fighters launched DDoS attacks that flooded the servers of U.S. banks with artificial traffic until they became inaccessible. In March 2016, the Justice Department unsealed indictments of seven individuals—employees of the Iran-based computer companies ITSecTeam and Mersad Company—for conducting the DDoS attacks — and intrusions into a small dam in upstate New York—on behalf of the Islamic Revolutionary Guard Corps (IRGC), the arm of Iran’s military formed in the aftermath of the 1979 Iranian revolution.
While much of Iran’s cyber operations have been attempts at asymmetric disruption against its Gulf rivals, Israel and the United States, it has recalculated since the 2015 negotiation of the Joint Comprehensive Plan of Action (JCPOA), the Iran nuclear deal.
- Under scrutiny by the international community, Iran has largely reined in disruptive attacks against the U.S., with some operations still deployed against Saudi Arabia. In November 2016, a variant of the disk-wiping malware Shamoon was deployed against Saudi aviation and transportation authorities.
Rather than relying on disruptive attacks against the West, Iran has pursued cyber-enabled information warfare against its regional competitors, namely Saudi Arabia. By utilizing cyber proxies to access and weaponize privileged information, Iran has subtly sought to undermine Saudi Arabia’s political standing in the region and in the eyes of international allies. This kind of grey-zone offensive—an act short of war—is a page right out of the Russian intelligence playbook of active measures in Europe and the U.S.
- In April 2015, the pro-Saudi newspaper Al Hayat was hacked by a group calling itself the Yemen Cyber Army, which experts say has loose ties to Iran. The attack replaced the media outlet’s front page with threatening messages aimed at dissuading the Saudis from getting involved in the civil unrest bubbling across their southern border. The hack was followed quickly by stories on Iran’s state-run FARS news agency and Russia’s RT network, citing the Yemen Cyber Army for breaching the Saudi foreign ministry and its threats to release personal information on Saudi officials and expose diplomatic correspondence that allegedly suggested Saudi support of Islamist groups in the region. One month later, WikiLeaks published material likely taken from the trove of stolen correspondence.
- In another example, an Iran-linked Hezbollah hacktivist group known as the Islamic Cyber Resistance leaked sensitive material related to the Saudi army, the Saudi Binladin Group and the Israeli Defense Forces, following the December 2013 assassination of Hezbollah leader Hassan al-Laqis, according to Matthew McInniss, an AEI scholar now working on Iran in the Trump State Department. Ties also have been detected between Iran and the Syrian Electronic Army, the hacking wing of the regime of Bashar al-Assad, according to Cipher Brief expert and former CIA and NSA chief Michael Hayden.
- The link between Iranian government support and the cyber proxy actors is difficult to prove. But it would follow the pattern of Iranian military assistance given to other types of proxy forces in Lebanon, Syria and Yemen.
- The governmental structure in Iran that oversees cyber-related activities is the Supreme Council of Cyberspace, established by Ayatollah Ali Khamenei in March 2012. It consists of representatives from various Iranian intelligence and security services. However, the direct command-and-control structure for engaging in cyber operations remains a mystery, particularly when it comes to cyber proxies. While it could be the responsibility of Iran’s Quds Force, the external wing of the IRGC, the lack of a clear command-and-control system could be intentional. Similar to Iran’s “mosaic defense” military structure, cyber operations appear more decentralized and fluid than other countries with advanced cyber capabilities—Russia and China, for example—complicating the tracking and attribution of attacks.
The Iranian nuclear deal may have had some cyber-deterrent value, in that it reined in Iranian disruptive attacks against the West, but this could be short-lived. Rhetoric from the Trump administration is stoking the fire, including recent statements by U.S. Ambassador to the United Nations Nikki Haley that Iran is violating the nuclear agreement.
- Iran, as a result, is likely to engage in broad-spectrum cyber espionage to alleviate that uncertainty. For example, Operation Cleaver in 2012-14 hit U.S. military targets, as well as systems in critical industries such as energy and utilities, oil and gas, chemicals, airlines and transportation hubs, global telecommunications, healthcare, aerospace, education and the defense industrial base. Earlier this month, reports surfaced of a new Iranian state-sponsored actor—referred to as APT 34—conducting reconnaissance of critical infrastructure in the Middle East.
- While the probing of such essential systems is alarming, it is expected as a contingency plan, should relations with adversaries escalate. The New York Times reported that the U.S. had similar plans – known as Operation Nitro Zeus – to disrupt Iranian critical services should the nuclear negotiations have gone sideways during the Obama administration. It is likely the Trump administration is devising similar contingency plans. Learn more about the contributors here.