search

Iran suspected behind cyberattack on Mideast aerospace, telecom firms

Cybereason firm says MalKamak group used Dropbox to issue commands to its Trojan; findings show similarities to previous known Iran-backed hacks

Illustrative: A cybersecurity expert stands in front of a map of Iran as he speaks to journalists about the techniques of Iranian hacking, on September 20, 2017, in Dubai, United Arab Emirates. (AP/Kamran Jebreili)
Illustrative: A cybersecurity expert stands in front of a map of Iran as he speaks to journalists about the techniques of Iranian hacking, on September 20, 2017, in Dubai, United Arab Emirates. (AP/Kamran Jebreili)

Security researchers on Wednesday published a report tying cyberattacks on a number of aerospace and telecommunications companies, mainly in the Middle East, to Iranian state-sponsored groups.

MalKamak, a cyberespionage group believed to be tied to other known Iranian government-sponsored groups such as Chafer APT (also known as APT39 or Remix Kitten), was responsible for the recent hack attack, US-Israeli cybersecurity firm Cybereason reported.

The company did not name specific victims, but said they mainly included a “select few” companies in the Middle East, with others in the US, Europe and Russia. Though Israel was not mentioned, Israel’s Channel 12 news reported that Israeli companies were among the list of targets in the Middle East, without providing a source or details.

According to Cybereason, the end goal of the hack was the theft of information about their infrastructure, technology, and critical assets.

The Iranian group used a remote access Trojan called ShellClient, which had been in use since at least 2018, to obtain information from the companies. Cybereason said the threat was still active as of September.

The Trojan itself is controlled via the Dropbox file-sharing platform, which apparently made it difficult to detect.

Dropbox is a web-based file hosting service. (sematadesign/iStock Photo by Getty Images)

Commands are sent to the Trojan, which is disguised as a legitimate Microsoft program, to first set it up and identify system information and what antivirus software is installed.

Then, still using Dropbox, the hackers send another set of commands to change the Trojan into a persistent program on the victim’s computer, with administrator privileges.

Cybereason said its team compared its observations with previous campaigns that were attributed to known Iranian actors, “and was able to point out some interesting similarities between ShellClient and previously reported Iranian malware and threat actors.”

Numerous suspected Iranian cyberattacks on Israel were reported in recent years, including one that targeted its water infrastructure in 2020.

Israel and Iran have been engaged in a years-long shadow war, with Israel allegedly directing most of its efforts – including multiple suspected cyberattacks — at sabotaging the Islamic Republic’s nuclear program.

read more:
comments
Never miss breaking news on Israel
Get notifications to stay updated
You're subscribed