Iranian advanced persistent threat (APT) groups have been known to be active throughout the world, but a recent discovery by ClearSky Cyber Security (with support from Dragos) indicates that their reach and ability may have been underestimated. ClearSky researchers uncovered a cyber espionage scheme called Fox Kitten that dates back to 2017, which has seen Iranian hackers quietly gain a persistent foothold in both government and private sector organizations throughout the world. The scheme primarily made use of unpatched VPN vulnerabilities as a point of entrance, and appears to have largely gone undetected until now.
Iran’s ongoing cyber espionage scheme
The Iranian cyber espionage campaign focused on organizations in Israel, but also penetrated targets in at least 10 other countries including the United States and Australia. The attackers gained footholds in IT companies, utility providers, defense contractors, petroleum companies and companies in the aviation industry.
The primary purpose of the campaign was to spy and steal information over an extended period of time. However, the Iranian hackers also left attack infrastructure in place to quickly and effectively distribute damaging malware.
The security researchers at ClearSky named APT33 (Elfin), APT34 (OilRig) and APT39 (Chafer) as the participants. According to FireEye research, APT33 is a more subtle group focused on cyber espionage, mostly going after aviation and petrochemical targets in the US, South Korea and Saudi Arabia. APT34’s activities overlap to a great degree with APT33, but the group is more focused specifically on the Middle East and is infamous for using fake LinkedIn profiles and invitations to pass malware. APT39 is a group that focuses on theft of personal information and casts a broad global net with a focus on telecoms and the travel industry. All of these groups are thought to be based in Iran and state-sponsored.
The groups are also known for taking advantage of new VPN vulnerabilities. The groups do not appear to be developing their own 0-day vulnerabilities so much as they are very quickly deploying “1-day” attacks once new vulnerabilities appear, trying to beat targets to the punch before they can patch them out. ClearSky researchers estimate that the groups begin exploiting new VPN vulnerabilities within as little as a few hours after they become known to the public. After they have compromised a network, these groups appear to be particularly good at covering their tracks and keeping their presence a secret as they exfiltrate information. Once inside they heavily make use of open source tools, such as Invoke the Hash.
The recent wave of VPN vulnerabilities
The Iranian cyber espionage campaign has been exploiting a trend of enterprise VPN vulnerabilities dating back to early 2019, when security researchers found similar flaws in several corporate VPN services and presented their findings at DefCon.
These VPNs – from providers such as Fortinet, Palo Alto Networks and Pulse Secure – are commonly used to allow remote-working employees to access the corporate network through an encrypted connection. VPN vulnerabilities are usually patched fairly quickly after being disclosed, but the Iranian hackers have proven to be unusually adept at exploiting them within these limited windows.
The issue with VPNs is that they are sold as an enhanced security product, and that can lead some organizations and users to view them as infallible. The rash of VPN vulnerabilities in the past year has not been due to problems with the way they encrypt things; it’s the way in which they authenticate users, something that can be addressed with added security measures at the user end.
The threat from Iran
Iran is as active as any world government in the cyber realm. The bulk of the country’s focus is on rivals in the Middle East, but it takes advantage of cyber espionage opportunities throughout the world.
While speculation about a full-on retaliatory cyberwar against the United States earlier in the year failed to turn into anything serious, Iran has stepped up their activity against the West in recent weeks. In addition to exploiting VPN vulnerabilities, APT33 has been implicated in password-spraying attacks directed at the US utility grid and petrochemical companies in the country.
Though it does not appear that the APT33 attacks against the US resulted in any breaches, it is another case in which the hackers are believed to have received support from other state-backed actors in Iran. This is unprecedented, as to this point the Iranian APT groups have only been known to act independently of each other.
Iran’s hackers are seen as a substantial threat, but not quite on the same level as the top-tier squads working out of Russia and North Korea. There may be a need to take them more seriously if they are pooling their resources and coordinating their efforts at the behest of the Iranian government, particularly when any new VPN flaw is found.
The recent Iranian cyber espionage also shows a trend toward increased target organizations in the energy sector around the world. Given that the country’s APT teams have a penchant for deploying damaging “data wiper” malware used to destroy files, and given that the attack infrastructure found in the Fox Kitten campaign was designed to deploy exactly this sort of thing, this could indicate that Iran is shifting to a more aggressive cyber posture.
While the public reveal of the cyber espionage campaign will likely at least slow the Iranian APT groups down somewhat, it should be expected that they will continue to pounce on new opportunities. Security analysts are anticipating that the VPN vulnerabilities discovered in SonicWall’s SRA and SMA products earlier this month are likely to be put into use by this confederation if they have not done so already.