The growing tension between the United States and Iran has spilled into cyberspace, and the tech world has become the new frontier of conflict between the two countries since the United States reportedly carried out a cyberattack against Iran's missile launching systems a month ago.
So far, Iran has made no counterattack against the United States, partly because Iran knows that attacking U.S. tech infrastructure is hard and perilous. Iran reportedly said that a cyberattack against the U.S. "might be akin to throwing rocks at a tank," and taking on the core infrastructure of the global superpower may be something the smaller Middle Eastern nation cannot carry out.
But Iran's counterattack does not have to target the Pentagon; it can shift its focus to U.S. corporate tech infrastructure and achieve a similar effect. In fact, it might have just done so.
Recent research by the cybersecurity firm FireEye has flagged a suspected campaign by Iranian threat actors that uses LinkedIn to reach business and political targets, with the aim, in the researchers' words, to "fill this gap by conducting espionage against decision-makers and key organizations that may have information that furthers Iran's economic and national security goals."
FireEye details that the new wave of attacks works by "masquerading as a member of Cambridge University to gain victims' trust to open malicious documents," and that the attackers are using LinkedIn to deliver those documents.
“With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns,” the researchers said.
Additionally, the researchers found three new malware families used by APT34, an Iran-linked threat group. In the course of stopping the attempted intrusion, FireEye also observed the reemergence of PICKPOCKET, a malware tool it had only ever seen used by APT34. The new malware shows APT34 continuing to rely on its PowerShell development capabilities while also trying its hand at Golang.
"APT34 is an Iran-nexus cluster of cyber espionage activity that has been active since at least 2014. They use a mix of public and non-public tools to collect strategic information that would benefit nation-state interests pertaining to geopolitical and economic needs. APT34 aligns with elements of activity reported as OilRig and Greenbug, by various security researchers," the researchers explain.
The attackers are said to target three sectors: Energy and Utilities; Government; and Oil and Gas. That target set fits the reading of this campaign as an Iranian response to the U.S. operation: it goes after U.S. decision-makers in industries whose compromise could affect the country's economy.
As mentioned earlier, the attackers pose as Cambridge University staff and send targets malicious Microsoft Excel files that carry the malware described above. When the researchers contacted the affected company's security team, the team confirmed that the Excel file had arrived via a LinkedIn message.
The LinkedIn message was purportedly sent by one "Rebecca Watts," described as "Research Staff at University of Cambridge," who asked for resumes on the pretext that her organization had job openings to offer.
Researchers noted that this is not the first time they have seen the job-opportunity ruse used in a cyber attack. "These conversations often take place on social media platforms, which can be an effective delivery mechanism if a targeted organization is focusing heavily on e-mail defenses to prevent intrusions," they said.
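When the lure arrives over LinkedIn rather than e-mail, the mail gateway never sees the attachment, so the control that still has a chance is on the endpoint: a document opened in Excel should not normally launch a script interpreter. The following is an added example written for this article, not FireEye's code or anything from the report, that applies that rule to constructed process-creation records shaped like Windows Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). The paths, command lines and the encoded-command string are invented for the example, and the list of Office parents and interpreter children is the author's assumption about what a weaponised document typically spawns.

```python
"""Added example: flag Office applications spawning script interpreters.

Illustrative detection logic written for this article, not FireEye code.
The event records below are constructed to resemble Sysmon Event ID 1
(process creation) fields; paths and command lines are invented.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Office hosts that would open an attacker's document (assumed set).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters a weaponised document commonly launches (assumed set).
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line features that raise the severity of a hit.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(?:e|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile"),
    (re.compile(r"\b(?:downloadstring|downloadfile|iex|invoke-expression|"
                r"frombase64string)\b", re.I), "download/eval primitive"),
]


@dataclass
class Alert:
    event_id: str
    parent: str
    child: str
    severity: str
    reasons: List[str]


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> Optional[Alert]:
    """Return an Alert if an Office process spawned a script interpreter."""
    parent = _basename(ev["ParentImage"])
    child = _basename(ev["Image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
        return None
    reasons = [f"{parent} spawned {child}"]
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(ev.get("CommandLine", "")):
            reasons.append(label)
    # The parent/child pair alone is worth a look; obfuscation flags make it high.
    severity = "high" if len(reasons) > 1 else "medium"
    return Alert(ev["EventId"], parent, child, severity, reasons)


def detect_office_spawn(events) -> List[Alert]:
    """Run score_event over a sequence of process-creation records."""
    return [a for a in map(score_event, events) if a is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventId": "1",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventId": "2",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"EventId": "3",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hi"},
    {"EventId": "4",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for alert in detect_office_spawn(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the block flags event 1 (Excel launching a hidden, encoded PowerShell command) as high and event 3 (Word launching cmd.exe) as medium, while leaving the administrator's script under explorer.exe and Excel's legitimate print helper untouched. The parent/child rule is the part that survives changes in the lure; the command-line flags only adjust priority, since an attacker can drop them.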
The attackers employed "tried-and-true techniques to breach targeted organizations." With the help of FireEye and the company's security team, the attempted intrusion was stopped; however, the researchers said there is a high likelihood that the threat actors will not end their phishing campaigns here.
"We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired. For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security," added the security researchers from FireEye.