An Iranian hacking group called Ajax Security Team is targeting U.S. defense companies in a cyber-espionage campaign that shows the increasing sophistication of hackers in the Persian Gulf nation, according to researchers at FireEye Inc.
The researchers discovered the campaign, and 77 victims, in the course of analyzing malicious code disguised as anti-censorship tools, according to a report released yesterday. Dubbed Operation Saffron Rose by FireEye, the attacks targeted Iranians who use software to evade the country’s Internet filtering technology as well as defense contractors, the researchers found.
To get at defense contractors, Ajax Team set up a fake site, aeroconf2014.org, that looked almost identical to a legitimate site for the 2014 IEEE Aerospace conference, aeroconf.org. They then emailed employees with an invitation to register at the fake site. Once there, users were asked to install special software to log in — software that was in fact a malicious program to allow the hackers into their computers. The researchers linked the fake conference site to the campaign targeting users of anti-censorship tools through a shared Internet address.
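The lure above relies on a domain that reads like the real one. As an added defender-side example that is not part of the article or the FireEye report, the check below flags links whose host resembles a protected domain, using three common heuristics (brand label padded with digits or hyphens, same label under another TLD, and a small edit distance); the URL list and the aeroconf.com entry are constructed for illustration.

```python
import re
from urllib.parse import urlparse

def edit_distance(a, b):
    """Levenshtein distance; catches single-character typos and swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Naively split 'www.aeroconf2014.org' into ('aeroconf2014', 'org'); ignores two-level TLDs."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def lookalike_reasons(candidate, legit):
    """Why `candidate` resembles the protected domain `legit`; [] if unrelated or identical."""
    c_label, c_tld = registrable(candidate)
    l_label, l_tld = registrable(legit)
    if (c_label, c_tld) == (l_label, l_tld):
        return []
    reasons = []
    # aeroconf2014 -> aeroconf: the brand label padded with a year or hyphenated token
    if c_label != l_label and re.sub(r"[0-9-]", "", c_label) == l_label:
        reasons.append("brand label padded with digits/hyphens")
    if c_label == l_label and c_tld != l_tld:
        reasons.append("same label, different TLD")
    if c_label != l_label and edit_distance(c_label, l_label) <= 2:
        reasons.append("within 2 edits of brand label")
    return reasons

def flag_urls(urls, legit_domains):
    """Map every URL whose host resembles (but is not) a protected domain to its reasons."""
    flagged = {}
    for url in urls:
        host = urlparse(url).hostname or ""
        for legit in legit_domains:
            reasons = lookalike_reasons(host, legit)
            if reasons:
                flagged[url] = reasons
    return flagged

# Constructed sample: links as they might be extracted from inbound invitation e-mails.
SAMPLE_URLS = [
    "https://aeroconf.org/register",        # the real conference site
    "http://aeroconf2014.org/login",        # the lookalike named in the report
    "https://www.aeroconf.com/",            # constructed: same label, other TLD
]
```

Running `flag_urls(SAMPLE_URLS, ["aeroconf.org"])` returns the two impostor URLs with their reasons and leaves the real site unflagged.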
Ajax Team dates back to 2009, when it first appeared on popular Iranian hacking forums. At first its activities focused on website defacements and so-called “denial of service” attacks, in which hackers flood a site with traffic to overload it and knock it offline for a period of time, according to FireEye.
The group’s latest campaign shows much greater sophistication than its previous work, according to the researchers. There’s not enough evidence to say that Ajax Team is now working directly for the Iranian government or military — the FireEye report leaves it as probably “state encouraged.”
The group’s new focus suggests an evolution similar to the Chinese hacking community, from patriotic website defacements and the like into more skilled and targeted cyber-spying, with potentially greater consequences in terms of network damage and theft of sensitive information.
“We believe that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term,” the report concludes.
Bottom line: Iranian hackers are becoming more of a threat.