May 14, 2018 • Amanda McKeon
For the past six months or so, researchers in Recorded Future’s Insikt Group have been dissecting the structure of cyber operations groups within the Islamic Republic of Iran. In recent years, that nation has regularly used offensive cyber campaigns in response to sanctions or other provocations. On May 8, 2018, President Trump announced the U.S. will withdraw from the Iran nuclear deal, leading to concerns that Iran is likely to respond with cyberattacks on Western businesses.
Levi Gundert joins us once again to provide context to the situation. He’s one of the authors of a newly published report from Recorded Future, titled, “Iran’s Hacker Hierarchy Exposed.” The report describes a culture of distrust and a tension between the desire for technical capabilities versus religiosity.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello, everyone. Thanks for joining us for episode 56 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
For the past six months or so, researchers in Recorded Future’s Insikt Group have been dissecting the structure of cyber operations groups within the Islamic Republic of Iran. In recent years, that nation has regularly used offensive cyber campaigns in response to sanctions or other provocations. On May 8, 2018, President Trump announced the U.S. will withdraw from the nuclear deal, leading to concerns that Iran is likely to respond with cyberattacks on Western businesses.
Levi Gundert joins us once again to provide context to this situation. He’s one of the authors of a newly published report from Recorded Future, titled “Iran’s Hacker Hierarchy Exposed.”
A program note: We recorded this segment just a few days before President Trump’s decision on the Iran nuclear deal was announced. Stay with us.
We’ve been doing research on Iran and the cyber domain for the last six months or so, and obviously, this decision point with President Trump and whether he will stay in the Iran nuclear deal or exit has pretty serious implications for Western businesses. And so, the research is talking a little bit about the structure of how Iran cyber operations work internally, and also talking about some of the proxies, some of the contractors that get used in offensive cyber operations, and why — depending on how this goes, if Trump decides to exit the nuclear deal — why Western businesses and American businesses, specifically, should probably be very mindful of offensive campaigns coming out of Iran in the near future.
We’ve seen that historically, there’s a pattern. In 2012, after the Obama administration sanctioned Iran and actually cut off funding from the SWIFT payment network, there were reprisals that happened relatively quickly in the form of denial-of-service attacks against over 40 financial services companies, and they were pretty large denial-of-service attacks at the time. And then, if you fast-forward a couple of years to 2013, at the end of 2013, Sheldon Adelson had made some remarks that were very derogatory about Iran. They subsequently attacked the Sands Corporation with a wiper attack, attempting to destroy data in the network for Sands.
And so, those sort of attacks were very different, but they were sort of knee-jerk responses to something that occurred that affected Iran on a … I guess you’d say, on a geopolitical level. And that’s very different from some of the APT 33, 34, 35 type of attacks which are much more methodical, use different types of malware, and have sort of long-term intelligence objectives. And so, we kind of dissect the differences there and why American businesses in particular should be very wary if Trump does decide to exit this nuclear agreement.
So, I think there’s a lot of table-setting that we need to do here. There’s a lot of history when it comes to Iran and how they deal with their cyber capabilities, the people that they work with, and some of the background there. Can you take us through how we got to the point where we are today?
Sure. So, it is very interesting because I think Iran operates in a different space from any other country that has offensive cyber operations in an organized way. And obviously, there are many countries bringing those online. But Iran has serious capabilities, and they may not be as sophisticated as Russia or China, or the United States, for that matter. But they’re certainly very capable.
And what’s interesting about Iran is, obviously, in 1979, you have the Persian monarchy and the Shah are removed from power, and that power then moves into a theocracy. And what’s interesting about that is, Iran generally sort of operates in this space where there’s not a lot of trust, and there’s a sort of deep-seated paranoia. I think that after what we saw in 2005 through 2010, with Stuxnet and the damage that it did internally to the Iranian nuclear program and the assassination of some of their scientists internally, within Iran, I think that has just bred a lot of deep-seated mistrust all the way around.
And so, it’s interesting because we interviewed an Iranian hacker that was in Iran and he obviously knows a lot of folks in Iran, and he ran a security forum. So, a lot of the information he provided was very illuminative in terms of how things work in Iran and this deep-seated paranoia.
And so, when it comes to cyber operations, specifically in that domain, what they tend to do is really segment out tasking. So, there will be one group that’s tasked with writing an exploit, and there’s another group tasked with actually using that exploit to gain persistence in an adversary’s network. But what’s interesting is that they sort of use a contractor system where the contractors only get paid after they perform the work successfully.
There’s this sort of tension, or trade-off, between contractors, whether they be individuals or groups of individuals. Do they sort of toe the line in terms of the religious philosophy and the ideology within Iran, or do they just sort of do enough to get the job as a contractor? Because most of the folks in Iran — according to our source — that have real skill sets in terms of offensive cyber capabilities, are the younger generation. And the younger generation tends to be much more motivated by financial paydays. They’re not as motivated by the ideology of the country and the regime.
And so, there’s sort of this tension between, “Do we hire and use contractors that we know don’t really care about our ideology? Do we just hire the best, regardless?” And so, what we’ve been told by our source is that in Iran, the ideology comes first. But what’s interesting is that sometimes, when you want to send a message — in the case of Operation Ababil, which happened in 2012 in response to sanctions, or in the case of the Sands Corporation — sometimes the government, or the IRGC, may make the decision to use contractors who are the most able and best equipped to perform an attack, even if they’re not necessarily the most ideologically aligned with the Iranian government.
I think that’s what kind of makes Iran very special, in that, if you look at other countries, they don’t have the religious component in government, and their issues around trust and traitors have less to do with religion and ideology. And so, I think that’s what kind of makes Iran a unique case study.
One of the things that you pointed out in this research is that because of that tension, you kind of end up with a middle-management layer of folks who are in-between the technical people and the government folks, who can sort of play both sides of that. Is that a good way to describe it?
Yeah, that’s a good synopsis of it. So, again, our sources said that within Iran, there are folks … There is a middle-management layer, or tier, that is very trusted because they do adhere to the religious tenets within Iran. There’s a core trust in that group, and it’s uncertain. There’s not a lot of transparency into which individuals or groups, specifically, the Iranian government is tasking.
But tasks are being pushed into that middle tier, that middle layer. And then, from there, they’re responsible for prioritizing and segmenting different tasks and deliverables for the larger mission, and really segmenting, as granularly as possible, to many different contractors so that no one has the whole picture, and really understanding who the best contractors are for each piece of the tasking.
Another thing that you point out is, there’s this sort of ongoing threat of not being paid, that there could be physical punishment as well.
Yeah, absolutely. And that’s what’s interesting. According to our source, what happened during the Green Revolution in 2009 is that there were a lot of these forums that were operating in Iran, and they had different purposes. But with the Green Movement, when there were more attacks against the Iranian government and some of their information, assets, and websites, they essentially issued an edict that they were all to be shut down. A lot of those individuals who were running these forums were imprisoned, and allegedly, some of them were tortured, and many of them ended up working for the Iranian government, subsequently.
But I think that that is a good point — there’s always this mistrust that pervades everything, and just because you’re a contractor that is in good graces with the Iranian government today, doesn’t mean that tomorrow, you’re going to be above suspicion. That could potentially lead to imprisonment and/or torture in Iran.
And so, it’s a very tenuous balance for the folks that have the skills, those that are being paid very well as contractors when they deliver, because I think, again, that mistrust, that paranoia, pervades everything. There’s always the potential that you could be viewed as a traitor that is giving away information to the wrong parties outside of Iran.
So, can you take us through and describe to us, within Iran, what is the cyber ecosystem?
Well, again, we talked a little bit about it in terms of the layers of the structure, of how tasking happens. And we’ve actually seen … There’s very loose associations, and one of the interesting things is that two of the more prominent forums, historically, were Ashiyane and Simorgh. And Ashiyane was, really, the primary hacking forum, or security forum, that survived the Green Party Movement in 2009.
And so, there are very loose associations that are made in terms of those that are forum members who comprise some of the talent, that work for contractors in Iran and carry out some of these offensive cyber campaigns. And in one particular case — we can’t verify it, but our source says that there is one specific individual who is an interesting data point — Hassan Azhari, who was the self-proclaimed Iranian hacker that actually managed and ran Simorgh. That was his forum, and his father was actually employed by the IRGC.
So, there’s sort of loose and tenuous connections between the forums, the contractors, and the Iranian government, but what’s clear is that we’ve certainly seen, over the last decade, many of the Iranian contractors outed. So, ITSec team, Mersad Company. There’s many more that have been outed. There’s Mabna Institute, there’s the Nasser Institute. The FBI has indicted a number of different individuals that have been charged with theft of scientific intellectual property from universities, or been charged in other types of offensive cyber campaigns, like Operation Ababil.
We know, publicly, a lot of these contractors, and we know that this is how they operate. So, the links to hackers within Iranian forums and contractors is a little bit looser, but we also know that there’s only so many people to pull from, in terms of who comprises these contracting groups.
Yeah, and that was my next question. If you have this regime where paranoia is strong, how do you then home-grow people with the skills that you need to be able to do the things you want to do?
Yeah, that’s a great question. I think a lot of this, historically, has been knowledge sharing, and that’s how it started in the beginning. But knowledge sharing among peers only takes you so far. There’s obviously a lot of ways that you can self-educate using the internet as the most critical resource.
But one of the interesting things that our source told us is that there are educational classes on offensive techniques that occur in Turkey, or occur in the United Arab Emirates. It’s not always straightforward … It’s not always obvious that the students are all from Iran. And so, you have some companies from Europe that actually show up and put on classes and training for groups of people, specifically in offensive trade craft.
What do you suppose the range of capabilities are? What should people be worried about?
Well, I think what we’ve seen, historically, is that they’re very capable of launching denial-of-service attacks, they’re very capable of spear phishing campaigns that are well-constructed, and they are capable of developing malicious code sets, specifically, what we’d call “wiper malware.” I think, in the case of the Sands attack in 2014, what we saw was a very swift response that was actually very, very capable. So, they gained access to the Sands network from a satellite location, worked their way back to the main network, and started a destructive attack.
That was 2014, and they have really invested in and developed capabilities since right around 2009, 2010. I think that development continues to accelerate. If you look at the other groups, like APT 33, 34, 35, and what they’ve been involved with and where they’ve been successful — targeting military contractors, targeting Saudi Arabia — there’s a lot of capabilities there. And I think that Western businesses and American businesses, in particular — probably Israeli businesses — should really be careful to follow geopolitical developments, especially with Iran, because they do have this history of retaliating very quickly.
Given what we know about the types of attacks that they implement, what are your recommendations for people to proactively protect themselves?
Well, again, it’s hard. A lot of this is the basic sanitation that we always talk about, Dave. A lot of this is knowing your network better than your adversary, which is an easy thing to say, but actually, it’s a really difficult thing to do — really understanding the ins and outs of your own network.
Again, most of the attacks, historically, have started with some sort of phishing campaign. There’s obviously all kinds of security controls that you can implement around phishing. Making sure that you’re not just looking at what’s making it through your spam and your phishing filters, but looking at what’s not making it through, and doing some analysis there can be very helpful from a threat intelligence perspective.
And then, on the denial-of-service side, making sure that you have a gameplan in place, and if you are subjected to a very well-crafted denial-of-service attack, that you have thought through how you’re going to mitigate that, whether it be at your border routers, or do you have a third-party service in place that can handle and saturate some of those packets? Do you have the relationships with the organizations that you are peers with, in case you need their help in blocking some of those packets?
So, I think a lot of it is just the basic hygiene that we all kind of struggle with, especially when you talk about at the enterprise level.
Our thanks to Levi Gundert for once again joining us.
You can read the full report, “Iran’s Hacker Hierarchy Exposed.” That’s on the Recorded Future website. It’s in their blog section.
If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.