Ajax Security Team lead Iran-based hacking groups

FireEye published a report titled “Operation Saffron Rose” to document the activities of the Iranian hacking group named Ajax Security Team

According to a recent report titled “Operation Saffron Rose” published by cybersecurity company FireEye, a group called the Ajax Security Team is the principal Iranian hacking group, it is responsible for different espionage campaigns on custom-built malicious software.

“This group, which has its roots in popular Iranian hacker forums such as Ashiyane and Shabgard, has engaged in website defacements since 2010. However, by 2014, this group had transitioned to malware-based espionage, using a methodology consistent with other advanced persistent threats in this region.

It is unclear if the Ajax Security Team operates in isolation or if they are a part of a larger coordinated effort. We have observed this group leverage varied social engineering tactics as a means to lure their targets into infecting themselves with malware. ” states the FireEye Blog post.

The Iranian hacking groups are considered by US a very aggressive threat, they conducted numerous cyber attacks, sabotage and cyber espionage are their principal activities according experts at FireEye.

In one of the recent attacks, the hackers of the Ajax Security Team infected computers of U.S. with spear phishing attacks, the malicious links to an infected bogus website  (aeroconf2014.org) were sent by the attackers via email or social media messages.

According to FireEye the Ajax Security Team has deployed a malware, dubbed “Stealer”, which has the classic features of spyware software, it is able to syphon data, record keystrokes and grab screen shots.

Once collected, the information is encrypted and temporarily stored it on the victim’s machine, later it is sent by Stealer to the C&C server.

The Iranian team known as Ajax Security Team has targeted  U.S. defense companies and also Iranians entities who are trying to elude Government Internet censorship.

Experts at FireEye have collected evidence that Ajax Security Team was also involved in credit card fraud, which suggests the groups of hackers is not directly controlled by the Iranian Government.

It is not the first time that Iranian cyber capabilities are analyzed by western security experts, a study titled “Iran: How a Third Tier Cyber Power Can Still Threaten the United States” published on August 2013 by the Atlantic Council, a NATO organization based in Washington, highlighted that a Iran has sufficient cyber capabilities to attack the US. Security experts are convinced that Iranian state-sponsored hackers are behind a series of DDoS attacks against U.S. banks over the past few years.

“I’ve grown to fear a nation state that would never go toe-to-toe with us in conventional combat that now suddenly finds they can arrest our attention with cyber attacks,” Michael Hayden, former director of the CIA and the National Security Agency, told the Reuters Cybersecurity Summit on Monday.

After the discovery of Stuxnet malware, the number of cyber attacks originated from Iran is increasing rapidly, also cyber capabilities of Iranian hackers have been improved in a significant way.

Who is behind the Ajax Security Team?

According FireEye, the team is composed by hackers known as “HUrr!c4nE!” and “Cair3x,” which were known in the hacking community for defacing websites.

“This is a good example of a phenomenon that we are going to increasingly see with hacker groups in Iran. If their objective is to attack enemies of the revolution and further the government’s objectives, then engaging in cyber espionage is going to have more impact than website defacements,” declared Nart Villeneuve.

FireEye hasn’t provided the name the companies victims of the attacks, but revealed that it is not possible at the time I’m writing to determine what data might have been stolen.

Pierluigi Paganini

(Security Affairs –  Ajax Security Team, cyber espionage, Iran)