Iranian hackers compromised former IDF chief’s computer

According to Israel’s Channel 10 Iranian hackers succeeded in gaining access last year to the computer database of a retired Israeli army chief of staff.

Many reports published by security firms warn of the increasing threat represented by Iranian hackers. US and Israeli organizations represent a privileged target for these hackers, last year they used stolen private pictures of IDF’s women soldiers to breach Israeli military server.

According to a report published by the Israel’s Channel 10, hundreds of Israel’s current and former top security officials have been targeted by Iranian hackers.

The report reveals that Iranian hackers compromised computers of 1800 key figures worldwide, most of them from Israel including a former Israeli Army chief-of-staff.

The report speculated the involvement of the hackers belonging to the Iran’s Revolutionary Guards. Experts at the Israeli security firm Check Point Software Technologies promptly identified and blocked the attacks.

The  Israeli experts also identified one of the Iranian hackers, Yasser Balachi, that accidentally displayed his email ID. Check Point’s head of security services Ron Davidson, confirmed that the man is a member of an organized group.

“Balachi said that he had not operated on his own initiative but for another cyber organization that commissioned the work,” said Ron Davidson.

Yet it is unclear even now what was the actual extent of the damage and what kind of information did they steal.

It is not clear which is the impact of the attack and which information was exposed.

Iranian hackers are becoming even more aggressive, in November computers at the US State Department and other government employees were targeted by them. The experts linked the attackers with the Iranian Revolutionary Guard, according to investigators the Facebook and e-mail accounts of US State Department officials focused on Iran were compromised to gather data about US-Iranian dual citizens in Iran and about the arrest of an Iranian-American businessman in Tehran in October.

The hackers have taken over social media accounts of junior State Department staff to launch a spear phishing campaign on the employees working in the State Department’s Office of Iranian Affairs and Bureau of Near Eastern Affairs and in the computers of some journalists.

Check Point experts confirmed that the Iranian hackers launched spear phishing attacks against their targets with the intent to infect them with spyware.

In December, a report published by Symantec revealed that Iranian hackers have been using malware to track individuals, including Iranian activists and dissidents.

The researchers identified two groups of Iran-based hackers, dubbed Cadelle and Chafer, which were distributing data stealer malware since at least mid-2014. The experts uncovered the command-and-control servers explaining that registration details indicate the Iranian hackers may have been operating since 2011.

There are a number of indicators that suggest both groups are based in Iran, the Cadelle and Chafer teams are most active during the day time within Iran’s time zone and primarily operate during Iran’s business week (Saturday through Thursday).

In June, experts at Clear Sky spotted a number of cyber-attacks launched from the Iran and targeting Israeli organizations and other entities in the Middle East.

Security experts at ClearSky uncovered a cyber espionage campaign dubbed Thamar Reservoir due to the name of its target Thamar E. Gindin. The investigation led the experts to date the Thamar Reservoir campaign back to 2011, threat actors adopted several attack techniques finalized to the espionage.

The majority of the victims of the Thamar Reservoir campaign was located in the Middle East (550) and belong to Middle East and Iranian diplomacy entities, defense and security industries, journalists and human rights organizations.

Who is behind the Thamar Reservoir campaign?

According to the researchers at ClearSky, the evidence collected suggest the involvement of Iranian hackers. The experts noticed several similarities with other attacks in the same geographic area such as:

• Attacks conducted using the Gholee malware, which we discovered.
• Attacks reported by Trend Micro in Operation Woolen-Goldfish.
• Attacks conducted by the Ajax Security Team as documented by FireEye.
• Attacks seen during Newscaster as documented by iSight.

No doubts, Iranian hackers will continue to launch cyber espionage campaigns likely with most advanced malware.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  cyber espionage, Iranian hackers)

[adrotate banner=”5″]

[adrotate banner=”13″]