Iranian cyberespionage operations are continuing at a steady pace, but so far no reaction has been spotted in response to the January U.S. drone strike that killed Iranian Gen. Qasem Soleimani.
Almost two months has passed since the Jan. 2, 2020 attack, Secureworks is only noting the continuation of previously implemented espionage operations from Iran/ These are primarily targeting governmental organizations in Turkey, Jordan, Iraq along with intergovernmental and other agencies in Georgia and Azerbaijan.
“Most of
this activity commenced prior to the U.S. drone strike. Victimology and code
similarity between the macros in the analyzed samples and macros documented in
open-source reporting suggest that these campaigns were conducted by the COBALT
ULSTER threat group (also known as MuddyWater, Seedworm, TEMP.Zagros, and
Static Kitten), which is tasked by the Iranian government,” Secureworks reported.
That does
not mean a cyberattack is not forthcoming. Secureworks noted that setting up a
major online effort requires time and Iran is known for using its cyber
capabilities to counterstrike its oppenents.
“In some
cases, these responses materialized several months after provocations toward
Iran occurred. However, Iran’s cyberespionage operations continue,” Secureworks
said.
Iran did
quickly resort to a military strike launching a missile attack that struck
several U.S. bases in Iraq in response to Soleimani’s killing.
With the operations currently underway attackers are using multiple rounds spearphishing attacks to gain entrance to the targeted systems. In some cases studied by researchers the emails contained links to malicious websites that allow the hacking groups to track their targets. In other attacks the email had a malicious spreadsheet attached that was socially engineered to match the subject line of the email to encourage the recipient to click.
Opening and enabling the attachment launches the embedded malicious VBScript which disables the machine’s security controls.
Several payloads
are then downloaded from an IP address hard-coded in the script.
Another
attack viewed by Secureworks saw the attackers again using a spearphishing
attack, but this time the malicious code was hidden inside an attached zip file
storing a malicious Excel file that required the victim to activate a macro. In
this case a new a previously unobserved RAT Securework’s researchers refer to
as ForeLord is dropped and executed.
