Hackers in Iran are going with the flow of technological innovation as they themselves have advanced and evolved their capabilities and objectives, based on a recent report by security firm FireEye.
FireEye has revealed the brief findings of the report dubbed as Operation Saffron Rose in a blog post on May 13.
"We believe we're seeing an evolution and development in Iranian-based cyber activity," the company says in its full report [pdf].
If in the past years Iranian hackers were largely dedicated to defacing websites and administering DDoS attacks for political reasons, suspected Iranian hackers are said to have used Shamoon virus to destroy data from thousands of computers and have penetrated as well the Navy Marine Corps Intranet (NMCI) used worldwide by US Navy, the Saffron report reveals.
The FireEye report primary records and identifies the activities of Ajax Security Team, an Iran-based hacking group that targets both the US defense organizations and similarly those Iran-based companies using anti-censorship tools that avoid Internet censorship regulations in Iran.
A recent case was Ajax's effort to send emails and social media messages to participants of the IEEE Aerospace Conference, which in turn directed them to a bogus website dubbed as aerconf2014.org that was infected with a malicious software.
FireEye's report discloses that Ajax has its origins in famous hacker forums in Iran such as Shabgard and Ashiyane. Since 2010, the group has been involved in defacing websites, but of late has moved to espionage through the use of malware. They are believed to use a methodology that is coherent with other progressive threats found in the region.
The Saffron Rose report states that it remains unclear if Ajax Security Team is a part of a bigger coordinated effort or is operating in isolation. FireEye says it has not observed any use of exploits to infect victims, though the group used exploit code in the past to administer website defacement activities.
Ajax group is also said to use malware tools that are not available in public, for instance is one called "Stealer" that collects data from compromised computers, records keystrokes, grabs screen captures and steals data from email accounts and web browsers.
"We have witnessed not only growing activity on the part of Iranian-based threat actors, but also a transition to cyber-espionage tactics. We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets' machines for longer-term initiatives," Nart Villeneuve, FireEye's senior threat intelligence researcher, says in a statement.
FireEye states that the objectives of Ajax team are apparently consistent with the efforts of Iranian government to control political opposition and to expand its offensive cyber capabilities, without discounting the possibility that it may be engaging in traditional crime as well.
"The increased politicization of the Ajax Security Team, and the transition from nuisance defacements to operations against internal dissidents and foreign targets, coincides with moves by Iran aimed at increasing offensive cyber capabilities," the report says.
Nevertheless, the FireEye's Operation Saffron Rose report emphasizes that it remains unknown if there's any possible link between Ajax Security Team and Iranian government, even if the activities of both actors seem to align with each other. Similarly unclear are the further capabilities of Ajax, though the security confirms that the group's current activities are somehow successful. If Ajax continues with the existing pace of its operations, FireEye assesses that the former's capabilities will improve in the mid-term.
