An Israeli cybersecurity company details how Iranian actors are running an operation to steal information from targets around Israel. By Zev Stub, October 6, 2021, Jerusalem Post
Iranian threat actors are running a highly-targeted cyber-espionage operation against global aerospace and telecommunications companies, stealing sensitive information from targets around Israel and the Middle East, as well as in the United States, Russia, and Europe, according to a report published Wednesday by Israeli cybersecurity company Cybereason.
Cybereason identified the previously unknown state actor, which it dubbed MalKamak, and the new malware it runs during an incident response engagement for one of its clients, said Assaf Dahan, head of the cyber threat research group at Cybereason.
The campaign has been running since at least 2018, and has likely succeeded in gathering large amounts of data from carefully chosen targets, Dahan said.
“The investigation began after Cybereason’s Incident Response Research Team was called in to assist one of the attacked companies,” Dahan said. “During the incident and after installing our technology on the organization’s computers, we identified sophisticated and new damage that has yet to be seen or documented. Deep investigative work found that this is just one part of an entire Iranian intelligence campaign that has been conducted in secret and under the radar for the past three years. From the few traces left behind by the attackers, it is clear that they acted carefully and selected their victims thoroughly. This is a sophisticated Iranian attacker who acted professionally according to a considered and calculated strategy. The potential risk inherent in such an assault campaign is large and significant for the State of Israel and may pose a real threat.”
“This was a very sophisticated operation that has all the hallmarks of a state-sponsored attack,” Dahan said. “While other Iranian groups are involved with more destructive acts, this one is focused on gathering information. The fact that they were able to stay under the radar for three years shows their level of sophistication. We assess that they have been able to exfiltrate large amounts of data over the years: gigabytes, or even terabytes. We don’t know how many victims there were before 2018.”
Cybereason said it had notified affected organizations and the relevant security officials of the attack, but that the extent of the actual damage has not yet been determined.
The campaign relies on a previously undocumented Remote Access Trojan (RAT) dubbed ShellClient, the report said. Its authors invested considerable effort in stealth: the code uses multiple obfuscation techniques to evade antivirus and other security tools, and the most recent version replaces the group's own server infrastructure with a Dropbox client for command and control (C2), so that C2 traffic blends in with legitimate use of the public cloud service and is hard to distinguish from it.
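The article gives no indicators for ShellClient itself, but the pattern it describes (a process that is neither a browser nor the Dropbox client polling the Dropbox API on a fixed schedule) is something a SOC can hunt for in endpoint network telemetry. The script below is an added example written for this page, not code from the article or from Cybereason's report. The Dropbox hostnames are the real public Dropbox API endpoints; the pipe-delimited telemetry lines, the process allowlist, the suspicious `update.exe` path and the thresholds are constructed assumptions and must be tuned to the environment being hunted.

```python
"""Hunt for Dropbox-API abuse as C2 in process network telemetry (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Public Dropbox API hostnames. A RAT using Dropbox as a dead-drop C2 has to reach these.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "notify.dropboxapi.com"}

# Processes expected to talk to Dropbox on a managed endpoint. Assumption: tune per environment.
EXPECTED_DROPBOX_PROCESSES = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed telemetry, shaped like Sysmon Event ID 3 / EDR network events.
# Format: timestamp|host|process_image|pid|destination_host|destination_port
SAMPLE_EVENTS = """\
2021-09-01T10:00:00|WS-0142|C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe|4120|notify.dropboxapi.com|443
2021-09-01T10:00:03|WS-0142|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe|1108|content.dropboxapi.com|443
2021-09-01T10:05:03|WS-0142|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe|1108|content.dropboxapi.com|443
2021-09-01T10:07:41|WS-0142|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|5532|api.dropboxapi.com|443
2021-09-01T10:09:12|WS-0142|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe|1108|ctldl.windowsupdate.com|80
2021-09-01T10:10:04|WS-0142|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe|1108|content.dropboxapi.com|443
2021-09-01T10:15:03|WS-0142|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe|1108|content.dropboxapi.com|443
2021-09-01T10:20:04|WS-0142|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe|1108|api.dropboxapi.com|443
"""


def parse_events(text):
    """Parse the pipe-delimited telemetry into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, pid, dest, port = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "image": image,
            "name": image.rsplit("\\", 1)[-1].lower(),  # basename, e.g. "update.exe"
            "pid": int(pid),
            "dest": dest.lower(),
            "port": int(port),
        })
    return events


def unexpected_dropbox_connections(events):
    """Rule 1: any process outside the allowlist reaching the Dropbox API deserves a look."""
    hits = set()
    for e in events:
        if e["dest"] in DROPBOX_API_HOSTS and e["name"] not in EXPECTED_DROPBOX_PROCESSES:
            hits.add((e["host"], e["image"], e["pid"], e["dest"]))
    return sorted(hits)


def beaconing_candidates(events, min_events=4, max_cv=0.1):
    """Rule 2: a process polling the Dropbox API on a near-fixed schedule looks like an
    implant checking a dead drop, not a user syncing files. Flags each (host, image, pid)
    whose inter-connection intervals have a coefficient of variation at or below max_cv."""
    by_proc = defaultdict(list)
    for e in events:
        if e["dest"] in DROPBOX_API_HOSTS:
            by_proc[(e["host"], e["image"], e["pid"])].append(e["ts"])
    findings = []
    for (host, image, pid), stamps in by_proc.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({"host": host, "image": image, "pid": pid,
                             "connections": len(stamps),
                             "mean_interval_s": avg, "cv": cv})
    return findings


def hunt(text):
    """Run both rules over raw telemetry and return the findings."""
    events = parse_events(text)
    return {"unexpected": unexpected_dropbox_connections(events),
            "beaconing": beaconing_candidates(events)}


if __name__ == "__main__":
    for rule, findings in hunt(SAMPLE_EVENTS).items():
        print(rule)
        for f in findings:
            print("  ", f)
```

Rule 1 is cheap but noisy wherever users run unmanaged tools that integrate with Dropbox; rule 2 is what separates an implant from a person, since humans do not hit the API every 300 seconds with sub-second jitter. Neither rule identifies ShellClient specifically, and an implant that randomizes its sleep will defeat rule 2, so treat both as triage leads to be confirmed by looking at the process on the host.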
“The malware has evolved a lot over the years,” Dahan noted. “In 2018, the code was very simple, but it has become very sophisticated. Earlier this year, the group abandoned its old server infrastructure and replaced it with Dropbox file hosting, a simple way to hide in plain sight. In recent years, we are seeing that more cyber threat actors abuse different cloud services like Google Drive, Dropbox and GitHub, as they provide the perfect camouflage. Although, once we know what we are looking for, it becomes easier to uncover other things.”
Using the ShellClient RAT, the threat actor also deployed additional attack tools to perform various espionage activities on the targeted networks including additional reconnaissance, lateral movement in the environment, and the collection and exfiltration of sensitive data.
The threat, which is still active, has been observed predominantly in the Middle East, but has also targeted organizations in the U.S., Russia and Europe, with a focus on the aerospace and telecommunications industries.
The investigation reveals possible connections to several Iranian state-sponsored threat actors including Chafer APT (APT39) and Agrius APT, the report said. This follows the August publication of the DeadRinger Report by Cybereason that similarly uncovered multiple Chinese APT campaigns targeting telecommunications providers.