Iranian government-linked group 'hacking aviation, petrochemical industries' in Saudi Arabia, US

A group of hackers suspected of working for the Iranian government is targeting the aviation and petrochemical industries in Saudi Arabia, the US and South Korea.
20 September, 2017
Iran built up its cyber capabilities from 2011, after the Stuxnet worm. [Getty]

A group of hackers suspected of working for the Iranian government is targeting the aviation and petrochemical industries in Saudi Arabia, the US and South Korea, a cybersecurity firm has warned.

Iran built up its cyber capabilities from 2011, after the Stuxnet worm destroyed centrifuges used in Iran's contested nuclear program; estimates put the number at roughly a thousand. Stuxnet is widely believed to be an American and Israeli creation.

The report by FireEye on Wednesday said the suspected Iranian hackers had left behind a new type of destructive malware, a wiper capable of erasing the computers it infected, echoing two other suspected Iranian attacks on Saudi Arabia in 2012 and 2016.

Suspected Iranian hackers have long operated without caring whether they were identified or whether there would be consequences, which makes them incredibly dangerous, said Stuart Davis, a director at one of FireEye's subsidiaries.

"Today, without any repercussions, a neighbouring country can compromise and wipe out 20 institutions," Davis said.

FireEye refers to the group as APT33; APT stands for "advanced persistent threat", and the number distinguishes this group from the others FireEye tracks. The group gained access to the affected companies with phishing emails advertising fake job opportunities, sent from look-alike domain names crafted to make the messages appear to come from Boeing Co. or defence contractors.
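The look-alike-domain lure described above is something a mail gateway or SOC can screen for. What follows is an added example, not code from FireEye or from the article: a heuristic that flags sender domains resembling a protected brand, whether the brand is glued to extra words, used as a subdomain of an unrelated domain, registered under another TLD, or altered by a one-character typo or digit-for-letter substitution. PROTECTED_DOMAINS, the HOMOGLYPHS table and the sample domains are constructed for illustration and are not domains APT33 actually used; the code also assumes a single-label public suffix, so .co.uk-style suffixes would need the public suffix list.

```python
"""Flag sender domains that imitate a brand, the job-offer lure the article describes.

Added example, not code from FireEye or the article. PROTECTED_DOMAINS, the
HOMOGLYPHS table and the sample domains are constructed for illustration and
are not the domains APT33 actually registered.
"""
from dataclasses import dataclass
from typing import Optional

# Brands a fake job offer might impersonate (constructed list for this example).
PROTECTED_DOMAINS = ("boeing.com", "lockheedmartin.com", "northropgrumman.com")

# Digits and symbols attackers substitute for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


@dataclass
class Verdict:
    domain: str
    impersonates: Optional[str]  # protected domain being imitated, or None
    reason: str


def registrable_label(domain: str) -> str:
    """'boeing-jobs' for 'boeing-jobs.com'.

    Simplification (assumption): the last label is the public suffix, so
    multi-part suffixes such as .co.uk would need the public suffix list.
    """
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalise(label: str) -> str:
    """Undo common substitutions so 'b0eing' and 'rnicrosoft' read as the brand."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str) -> Verdict:
    """Decide whether a sender domain is a protected brand, a look-alike, or unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in PROTECTED_DOMAINS or domain.endswith(tuple("." + d for d in PROTECTED_DOMAINS)):
        return Verdict(domain, None, "protected domain or one of its own subdomains")

    label = registrable_label(domain)
    for legit in PROTECTED_DOMAINS:
        brand = registrable_label(legit)
        if label == brand:  # boeing.net
            return Verdict(domain, legit, f"'{brand}' registered under a different TLD")
        if brand in label:  # boeing-jobs.com, careers-boeing.com
            return Verdict(domain, legit, f"'{brand}' embedded in the label '{label}'")
        if domain.startswith(brand + ".") or ("." + brand + ".") in domain:  # boeing.com.example.net
            return Verdict(domain, legit, f"'{brand}' used as a subdomain of '{label}'")
        # One-edit rule: fine for brands of this length, too loose for very short ones.
        if levenshtein(normalise(label), brand) <= 1:  # b0eing.com, boeimg.com
            return Verdict(domain, legit, f"'{label}' is within one edit of '{brand}'")
    return Verdict(domain, None, "no resemblance to a protected domain")


if __name__ == "__main__":
    for sample in ("careers.boeing.com", "boeing-jobs.com", "b0eing.com",
                   "boeing.com.example.net", "example.com"):
        print(classify_sender_domain(sample))
```

Treat a hit as a triage signal rather than a block decision: a look-alike domain passes SPF, DKIM and DMARC for its own name, so sender authentication alone does not catch it, and internationalised (punycode) homographs need a separate check on the decoded label.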

The hackers remained inside victim networks for "four to six months" at a time, during which they stole data and left behind wiper malware that FireEye refers to as SHAPESHIFT.

The code contains references in Farsi, FireEye said.

Compile timestamps in the malware also cluster on Saturday through Wednesday, matching the Iranian working week.
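Working-week inference from compile timestamps, as an added example that is neither FireEye's analysis nor data from APT33 samples: convert each UTC compile stamp into the hypothesised operator's local zone, histogram the weekdays, and see which candidate week explains most of the activity. SAMPLE_TIMESTAMPS is constructed; the Asia/Tehran zone is loaded from the system tz database with a fixed +03:30 fallback if it is unavailable.

```python
"""Infer an operator's working week from compile timestamps, the attribution
signal the article describes.

Added example, not FireEye's analysis code. SAMPLE_TIMESTAMPS is constructed
for illustration and is not taken from APT33 samples.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

UTC = timezone.utc
try:
    from zoneinfo import ZoneInfo
    TEHRAN = ZoneInfo("Asia/Tehran")
except Exception:  # no zoneinfo/tzdata available: fall back to Iran's standard offset
    TEHRAN = timezone(timedelta(hours=3, minutes=30))

# Candidate working weeks as Python weekday numbers (Monday=0 ... Sunday=6).
WORKWEEKS = {
    "Mon-Fri": {0, 1, 2, 3, 4},
    "Sun-Thu": {6, 0, 1, 2, 3},   # common in the Gulf states
    "Sat-Wed": {5, 6, 0, 1, 2},   # Iranian working week (Thursday half-day ignored)
}


def _utc(y: int, m: int, d: int, hh: int, mm: int = 0) -> int:
    """Epoch seconds for a UTC wall-clock time, the form a PE TimeDateStamp takes."""
    return int(datetime(y, m, d, hh, mm, tzinfo=UTC).timestamp())


# Constructed: ten builds at 06:00 UTC on Sat-Wed over two weeks in March 2017,
# one on a Thursday, and one late on a Friday (21:00 UTC = 00:30 Saturday in Tehran).
SAMPLE_TIMESTAMPS = [
    _utc(2017, 3, d, 6) for d in (4, 5, 6, 7, 8, 11, 12, 13, 14, 15)
] + [_utc(2017, 3, 9, 6), _utc(2017, 3, 10, 21)]


def weekday_histogram(epoch_seconds: Iterable[int], tz=TEHRAN) -> Counter:
    """Count samples per local weekday after converting from UTC.

    Compile stamps are UTC, so the hypothesised operator's zone must be applied
    first; an evening UTC stamp can fall on the next calendar day locally.
    """
    hist: Counter = Counter()
    for ts in epoch_seconds:
        local = datetime.fromtimestamp(ts, tz=UTC).astimezone(tz)
        hist[local.weekday()] += 1
    return hist


def best_fit_workweek(hist: Counter, min_fraction: float = 0.9) -> Optional[Tuple[str, float]]:
    """Candidate week holding the largest share of samples, if that share reaches min_fraction.

    Returns None when no candidate explains the activity well enough. Compile
    stamps are trivially forged, so a match is one corroborating signal, not proof.
    """
    total = sum(hist.values())
    if total == 0:
        return None
    name, days = max(WORKWEEKS.items(), key=lambda kv: sum(hist[d] for d in kv[1]))
    share = sum(hist[d] for d in days) / total
    return (name, share) if share >= min_fraction else None


if __name__ == "__main__":
    for label, tz in (("Asia/Tehran", TEHRAN), ("UTC", UTC)):
        print(label, best_fit_workweek(weekday_histogram(SAMPLE_TIMESTAMPS, tz)))
```

The same stamps evaluated in UTC no longer clear the threshold, which is why the zone conversion matters. Compile timestamps are trivially forged (timestomping), so this is one corroborating signal to set beside the language artefacts and infrastructure registrations the article lists, not proof on its own.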

The tools used in the campaign are popular with Iranian developers, and the servers were registered through Iranian companies.

One of the hackers appears to have accidentally left his online handle, "xman_1365_x," in part of the code, which "shows up all over Iranian hacker forums," FireEye's John Hultquist said.

"I don't think they're worried about being caught. … They just don't feel like they have to bother."

FireEye's report said it believed APT33 "is likely in search of strategic intelligence capable of benefiting a government or a military sponsor."

One of the email addresses used to register a malicious server belongs to Ali Mehrabian, an investigation by The Associated Press found.

The same address was used to create more than 120 Iranian websites over the past six years.

Neither Mehrabian, who listed himself as living in Tehran, nor "xman" returned emails seeking comment.

Iran is thought to have been behind the Shamoon malware that in 2012 hit Saudi Arabian Oil Co. (Saudi Aramco) and the Qatari natural gas producer RasGas.

Shamoon wiped the hard drives of infected machines and displayed a picture of a burning American flag on their screens.

Saudi Aramco ultimately shut down its network and had to replace more than 30,000 wiped computers.

Another version of the virus struck Saudi government computers in late 2016, this time displaying a photograph of the body of three-year-old Syrian boy Aylan Kurdi, who drowned fleeing his country's civil war.