So far, we have looked at 2 very different Iranian hacker groups that operated in very different ways. Today, we are continuing our quick overview of the most likely Iranian hacker threats that you may face in the next few weeks. This group operates primarily in the Middle East, but it’s important to look at how they operate for three reasons: First, this group is extremely good at manipulating people, and they have displayed advanced skills in social media manipulation. Second, you may have operations or personnel in the Middle East and you really need to watch out for this group. Third, it’s important to know how all of these threat groups operate in case they decide to start operations here in the U.S.
Quick recap from previous posts:
The Iranian government has continued to escalate their cyber-attack operations and will continue their attacks in the very near future.
So, how does a mid-sized company shore up their defenses quickly to counter the threat? There are two things that you need to do.
First, you need to understand the threat. Why is this important? If you understand what the threat is, you’ll have a much better chance of countering their Tactics, Techniques, and Procedures (TTPs).
Second, you need to understand your own vulnerabilities. If you know what the threats are, and you know whether you are susceptible or vulnerable to the types of TTPs that that are being used, then you can take decisive action.
Please click on the link to check out previous blog posts about APT 33 and APT 34.
Today’s focus is on an Iranian cyber threat group that is known to manipulate people through social media. This is hard to defend against, but there are some measures that you can take.
The Threat – APT 35
The group that we are going to look at today has been given many different designations, because it took a while for investigators to realize that this was actually one group. Designations include Magic Hound, Rocket Kitten, Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish, Newscaster, Cobalt Gypsy, and APT35. For simplicity’s sake, we’re going to use the APT 35 designation.
APT 35 uses very different initial tactics than APT 33 and APT 34, and they have been very successful in their target area. APT 35 spends a lot of time building up campaigns, and their targets are very specifically selected. Social engineering through social media platforms seems to be a large part of their Tactics, Techniques, and Procedures (TTP). Let’s look at an example.
According to a SecureWorks report, APT 35 created a fake persona named Mia Ash and spent over a year creating LinkedIn, Facebook, and WhatsApp accounts, as well as a fairly robust blog. “Mia” was set up as a photographer and appeared to be legitimate due to the amount of information that was posted.
The group was looking for ways to target very specific people in organizations, so they set up this persona as someone young, inquisitive, and innocuous.
Initially, “Mia” would make contact with her targets on LinkedIn with the ruse that she was part of a photography exercise to reach out to people across the world. Once contact was made, “Mia” would spend several days chatting with the intended victim to lend credence to her authenticity.
“Mia” would then ask to connect on Facebook, WhatsApp and through email. After establishing other contact methods, she would ask her victims to do a quick survey and send them a file named “Copy of Photography Survey.xlsm.” This survey would appear to not function properly on a home computer, so Mia would encourage the intended victim to open the email at work using their corporate email account so the survey would function properly. The survey contained macros that downloaded a Remote Access Trojan (RAT), which gave the group access to the business network.
This is just one example of the personas that this group uses. It is a very long, slow way to gain access to computer networks, but it is highly effective and can be used against very specific targets. Using this tactic, the group was able to infiltrate business networks at a much higher access level. This is very hard to defend against, but there are a few things that you can do.
Three things that you can do right now
First, Raise your organization’s security awareness level. I know that I said this in the previous 2 posts, but have you done it yet? If not, do it now. Your entire organization needs to know that there is a serious, credible threat, and they all need to be on high alert. Do it now.
Second, Train EVERYONE in your organization on social engineering, and how to avoid being a victim. Even if you did training last quarter, use this as a good opportunity to Raise the security awareness level, and Train everyone again. This threat actor is known to target medium to higher level technical experts who would have higher level access on the computer networks, so make sure that those people are highly trained to recognize social engineering attacks.
Third, if you don’t already have one, implement a system where people in your organization can report suspected social engineering or phishing attacks. If you do have a system in place, advertise it loudly right now.
Let everyone in your organization know that there is a threat, train them on how to recognize attempts, and then get them to report suspicious activity quickly. Even if they were the bozo that clicked on the link and exposed the network, it is MUCH better for the organization if they come clean early so that things can be fixed. Find a way to encourage reporting instead of discouraging it due to fear of reprisal.
Tomorrow, we will take a look at some of the tools that these groups are using, and how you can protect yourself.
We can help!
Feel free to reach out anytime if you have questions, or need more information. Red Trident Inc has a full team of IT and ICS cyber security professionals that can do everything from vulnerability and compliance assessments to comprehensive cyber security program development.
- We have actual military-grade intelligence analysts on our staff that can help you weather the storm.
- We have CSOC services that can help you monitor, detect, contain, and remediate across your IT and ICS networks.
- Most importantly, we have all worked in the plants and know what you’re up against.
- Red Trident is based out of Houston, Texas (the energy capital of the world), but we offer services all over the United States.
MITRE ATT&CK Group (2019, October 15). MagicHound. https://attack.mitre.org/groups/G0059/
Counter Threat Unit Research Team (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets https://www.secureworks.com/research/the-curious-case-of-mia-ash