Category: Iran

Iran-Based Hackers Indicted in March Cyberattack on Atlanta

A U.S. grand jury indicted two Iranian nationals over claims they carried out a March ransomware attack against the city of Atlanta, crippling its computer systems and causing millions of dollars in losses. Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri used ransomware known as SamSam to infect about 3,789 servers and workstations in Atlanta, the Justice Department said.

The two men, who operated from Iran, were also indicted last week by a federal grand jury in Newark, New Jersey, for a “34-month-long international computer hacking and extortion scheme,” according to the Justice Department.

Read more about the new charges against the Iranian hackers on Bloomberg.

2019 Security And Defence Predictions

It’s the time of the year for cybersecurity predictions. This time, Suzanne Spaulding, former DHS Under Secretary and Nozomi Networks advisor, provides her insights on what she believes 2019 will bring.

The things that have been holding back Russia, China, North Korea and Iran from a critical infrastructure attack on the U.S. could shift. When it comes to nation-state threats to U.S. critical infrastructure, we think of four key actors: Russia, China, Iran and North Korea. Each country has been held back from attacking the U.S. for different reasons. Think about a graph with an x and y axis. The x axis represents capabilities and the y axis represents destructive intent. At the moment, Russia and China have the highest capabilities, but they fall lower on the scale of destructive intent.

Read more about Suzanne Spaulding’s predictions and learn why she believes hackers from Russia, China, North Korea or Iran may launch a critical infrastructure attack on the US in 2019, on Information Security Buzz.

Federal Indictments in SamSam Ransomware Campaign

Two men — Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran — have been indicted in a criminal conspiracy around the creation and distribution of the SamSam ransomware campaign. The indictment, unsealed today, was handed down by a federal grand jury in New Jersey.

According to the six-count indictment, Savandi and Mansouri hit more than 200 victims, mostly in the government, critical infrastructure, and healthcare sectors. The victims included the City of Atlanta; the City of Newark, N.J.; the Port of San Diego; the Colorado Department of Transportation; the University of Calgary in Calgary, Alberta; and six health care-related entities.

Read more about the indictments in the SamSam campaign on DarkReading.

Meaner, more violent Stuxnet variant reportedly hit Iran

Stuxnet allegedly has a vicious little brother, or perhaps it is a malicious cousin; the complex malware was likened to being similar to Stuxnet but “more violent, more advanced and more sophisticated.” Iran, according to the Times of Israel, admitted that its “infrastructure and strategic networks” were hit by a meaner, leaner version of Stuxnet. A TV news report added that the Iranians are “not admitting […] how much damage has been caused.”

The report came after Iranian Supreme Leader Ayatollah Khamenei said Iran needed to step up efforts to fight enemy “infiltration.” Reuters also reported that Gholamreza Jalali, the head of Iran’s civil defense agency, said, “Recently we discovered a new generation of Stuxnet which consisted of several parts … and was trying to enter our systems.” Jalali didn’t go into more detail.

Read more about this story on CSO.

Unconfirmed Reports: New Cyber Attacks Hitting Iran

This report highlights that all should be prepared when major geopolitical events occur. Attacks, actions and reactions in the physical world are known to directly result in actions in cyberspace. We should also point out that when big players like nations attack each other, companies and even individuals can at times get caught up in the crossfire. It pays to keep thinking through how to raise your defenses.


Tehran strategic networks attacked, Hadashot TV says, hours after Israel revealed it tipped off Denmark about Iran murder plot, and days after Rouhani’s phone was found bugged

Iranian infrastructure and strategic networks have come under attack in the last few days by a computer virus similar to Stuxnet but “more violent, more advanced and more sophisticated,” and Israeli officials are refusing to discuss what role, if any, they may have had in the operation, an Israeli TV report said Wednesday.

The report came hours after Israel said its Mossad intelligence agency had thwarted an Iranian murder plot in Denmark, and two days after Iran acknowledged that President Hassan Rouhani’s mobile phone had been bugged. It also follows a string of Israeli intelligence coups against Iran, including the extraction from Tehran in January by the Mossad of the contents of a vast archive documenting Iran’s nuclear weapons program, and the detailing by Prime Minister Benjamin Netanyahu at the UN in September of other alleged Iranian nuclear and missile assets inside Iran, in Syria and in Lebanon.


Our recommendation: Raise your defenses; you don’t want to get caught in the crossfire on this one. Learn our latest best practices by reviewing the action plans on our Strategy Page.


These are the hackers targeting the US midterm election

The intelligence community and cybersecurity experts are in lockstep agreement that elections in the U.S. remain vulnerable to hacking and influence campaigns, like efforts deployed by Russia in 2016. But they warn that the threat from a broader range of diverse actors is also growing, posing a unique challenge for governments and corporations around the world.

These cyber-attackers are driven by a variety of motivations, says Andrea Little Limbago, the chief social scientist at data security firm Endgame. “As long as attackers find it in their best interests or find the motivation to want to have some sort of effect … they’re going to think about what they could do with that access,” she says. “Especially China, Russia, and Iran.”

Read more about the hackers targeting the US midterm election on CBS.

Cyber defence: We’ll hack back at attackers, says US

The military must be prepared to disrupt hacking attacks before they reach US computer networks, according to a new strategic vision from the Pentagon. The Department of Defence (DoD) has updated its cyber strategy for the first time since 2015, advocating a more aggressive approach than the previous document.

Perhaps most controversially, under the new strategy the US should be ready to “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict”.

Read more about the more aggressive cyber strategy adopted by the US Department of Defence and the implications thereof, on ZDNet.

‘Domestic Kitten’ Mobile Spyware Campaign Aims at Iranian Targets

A mobile spyware campaign against mainly Iranian citizens has been spotted. The operation is dubbed Domestic Kitten by Check Point researchers — “kitten” to follow common APT nomenclature for Iranian groups and “domestic” because they believe the group is affiliated with the Iranian government, targeting Iranian citizens.

The campaign mainly targets ISIS supporters and members of the Kurdish ethnic group residing within Iran — two groups that Tehran regards as hostile to its interests. The threat actor takes a watering-hole approach, using carefully crafted fake Android apps to attract victims of interest.

Read more about the Domestic Kitten spyware campaign on Threatpost.

Iran-Supported Influence Operations Bigger Than We Thought

Reuters is reporting that the Iranian influence operations targeting internet users worldwide are much larger than previously thought.

We have all been watching revelations on the threat. As background see:

Reuters has now identified a sprawling network of anonymous websites and social media accounts (Facebook, Instagram, Twitter, YouTube) in 11 different languages. The focus of the apparatus is to push content from Iranian state media and other outlets in ways that obscure the original source of the information.

For more see: Reuters.

What do you need to know about this threat? As always, you should consider the business impact of threats like this: what it could mean if your organization is targeted by information operations from a significant propaganda capability like this one, or becomes collateral damage from the actions of threat actors like these.

We recommend investing time in a focused program to monitor mentions of your organization in social media, and being prepared to mount a truth-based defense if slandered. It is also critically important to track the nature of this evolving threat.

For more best practices see:


Following Facebook and Twitter, Google Targets Iranian Influence Operation

In the wake of influence-campaign takedowns by Facebook and Twitter, Google has issued a report detailing its own efforts to root out foreign influence operatives allegedly tied to an Iranian state-run media broadcaster. The news comes as President Donald Trump appeared to tweet in opposition to the efforts of the tech behemoths to disrupt such campaigns.

As part of the influence operation allegedly tied to the Iranian government, Google disabled 39 YouTube channels (which had 13,466 total US views on relevant videos), six blogs on Blogger, and 13 Google+ accounts, according to Kent Walker, senior vice president of global affairs.

Read more about Google’s efforts to root out foreign influence operatives allegedly tied to the Iranian government, on Threatpost.