Iranian cyberespionage operations are continuing at a steady pace, but so far no reaction has been spotted in response to the January U.S. drone strike that killed Iranian Gen. Qasem Soleimani.
Almost two months has passed since the Jan. 2, 2020 attack, Secureworks is only noting the continuation of previously implemented espionage operations from Iran/ These are primarily targeting governmental organizations in Turkey, Jordan, Iraq along with intergovernmental and other agencies in Georgia and Azerbaijan.
“Most of this activity commenced prior to the U.S. drone strike. Victimology and code similarity between the macros in the analyzed samples and macros documented in open-source reporting suggest that these campaigns were conducted by the COBALT ULSTER threat group (also known as MuddyWater, Seedworm, TEMP.Zagros, and Static Kitten), which is tasked by the Iranian government,” Secureworks reported.
That does not mean a cyberattack is not forthcoming. Secureworks noted that setting up a major online effort requires time and Iran is known for using its cyber capabilities to counterstrike its oppenents.
“In some cases, these responses materialized several months after provocations toward Iran occurred. However, Iran’s cyberespionage operations continue,” Secureworks said.
Iran did quickly resort to a military strike launching a missile attack that struck several U.S. bases in Iraq in response to Soleimani’s killing.
With the operations currently underway attackers are using multiple rounds spearphishing attacks to gain entrance to the targeted systems. In some cases studied by researchers the emails contained links to malicious websites that allow the hacking groups to track their targets. In other attacks the email had a malicious spreadsheet attached that was socially engineered to match the subject line of the email to encourage the recipient to click.
Opening and enabling the attachment launches the embedded malicious VBScript which disables the machine’s security controls.
Several payloads are then downloaded from an IP address hard-coded in the script.
Another attack viewed by Secureworks saw the attackers again using a spearphishing attack, but this time the malicious code was hidden inside an attached zip file storing a malicious Excel file that required the victim to activate a macro. In this case a new a previously unobserved RAT Securework’s researchers refer to as ForeLord is dropped and executed.