Researchers on Wednesday reported on a highly targeted, Iranian-sponsored cyber espionage campaign against global aerospace and telecommunications companies in the Middle East, Russia, Europe, and the United States.
In a blog post, Cybereason said the newly discovered Iranian threat actor — MalKamak — has been operating since at least 2018 and remained unknown until today. Operation GhostShell was said to have used attack tools to perform various espionage activities on the targeted networks, including reconnaissance, lateral movement, and the collection and exfiltration of sensitive data.
The researchers said the investigation draws possible connections to other Iranian state-sponsored threat actors, including Chafer APT (APT39) and Agrius APT. This report follows the August publication by Cybereason of the DeadRinger Report that uncovered multiple Chinese APT campaigns targeting telecoms.
According to the researchers, the still-active Operation GhostShell campaign leverages a very sophisticated and previously undiscovered remote access trojan (RAT) called ShellClient that evades antivirus tools and other security apparatus and abuses the public cloud service Dropbox for command and control.
“Anytime threat actors evade detection for more than three years, the impact to companies is devastating,” said Assaf Dahan, senior director, head of threat research at Cybereason.
Dahan said that had Cybereason not been brought in to investigate suspicious activity in July 2021, MalKamak would likely still be operating in stealth mode. Overall, Dahan recommends that security practitioners, and specifically those working for aerospace and telecom companies, carefully study the report. Cybereason also provided the indicators of compromise and highly contextualized behavioral data that security teams can use to detect sophisticated attacks and evasive threat actors in the future.
Dahan could not disclose the names of the companies attacked or how much damage MalKamak caused, although he did say that it’s possible that “hundreds of terabytes” of business-critical data have been exfiltrated. When asked about how the attackers abused Dropbox, he offered this statement:
“Let me be very clear, the attackers didn’t exploit any Dropbox vulnerability,” Dahan said. “They simply created accounts and used them for command and control purposes. The ShellClient RAT would poll the account every two minutes or so to check whether new instructions were left at a certain folder by the attackers. The output of these commands and the stolen data would then be exfiltrated to the same Dropbox account. This is a very clever way to hide in plain sight, since Dropbox is a trusted brand — and traffic to a legitimate site usually will not raise suspicions of certain security products and analysts.”
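The polling pattern Dahan describes is itself a detection opportunity: a host that contacts a trusted cloud domain on a near-fixed timer looks different from a person using the service. The following is an added example (not Cybereason's code or anything from the report) that scores inter-request regularity per host in a constructed proxy log; the log format, host names and sample lines are assumptions made for this example.

```python
# Added example (not Cybereason's code). ShellClient is described as polling a
# Dropbox account about every two minutes; this flags hosts whose requests to a
# trusted domain arrive on a near-fixed timer. Log format and lines are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_host> <dest_host> <method> <bytes_out>"
SAMPLE_LOG = """\
2021-07-12T09:00:03Z ws-041 api.dropboxapi.com POST 512
2021-07-12T09:02:04Z ws-041 api.dropboxapi.com POST 498
2021-07-12T09:04:02Z ws-041 api.dropboxapi.com POST 503
2021-07-12T09:06:05Z ws-041 api.dropboxapi.com POST 520
2021-07-12T09:08:03Z ws-041 api.dropboxapi.com POST 511
2021-07-12T09:01:17Z ws-017 api.dropboxapi.com POST 104857
2021-07-12T09:23:40Z ws-017 api.dropboxapi.com POST 2048
2021-07-12T09:31:09Z ws-017 api.dropboxapi.com GET 300
2021-07-12T09:55:02Z ws-017 api.dropboxapi.com POST 71234
2021-07-12T10:40:33Z ws-017 api.dropboxapi.com POST 4096
"""

# Assumed list of cloud-storage API hosts worth watching (extend for your environment).
WATCHED_DOMAINS = {"api.dropboxapi.com", "content.dropboxapi.com", "www.dropbox.com"}

def parse_log(text):
    """Return {(src, dest): [timestamps]} for requests to watched domains."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dest, _method, _size = line.split()
        if dest in WATCHED_DOMAINS:
            series[(src, dest)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return series

def find_beacons(series, min_events=5, max_cv=0.1):
    """Return (src, dest, period_s, cv) for pairs whose request gaps are regular.

    cv = stdev / mean of the inter-request gaps: a low cv means a timer, not a human.
    """
    hits = []
    for (src, dest), stamps in series.items():
        stamps = sorted(stamps)
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append((src, dest, round(avg), round(cv, 3)))
    return hits
```

On the constructed log, ws-041 is flagged with a ~120 s period while ws-017's irregular, human-looking traffic is not; in practice the threshold and minimum event count should be tuned against a baseline of the organization's own cloud-storage usage.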
The aerospace and telecommunications sectors are likely of high importance to the Iranian state, with APT39 previously attributed to several attacks against similar targets within the Middle East, said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. Morgan said obtaining sensitive information related to these sectors from regional adversaries could provide Iran with a strategic advantage, which was likely the overall goal of the GhostShell campaign.
“Dropbox is a frequent target for threat actors primarily due to the popularity of the system and the potential value of stored data,” Morgan said. “Dropbox does offer some significant security features — including strong encryption and use of two-factor authentication — but ultimately those options are not mandated to users. As a result, poorly secured accounts can often find the service being targeted by malicious actors.”
Tim Wade, technical director of the CTO Team at Vectra, said that, sidestepping whether or not Dropbox was an authorized cloud storage service in the target organizations, this may serve as another example of the risks presented by shadow IT generally, as cloud services continue to provide covert communication or exfiltration channels for adversaries.
“Absent advanced detection capabilities, it can be very difficult from the standpoint of a defender to determine if the communication is malicious or benign,” Wade said. “For this reason, good IT hygiene and visibility are themselves an often underutilized form of risk reduction.”
Archie Agarwal, founder and CEO at ThreatModeler, said the sophistication of this previously unknown RAT coupled with the obfuscation techniques and command-and-control channel via a well-known online service to blend in with normal network traffic demonstrates a level of expertise usually reserved for state-supported operators.
“The fact that critical industrial niches were targeted in specific geographic regions such as aerospace and telecoms reinforces this assumption,” Agarwal said. “As the report suggests, similarities with previously known Iranian operational activities have lent credence to the suspicion this is of Iranian origin; however, attribution is difficult in a world full of false flag operations.”
Saryu Nayyar, CEO at Gurucul, explained that the GhostShell attack allowed hackers to get into a system, elevate privileges on that system, and move between systems on a network.
“After that, what it can do on the network could be practically anything,” Nayyar said. “This type of attack shows the persistence of hackers and their ability to infect enterprise networks. While the endgame is unclear, it likely has to do with ransomware. Enterprises need to be able to identify anomalous behavior on their network and cut off such trojans before they do serious harm to applications and data.”