Are APT Campaigns Funded By Iran Intensifying
There are two types of APT (Advanced Persistent Threats), the first one is self-funded by the cybercriminal organizations themselves, the other one being funded by state-actors. State-actors are representatives of nation-states, with the goals aligned with the states they are associated with. The publicly accessible Internet is not only the source of news, entertainment, communication tool, and business platform but for purposes that are in the gray area. One such thing is state-funded cyber espionage campaigns, the latest are involved in a recent campaign named MuddyWater leaks while another one tentatively known as Rana Institute.
The MuddyWater leak was claimed to be perpetrated by Green Leakers hacker team. They are selling their “stolen goods” in their dark web portals, they are very careful not to reveal the exact IP address of the hacked servers involved in the sale. This is to help prevent their true owners from knowing that their servers were part of their zombie network, hence the stolen account remains valid. “These documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems. The identity of the actor behind the leak is currently unknown, however based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups’ operation in the near future,” explained ClearSky Security Researchers.
Meanwhile, the Rana Institute leak’s purpose is to practically expand the Iranian capabilities in cyber warfare, including malware development and growth of their cross-border cyber espionage capabilities. The goal is to protect the Iranian regime from external influencers and forces that may loosen the grip of its leaders to maintain power within the nation. Iran taps the graduates of their state colleges and universities in Tehran, making them consultants for Information Technology, a very well paid job in the country.
“The objective of this sub-group is hacking, developing malware and attack tools, establishing and maintaining foothold on compromised networks, etc. One other objective is using malwares to identify anyone who poses a threat to the regime such as riot leaders. The members of the group are experts in IT, encryptions algorithms, firmware, malware and virus development. Further, they are fluent in various foreign languages,” added ClearSky Security Researchers.
- Hong Kong
- New Zealand
- Sri Lanka
“The identity of the actor behind the leak is currently unknown, however based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups’ operation in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even year,” concluded ClearSky Security Researchers.