Researchers from the UK firm Clearsky Cyber Security have uncovered a widespread offensive campaign being conducted by Iranian APT groups. The campaign, which involves breaching companies’ VPNs to install backdoors, has been ongoing for several years.
What are APT Groups?
Advanced Persistent Threat (APT) groups are typically nation state or state-sponsored groups. They are stealthy cybercriminal groups that gain unauthorized access to computer networks and stay undetected for an extended period.
APT groups’ motivations are generally political or economic. The aim of APT groups’ attacks is to steal, disrupt or spy on worldwide government organizations and major corporations.
The Iranian Campaign’s Discovery
The Iranian offensive campaign, which has been ongoing for 3 years, was discovered by researchers at Clearsky Cyber Security. Their findings have been detailed in a report that was published yesterday.
According to Clearsky’s report, the Iranian campaign is one of the most lengthy and comprehensive to be discovered thus far. Moreover, the campaign was used not only to install malware at target organizations but also to build an entire infrastructure.
This infrastructure was “dedicated to ensuring long-lasting capability to control and fully access the targets chosen by the Iranians.” The report goes on to explain that “The revealed campaign was used as reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman, tied to APT34.”
APT Groups’ Methods
To infiltrate targeted organizations, the attackers exploited unpatched VPN services such as Pulse Secure VPN, Fortinet VPN and Global Protect VPN. Once the attackers managed to access target organizations’ networks, they remained undetected by camouflaging and encrypting their communication with the target networks.
The APT groups then scanned through breached organizations’ networks and critical information storages to find sensitive and valuable information. Any information of interest was then saved by the attackers for “reconnaissance, espionage, or further infection of connected networks.”
Furthermore, after breaching an organization, the attackers created several backdoors within it. Multiple backdoors gave the attackers secondary access points if one backdoor was discovered and closed.
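The methods described above (entry through a VPN appliance, then scanning of the internal network for valuable data stores) leave a pattern that defenders can look for: a remote-access client address that suddenly contacts many distinct internal hosts or services in a short window. The following is an added example of that detection logic, written for this page; it is not code from Clearsky’s report. It assumes a simple firewall log format (`timestamp src=… dst=… dport=…`) and a VPN client address pool of `10.200.0.0/24`; both are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the address pool the VPN appliance hands to remote clients.
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")

# Assumed log format, one connection per line (not a specific vendor's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def build_sample_events():
    """Constructed sample log (not real data) covering three behaviours."""
    base = datetime(2020, 2, 16, 10, 0, 0)
    lines = []
    # 1) A VPN client sweeping 12 file servers on SMB within two minutes:
    #    the lateral scanning described in the report.
    for i in range(12):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} src=10.200.0.15 dst=10.0.8.{i + 1} dport=445")
    # 2) An ordinary workstation talking to the same three servers all
    #    morning: many connections, but few distinct targets (benign).
    for i in range(30):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} src=10.0.5.23 dst=10.0.8.{(i % 3) + 1} dport=443")
    # 3) A slow sweep, one new host every six minutes: stays below the
    #    per-window threshold, which shows the limit of a short window.
    for i in range(12):
        ts = (base + timedelta(minutes=6 * i)).isoformat()
        lines.append(f"{ts} src=10.0.5.40 dst=10.0.9.{i + 1} dport=22")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            (
                datetime.fromisoformat(m["ts"]),
                ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]),
                int(m["dport"]),
            )
        )
    return events


def find_scanning_sources(events, window=timedelta(minutes=5), min_targets=10):
    """Return {src: peak distinct (dst, port) pairs seen in any `window`}
    for every source whose peak reaches `min_targets`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))

    flagged = {}
    for src, rows in by_src.items():
        rows.sort()  # sliding window needs events in time order
        start, peak = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            targets = {(dst, dport) for _, dst, dport in rows[start : end + 1]}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def triage(events, vpn_pool=VPN_POOL, **kwargs):
    """Annotate flagged sources with whether they came from the VPN pool,
    since a scan from a remote-access address deserves first attention."""
    flagged = find_scanning_sources(events, **kwargs)
    return {
        str(src): {"distinct_targets": n, "from_vpn_pool": src in vpn_pool}
        for src, n in flagged.items()
    }


if __name__ == "__main__":
    for src, info in triage(parse_log(build_sample_events())).items():
        print(src, info)
```

The window and threshold are tuning knobs: the slow sweep in the sample deliberately evades a five-minute window, so in practice this check is paired with a longer-horizon count of distinct targets per source, and the VPN-pool flag is what lets an analyst prioritise a hit that originates from a remote-access session.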
The Campaign’s Targets
The APT groups have been targeting organizations around the world in the IT, Telecommunication, Oil and Gas, Aviation, Government and Security sectors. The IT sector has been particularly targeted due to its links with many other large organizations.
“Since 2017, we identify Iranian APT groups focusing on IT companies that provide a wide range of services to thousands of companies. Breaching those IT companies is especially valuable, because through them one can reach the networks of additional companies capability to carry on operations inside the network,” explains the report.