In a report that documents the activities of the Iranian Ajax Security Team, FireEye contends that Iran-based hacker groups are becoming increasingly sophisticated in their attacks and could mirror the evolution of elite Chinese hacking organizations to become a hacking superpower.

While FireEye stops short of making a connection between the hackers and the Iranian government, the report notes “the objectives of these groups are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities.”

In a Tuesday email correspondence with SCMagazine.com, Darien Kindlund, director of threat research at FireEye, said the company believes “Iran is increasingly reaching to hacker groups within the country” which “coincides with a shift among some groups, such as Ajax Security Team, from website defacements to cyber espionage activity.”

The 20-page report, titled “Operation Saffron Rose,” notes that the Ajax Security Team is engaged in espionage using malware that is unique to the group. The hackers are targeting U.S. companies in the defense industrial base as well as Iranian dissidents and those who use anti-censorship technology to circumvent Iran’s internet filtering system. To that end, FireEye found that the group pursued 77 people from a single C2 server.

In a Tuesday blog post, FireEye researchers wrote that “It is unclear if the Ajax Security Team operates in isolation or if they are a part of a larger coordinated effort,” but noted that the group “has its roots in popular Iranian hacker forums such as Ashiyane and Shabgard, [and] has engaged in website defacements since 2010.”

FireEye has observed that the Ajax Security Team is currently strengthening its numbers by recruiting from existing cyber crime gangs, particularly members who held leadership positions and whose sights were trained on politically motivated attacks that dovetail with the Iranian government’s goals and interests. The group, too, has been involved in website defacement but has increasingly shifted its interests to cyber espionage.

Acknowledging that the organization has used “a variety of clever social engineering techniques to deliver their malware” but calling the malware “somewhat limited” in capability, Kindlund said “it provides all the functionality they need to conduct successful attacks.”

To guard against the threats posed by Iranian hacking groups, Kindlund cautioned companies, organizations and government entities to “be wary/vigilant of spearphish email attacks, which are disguised in the same fashion as listed in the example email of the report.”

May 14, 2014