Iranian hacktivists target US defense industry, FireEye says


A suspected Iran-based hacking group known for defacing websites has shown increased ambition over the past few months, targeting U.S. defense contractors and Iranian dissidents, according to a new report from security company FireEye.

The group, which calls itself the Ajax Security Team, stopped defacing websites around December, but a network of computers it uses to steal data has shown continued activity distributing malware aimed at higher-value targets, FireEye said in its report, called “Operation Saffron Rose.”

"The objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, but we believe that members of the group may also be dabbling in traditional cybercrime. This indicates that there is a considerable grey area between the cyber espionage capabilities of Iran’s hacker groups and any direct Iranian government or military involvement," FireEye said in a blog post on the report.

The group has launched attacks on both Iranians trying to get around the country’s Internet censors and U.S. defense companies. Iranian hackers in general have also been blamed for denial-of-service attacks that dealt blows to U.S. banks’ online operations in recent years.

Michael Hayden, former director of the CIA and the National Security Agency, said cyberwarfare gives countries with inferior military capabilities a way to disrupt another nation’s security without launching missiles or invading.

The Ajax Security Team’s transition from “patriotic” hacking (defacing websites in defense of Iran’s government) to cyber-espionage is one the company has also noticed with China-based hacking groups.

“Members of the Chinese hacking community that participated in such attacks soon found that transitioning to cyberespionage was more rewarding—both in terms of developing a more advanced skill set as well as in monetary remuneration,” FireEye said.

At one time, the Ajax Security Team had a website and forum, but those are now offline. FireEye identified some of the group’s prominent members by their screen names, saying the group appeared to be formed in 2010 by people going by the screen names “HUrr1c4nE!” and “Cair3x.”

In one attack, the group created a fake website for the IEEE Aerospace Conference, an annual weeklong conference attended by high-ranking government and military members. It then targeted conference-goers with emails leading to the fake website. The website told visitors they needed to install proxy software in order to access the site; that software was actually malware, FireEye said.

FireEye Labs recently observed the Ajax Security Team conducting multiple cyber-espionage operations against companies in the defense industrial base within the U.S. The group also targets local Iranian users of Proxifier or Psiphon, which are anti-censorship technologies that bypass Iran's Internet filtering system.

Whether the Ajax Security Team operates in isolation or as part of a larger government-coordinated effort is unclear. The team uses malware tools that do not appear to be publicly available or used by any other threat groups. This group uses varied social engineering tactics to lure targets into infecting their systems with malware. Although FireEye Labs has not observed the Ajax Security Team using zero-day attacks to infect victims, members of the Ajax Security Team have previously used publicly available exploit code to deface websites.
Reviewed by Ankit Kumar Titoriya on 03:09

1 comment:

  1. We need a safe and secure world

    The hacking that is mentioned here is from part of the Iranian government. We (the security specialists) in Iran do not like this hacking and try to have a safe and secure world. We try to be ethical and improve our knowledge with you guys. Help ethical hackers and security specialists in Iran. We are against hacktivism and other international illegal behavior. Just believe us that we are good guys. We try to learn, but because of sanctions we cannot access useful material, but the wrong guys can, through governmental facilities.
