Iranian state hackers used a treasure trove of compromised email accounts to phish dozens of worldwide diplomatic missions.
Researchers from Dream Security and Clear Sky Cyber Security have both since tied this activity to the advanced persistent threat (APT) known colloquially as "Homeland Justice," associated with Iran's Ministry of Intelligence (MOIS). The key to Homeland Justice's strategy was a set of 104 unique compromised email addresses, some of them official, which it used to send emails under the guise of official government business. Attached to those emails, of course, were files carrying infostealing malware.
Iran's Phishing Campaign
The first email in this campaign was sent Aug. 19. It was generated using a legitimate address belonging to the Oman Ministry of Foreign Affairs in Paris, and directed right back at the organization it came from.
It had all the hallmarks of the many phishing attacks to come. The note was forwarded through a NordVPN exit node in Jordan to mask where it was really coming from. It included a blurred Word document attachment, requiring that the user enable macros to view it clearly. Enabling macros revealed it to be an invitation to an online seminar on "The Future of the region after the Iran-Israel war and the role of Arab countries in the Middle East," a hot-button issue of potential interest to the ministry. The document also concealed malicious Visual Basic for Applications (VBA) macros.
It was a rather atavistic approach to such a high-level operation. "Since Microsoft improved the default security controls around document macros, we have seen a reduction in malicious macros and an uptick in identity attack techniques such as adversary-in-the-middle (AiTM) attacks to capture credentials and hijack session cookies," explains Kevin E. Greene, a chief cybersecurity technologist at BeyondTrust.
But "you’d be surprised," says the team from Dream Security. "Macro-enabled documents still work, and phishing remains one of the most effective initial-access vectors. The technique is 'old-school,' but in this case the emails came from a legitimate, compromised account, which increased credibility and likely click-through; with that level of trust, simple techniques still succeed." They assess with moderate confidence that at least one observed victim did click through and enable the malicious macros.
From there, a malicious payload would have been decoded and executed. The attackers integrated some basic evasion techniques in this phase of the attack, including using the "vbHide" VBA parameter to conceal the malware from view as it executes, then hiding it in plain sight by dropping it in the victim's Documents folder with an innocuous ".log" extension. They also used a function called "laylay," which delayed payload execution by performing long runs of repetitive counting, otherwise pointless except that it might have thrown off security software.
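The traits described above (a hidden shell launch via vbHide, a dropped file under Documents with a ".log" extension, and a time-wasting counting loop) can be turned into triage rules for macro source. The following is an added example for defenders, not code from Dream Security, Clear Sky, or the campaign itself; the sample macro, the file name "report.log" and the shape of the "laylay" loop are constructed assumptions, since the reports only describe the behaviour.

```python
import re
from typing import Dict, List

# Constructed sample of a VBA macro exhibiting the traits the article describes.
# The exact file name and the loop bound are assumptions, not values from the report.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim p As String
    p = Environ("USERPROFILE") & "\Documents\report.log"
    Call laylay
    Shell "cmd /c " & p, vbHide
End Sub

Sub laylay()
    Dim i As Long, n As Long
    For i = 1 To 5000000
        n = n + 1
    Next i
End Sub
'''

# Each rule maps a name to a case-insensitive regex over the macro source.
RULES: Dict[str, str] = {
    # Macro runs automatically when the document is opened.
    "auto_exec": r"\bSub\s+(AutoOpen|Document_Open|Workbook_Open)\b",
    # Shell launched with the vbHide window style, so nothing is shown to the user.
    "hidden_shell": r"\bShell\b[^\n]*\bvbHide\b",
    # Payload path under the Documents folder disguised with a .log extension.
    "log_in_documents": r"Documents\\[^\"\n]*\.log\b",
    # Large counting loop with no useful work, used purely to delay execution.
    "delay_loop": r"For\s+\w+\s*=\s*1\s+To\s+\d{6,}",
}

def triage_macro(source: str) -> Dict[str, object]:
    """Return the matched rule names, a score, and a verdict for a VBA source string."""
    hits: List[str] = [name for name, pat in RULES.items()
                       if re.search(pat, source, re.IGNORECASE)]
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= 3}

if __name__ == "__main__":
    print(triage_macro(SAMPLE_MACRO))
```

Macro source can be pulled from a document with a VBA extraction tool before being fed to triage_macro; the threshold of three hits is a starting point to tune against benign macros in your own environment.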
The final payload, "sysProcUpdate," gathered basic system information, perhaps only as an introduction for follow-on malicious activity.
Researchers from Dream assess that this campaign has likely concluded, just days after it began, since at the time of writing, the attackers' command-and-control (C2) infrastructure appears to be inactive.
Worldwide Embassies Targeted
Phishing emails of this nature went out to around four dozen embassies, consulates, and government ministries, representing countries from nearly every corner of the earth, including:
Consulates and ministries from across the Middle East, including Oman, Qatar, Bahrain, Israel, Jordan, and the UAE
Embassies and consulates belonging to Italy, France, Romania, Spain, the Netherlands, Hungary, Germany, Austria, and Sweden
Embassies and consulates of 12 African countries, including Ethiopia, Nigeria, Rwanda, Malawi, and eight more undisclosed
Diplomatic missions and ministries from 11 nations in the Western hemisphere, including but not limited to Canada, Brazil, Colombia, Peru, and Argentina
Besides these government agencies, the attackers also targeted at least 10 other notable international organizations of various kinds: the United Nations, its Office on Drugs and Crime (UNODC), and its Children's Fund (UNICEF); the African Union; and humanitarian organizations like the Order of Malta. The World Bank was also targeted, as was an organization in the maritime sector, and one in energy.
"In an age of rising geopolitical tensions, knowing what an embassy is reporting back, or being told through diplomatic cables and other communications, can provide a strategic advantage to an adversary," Greene says. "There is also an element of trophy hunting and posturing involved, where it might be viewed as a way to earn a political point without being seen to directly attack foreign soil."
He also notes that "as effectively remote outposts in a different time zone, embassies may have more limited resources or rely on local resources to support and configure their systems. They also employ contractors and local staff who may not be familiar with all the cyber security risks or be able to spot a poorly written phishing email in a second or third language," making them occasionally easy pickings.