Iranian hackers target US defence industry

Security outfit FireEye has noticed an up-tick in attacks from an Iran-based hacking group.

The Ajax Security Team, which sounds like a group that would clean your bath rather than hackers, is better known for defacing websites.

But FireEye said the group has shown increased ambition over the past few months, targeting US defence contractors and Iranian dissidents.

FireEye said in its report, called “Operation Saffron Rose”, that a network of computers the Ajax Security Team (AST) uses to steal data has shown continued activity distributing malware aimed at higher-value targets.

The security company recovered information on 77 people targeted by the group by analysing a command-and-control server used to store stolen data. Most of the victims had their computers set to the Persian language and to Iran’s time zone. FireEye said it also uncovered evidence the group targeted US defence contractors.

The report said that there is no clear link between the group and Iran’s government, although the country has been trying to expand its offensive cyber capabilities.

“While the objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, the relationship between this group and the Iranian government remains inconclusive,” the report said.

The Ajax Security Team’s move from “patriotic” hacking—defacing websites in defence of Iran’s government—to more cyber-espionage is a pattern which the company noticed with Chinese groups.

“Members of the Chinese hacking community that participated in such attacks soon found that transitioning to cyberespionage was more rewarding,” FireEye said.

In one attack, the group created a fake website for the IEEE Aerospace Conference, an annual weeklong conference attended by high-ranking government and military members.

It then targeted conference-goers with emails leading to the fake website. The website told visitors they had to install proxy software to access the site; that software was actually malware, FireEye said.
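The lure described above, an invitation email whose links lead to a lookalike conference site, is the kind of thing a mail-triage check can catch before anyone is asked to "install proxy software". The script below is an added example written for this article; it is not code from FireEye's report or from the group it describes. It pulls link targets out of an HTML email body, compares each hostname against an allowlist of hosts the organisation expects conference mail to use, and flags links whose visible text disagrees with their real target or whose host is a near-miss of an allowlisted name. Every hostname, URL and message body in it is a constructed placeholder, not a real indicator from the campaign.

```python
"""
Added example (not from FireEye's report or the article): triage check for
invitation emails that link to a lookalike conference site. All hosts, URLs
and message text below are constructed placeholders, not real indicators.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts conference mail is expected to link to
# (placeholder values, not the real conference's domains).
ALLOWED_HOSTS = {"conference.example.org", "www.example.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lower-cased hostname of a URL; bare 'host/path' text gets a scheme first."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def suspicious_links(html_body: str, allowed=ALLOWED_HOSTS, max_dist=2):
    """Return (href, reason) for every link that is not on the allowlist,
    with the most specific reason available: visible text pointing at a
    different host than the real target, or a typosquat-style near-miss."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if host in allowed:
            continue
        shown = host_of(text) if "." in text else ""
        near = [a for a in allowed if edit_distance(host, a) <= max_dist]
        reason = f"{host} is not an allowlisted host"
        if shown and shown != host:
            reason = f"link text shows {shown} but target is {host}"
        elif near:
            reason = f"{host} is a near-miss of {near[0]}"
        findings.append((href, reason))
    return findings


# Constructed sample invitation; 'examp1e' (digit one) stands in for a lookalike host.
SAMPLE_EMAIL = """
<p>Register for the conference at
<a href="http://conference.examp1e.org/register">conference.example.org/register</a>.
To view the agenda, install our
<a href="http://conference.examp1e.org/proxy.exe">proxy software</a>.
Hotel details: <a href="http://www.example.org/hotel">hotel information</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

On the constructed sample this flags the registration link (its visible text names the allowlisted host while the target is the lookalike) and the "proxy software" download (a one-character near-miss of the allowlisted host), and passes the genuine hotel link. The "install software to view the site" lure itself is better handled by policy, such as blocking executable downloads from unrecognised hosts, than by text matching, which is why this check keys on the link targets rather than on the wording.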