A gang of hackers suspected of working in Iran for the Tehran government is likely behind attacks on American, Saudi Arabian and South Korean aviation and energy firms, a cyber security firm warned on Wednesday.
The report by FireEye also said the suspects left behind a new type of malware that could have been used to destroy the computers it infected.
That capability echoes two earlier Iran-attributed attacks on Saudi Arabia, in 2012 and 2016, that destroyed computer systems.
“The gang, dubbed APT33, is believed to have links to the Iranian regime,” Stuart Davis, director of Global Services & Intelligence at FireEye, the cybersecurity company that uncovered the hackers, said during a press conference in Dubai.
“From the middle of 2016 until early 2017, APT33 members managed to hack into several organisations and companies in the three countries.”
Representatives from the US intelligence-led security company revealed details about a hacking group that infiltrated an aerospace firm in the US, a Saudi trade group with holdings in the aviation sector and a petrochemical company based in South Korea.
He said the targets indicated that APT33 (APT is an acronym for 'advanced persistent threat') may be looking to gain insights into Saudi Arabia’s military aviation capabilities.
The petrochemical targets suggest an effort to gain information that could serve Iran's interests and inform decisions related to its own petrochemical production.
“They used malicious files to lure their victims and make them believe that they have vacancies and then solicit highly confidential information,” said Mr Davis.
FireEye said APT33 used phishing emails offering fake job opportunities to gain access to the affected companies, using lookalike domain names so the messages appeared to come from Boeing or defence contractors.
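The lookalike-domain lure described above lends itself to a simple check on the receiving side. The following is an added example written for this page, not FireEye's tooling and not any real APT33 domain: it scores sender domains against a short list of brands the lures impersonate (boeing.com follows the article; acme-defence.com is a hypothetical stand-in for the unnamed defence contractors), using digit-for-letter homoglyph normalisation, substring matching and edit distance. The sample sender addresses are constructed for the example.

```python
"""Flag lookalike sender domains in job-lure emails.

Added illustration for this article; not FireEye's tooling, and none of the
domains below are real APT33 infrastructure.
"""
from typing import List, Tuple

# Assumption: the brands the lures impersonate. boeing.com follows the article;
# acme-defence.com is a hypothetical stand-in for the unnamed defence contractors.
PROTECTED_DOMAINS = ["boeing.com", "acme-defence.com"]

# Constructed sample sender addresses (invented for the example).
SAMPLE_SENDERS = [
    "hr@boeing.com",             # genuine domain
    "careers@boeing-jobs.com",   # brand plus a plausible suffix
    "jobs@b0eing.com",           # digit-for-letter homoglyph
    "recruit@acme-defense.com",  # one-letter spelling variant
    "info@example.org",          # unrelated
]

# Digits commonly swapped in for letters in typosquats.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance between two strings, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(address: str) -> str:
    """Part after '@', reduced to its last two labels.

    Assumption: two-label public suffixes (co.uk, com.sa) are not handled;
    a production tool should consult the Public Suffix List instead.
    """
    host = address.rsplit("@", 1)[-1].lower().strip(".")
    return ".".join(host.split(".")[-2:])


def classify_sender(address: str, protected: List[str] = PROTECTED_DOMAINS,
                    max_edits: int = 2) -> Tuple[str, str, str]:
    """Return (domain, verdict, matched protected domain or '')."""
    domain = registrable_domain(address)
    if domain in protected:
        return domain, "legitimate", domain
    label = domain.split(".")[0].translate(HOMOGLYPHS)
    for p in protected:
        p_label = p.split(".")[0]
        # (a) brand embedded in a longer label (boeing-jobs), or
        # (b) a typo/homoglyph variant within a small edit distance.
        embedded = len(p_label) >= 5 and p_label in label
        if embedded or levenshtein(label, p_label) <= max_edits:
            return domain, "lookalike", p
    return domain, "unrelated", ""


def triage(addresses: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every sender address in a batch."""
    return [classify_sender(a) for a in addresses]


if __name__ == "__main__":
    for domain, verdict, matched in triage(SAMPLE_SENDERS):
        print(f"{domain:<20} {verdict:<11} {matched}")
```

The substring test is deliberately restricted to brand labels of five or more characters, because short labels match too many unrelated domains; the edit-distance threshold of two catches single-character typos and one homoglyph plus one typo, but should be tuned against real mail volume to keep false positives manageable.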
The hackers then remained inside the victims' systems for "four to six months" at a time, stealing data and leaving behind the malware that FireEye refers to as SHAPESHIFT. The code contains references in Farsi, the official language of Iran, FireEye said.
Timestamps in the code also correspond to hackers working from Saturday to Wednesday, the Iranian workweek, Davis said. The tools used in the campaign are popular with Iranian developers, servers were registered through Iranian companies, and one of the operators appears to have accidentally left his online handle, "xman_1365_x," in part of the code.
FireEye identified the person behind the “xman_1365_x” handle as an Iranian contractor and linked him to the Nasr Institute, which has been described as the equivalent of Iran’s “cyber army” and is said to be controlled by the Iranian government.
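The workweek pattern and the leftover handle described above are the kind of artefacts an analyst pulls from compile timestamps and debug (PDB) paths. The script below is an added example, not FireEye's analysis code: it converts a constructed set of compile timestamps to Tehran local time, tallies the days and hours they fall on, and extracts user-profile names from a PDB path embedded in a constructed byte blob. The path and the account name example_operator are invented, and the code assumes a fixed UTC+03:30 offset.

```python
"""Operator-workweek and build-artifact triage over constructed sample data.

Added illustration for this article; not FireEye's analysis code. All sample
timestamps and the embedded PDB path are invented.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Assumption: a fixed UTC+03:30 offset. Iran's summer time (UTC+04:30, observed
# until 2022) is ignored so the example runs without a tz database; production
# code should use zoneinfo.ZoneInfo("Asia/Tehran") instead.
TEHRAN = timezone(timedelta(hours=3, minutes=30), "UTC+03:30")
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
IRAN_WORKWEEK = {"Sat", "Sun", "Mon", "Tue", "Wed"}

# Constructed sample: (Tehran local date, hour) pairs turned into UTC epoch
# seconds, standing in for PE compile timestamps. Two deliberate outliers:
# a Friday 02:00 build and a Tuesday 22:00 build.
_SAMPLE_LOCAL = [
    ("2016-09-10", 10), ("2016-09-11", 14), ("2016-09-12", 9), ("2016-09-13", 16),
    ("2016-09-14", 11), ("2016-09-17", 13), ("2016-09-19", 15), ("2016-09-21", 10),
    ("2016-09-16", 2), ("2016-09-20", 22),
]
SAMPLE_COMPILE_TIMES = [
    int(datetime.strptime(d, "%Y-%m-%d").replace(hour=h, tzinfo=TEHRAN).timestamp())
    for d, h in _SAMPLE_LOCAL
]


def local_datetimes(epochs: Iterable[int], tz=TEHRAN) -> List[datetime]:
    """Interpret UTC epoch seconds in the candidate operator time zone."""
    return [datetime.fromtimestamp(t, tz) for t in epochs]


def weekday_histogram(epochs: Iterable[int], tz=TEHRAN) -> Dict[str, int]:
    """Count builds per local weekday."""
    return dict(Counter(WEEKDAYS[dt.weekday()] for dt in local_datetimes(epochs, tz)))


def workweek_fraction(epochs: Iterable[int], tz=TEHRAN, workweek=IRAN_WORKWEEK) -> float:
    """Share of builds falling on the candidate workweek (Sat-Wed for Iran)."""
    dts = local_datetimes(epochs, tz)
    return sum(WEEKDAYS[dt.weekday()] in workweek for dt in dts) / len(dts)


def business_hours_fraction(epochs: Iterable[int], tz=TEHRAN, start=8, end=18) -> float:
    """Share of builds inside local office hours [start, end)."""
    dts = local_datetimes(epochs, tz)
    return sum(start <= dt.hour < end for dt in dts) / len(dts)


# A PDB path in a PE debug directory: drive letter, backslash path, ".pdb",
# NUL-terminated. Non-greedy so the match stops at the first ".pdb".
PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00]{1,240}?\.pdb")
USER_RE = re.compile(r"\\Users\\([^\\]+)\\", re.IGNORECASE)

# Constructed byte blob imitating a slice of a PE file around the CodeView
# ("RSDS") record; the path and the account name are invented.
SAMPLE_BLOB = (
    b"\x00" * 8 + b"RSDS" + b"\x11" * 16 + b"\x01\x00\x00\x00"
    + rb"C:\Users\example_operator\Documents\proj\Release\tool.pdb" + b"\x00"
    + b"\x90" * 8
)


def extract_pdb_paths(blob: bytes) -> List[str]:
    """All PDB paths left in a binary by the linker."""
    return [m.decode("latin-1") for m in PDB_RE.findall(blob)]


def candidate_handles(blob: bytes) -> List[str]:
    """User-profile directory names inside PDB paths: build-machine account
    names, which occasionally turn out to be an operator's online handle."""
    return [u for p in extract_pdb_paths(blob) for u in USER_RE.findall(p)]


if __name__ == "__main__":
    print("weekday histogram (UTC+03:30):", weekday_histogram(SAMPLE_COMPILE_TIMES))
    print("fraction inside Sat-Wed:", workweek_fraction(SAMPLE_COMPILE_TIMES))
    print("fraction inside 08:00-18:00:", business_hours_fraction(SAMPLE_COMPILE_TIMES))
    print("PDB paths:", extract_pdb_paths(SAMPLE_BLOB))
    print("candidate handles:", candidate_handles(SAMPLE_BLOB))
```

Two caveats a practitioner should keep in mind: PE compile timestamps are a single 32-bit field the author can set to anything, so a clean Sat-Wed pattern is easy to forge, and a workweek inferred from a handful of samples is weak evidence on its own. FireEye's attribution rests on several such signals together (language artefacts, infrastructure registration, tool choice and the handle), not on timestamps alone.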
In March 2016, the US Department of Justice unsealed an indictment that named two individuals allegedly hired by the Iranian government to build attack infrastructure and conduct distributed denial-of-service attacks in support of Operation Ababil, the 2012-2013 DDoS campaign against US banks.
Associated Press reported that Iran began building up its cyber capabilities in 2011, after the Stuxnet worm damaged roughly a thousand centrifuges used in Iran's contested nuclear program. Stuxnet is widely believed to be an American and Israeli creation.
Iran is believed to be behind the 2012 Shamoon attack, which hit Saudi Arabian Oil Co. and the Qatari natural gas producer RasGas. The wiper overwrote files and master boot records, using fragments of an image of a burning American flag as the overwrite pattern, leaving the machines unbootable. Saudi Aramco ultimately took its network offline and had to replace over 30,000 computers.
* with inputs from Associated Press