Iranian Cyber Crew Infiltrates US Networks

Iranian Cyber Crew Infiltrates US Networks

Iranian Cyber Crew Infiltrates US Networks

A recent discovery by Symantec and Carbon Black’s threat hunting team has revealed that an Iranian cyber crew, believed to be part of the Iranian Ministry of Intelligence and Security (MOIS), has been embedded in multiple US companies’ networks since the beginning of February.

Targets Include Bank, Airport, and Software Firm

The affected organizations include a bank, airport, and software firm, as well as non-governmental organizations in both the US and Canada. The compromised software company supplies its tech to defense and aerospace industries, and has a presence in Israel.

Meanwhile, the Israeli operation appears to be the primary target, with a new backdoor named Dindoor found on the Israeli location’s networks, as well as those belonging to the US bank and a Canadian nonprofit.

Malware and Backdoors

A separate Python-based backdoor called Fakeset was found on the airport and a US nonprofit’s networks. However, the reuse of certificates indicates MuddyWater was behind the US network activity.

Additionally, the threat group has been using phishing emails or vulnerabilities in public-facing applications as its initial infection vector.

Intent and Motives

When asked about the intent of these intrusions, analysts said it’s difficult to say for sure, as Iranian cyber operations span a range of motives, including intelligence gathering and disruption.

Therefore, it’s possible that groups such as Seedworm could pivot in response to the war and launch disruptive attacks on organizations they’ve already compromised.