IRAN : world's 4th cyber army

Does the Iranian Operation Cleaver exist or is this a new fake WMD charge that will be used against Iran as a threat to critical 'world' infrastructure - the same way it was used against Iraq in early 2000s? I am sensing the latter as the demonizing campaign against Iran is picking up now disproportionately.
Everyone spies on each other so I wouldn't be surprised if Iran is doing this, because other countries are doing this to them as well.
 
.

Hakan, my point was the whole charge could be false. When certain forces in the powers that be want to encourage the attack, be it financial or military, on any country, they start demonizing that country. The lies used against Iraq, Libya, and Syria are clear examples. I sense Iran may not be launching the attacks, but they are being scapegoated. Anything is possible in this climate where any country can be accused of anything, and there is no proof required that the accused is initiating the attacks.
 
.
Equation cyberspies use unrivaled, NSA-style techniques to hit Iran, Russia

Jeremy Kirk
Feb 16, 2015 6:25 PM
A cyberespionage group with a toolset similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries including Iran and Russia.

Kaspersky Lab released a report Monday that said the tools were created by the “Equation” group, which it stopped short of linking to the U.S. National Security Agency.

The tools, exploits and malware used by the group—named after its penchant for encryption—have strong similarities with NSA techniques described in top-secret documents leaked in 2013.

Countries hit the most by Equation include Iran, Russia, Pakistan, Afghanistan, India and China. Targets in those countries included the military, telecommunications, embassies, government, research institutions and Islamic scholars, Kaspersky said.

Kaspersky’s most striking finding is Equation’s ability to infect the firmware of a hard drive, or the low-level code that acts as an interface between hardware and software.

The malware reprograms the hard drive’s firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS doesn’t affect it, and the hidden storage sector remains.

“Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, in a phone interview Monday.

Drives made by Seagate Technology, Western Digital Technologies, Hitachi, Samsung Electronics and Toshiba can be modified by two of Equation’s hard disk drive malware platforms, “Equationdrug” and “Grayfish.”

The report said Equation has knowledge of the drives that goes way beyond public documentation released by vendors.

Equation knows sets of unique ATA commands used by hard drive vendors to format their products. Most ATA commands are public, as they comprise a standard that ensures a hard drive is compatible with just about any kind of computer.

But there are undocumented ATA commands used by vendors for functions such as internal storage and error correction, Raiu said. “In essence, they are a closed operating system,” he said.

Obtaining such specific ATA codes would likely require access to that documentation, which could cost a lot of money, Raiu said.
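As an added illustration (not code from Kaspersky's report or the article), here is a decoder for the response to the public ATA IDENTIFY DEVICE command (0xEC), the command behind `hdparm -I` on Linux, which is the simplest place a defender can read a drive's reported model, serial number and firmware revision and compare it with an inventory baseline. The sample block is constructed in the code; the baseline dictionary, the `check_firmware` helper and the field names are illustrative, not part of any vendor tool.

```python
"""Decode and sanity-check an ATA IDENTIFY DEVICE (command 0xEC) response.

Added example, not from Kaspersky's report or the PCWorld article.
Field layout follows the public ATA/ATAPI command set: the response is
256 little-endian 16-bit words, and the ASCII identification strings are
packed two characters per word with the first character in the high byte.
"""
import struct

# Word ranges [start, end) of the public ASCII fields in the response.
SERIAL_WORDS = (10, 20)    # 20 characters
FIRMWARE_WORDS = (23, 27)  # 8 characters
MODEL_WORDS = (27, 47)     # 40 characters


def _ata_string(words, start, end):
    """Unpack an ATA ASCII field: big-endian packing restores character order."""
    raw = b"".join(struct.pack(">H", w) for w in words[start:end])
    return raw.decode("ascii", errors="replace").strip()


def parse_identify(block: bytes) -> dict:
    """Return the serial number, firmware revision and model from a 512-byte block."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE response must be exactly 512 bytes")
    words = struct.unpack("<256H", block)
    return {
        "serial": _ata_string(words, *SERIAL_WORDS),
        "firmware": _ata_string(words, *FIRMWARE_WORDS),
        "model": _ata_string(words, *MODEL_WORDS),
    }


def check_firmware(info: dict, baseline: dict) -> list:
    """Compare the reported firmware revision with an inventory baseline.

    `baseline` maps model string -> expected firmware revision (a hypothetical
    inventory you would build from drives verified out of the box).
    Returns a list of findings; an empty list means the revision matches.
    """
    expected = baseline.get(info["model"])
    if expected is None:
        return ["no baseline for model %r" % info["model"]]
    if info["firmware"] != expected:
        return ["firmware %r differs from baseline %r for model %r"
                % (info["firmware"], expected, info["model"])]
    return []


def build_identify(serial: str, firmware: str, model: str) -> bytes:
    """Construct a synthetic IDENTIFY DEVICE block (test data, not a real drive)."""
    words = [0] * 256
    for (start, end), text in ((SERIAL_WORDS, serial),
                               (FIRMWARE_WORDS, firmware),
                               (MODEL_WORDS, model)):
        width = (end - start) * 2
        if len(text) > width:
            raise ValueError("%r does not fit in a %d-character field" % (text, width))
        padded = text.encode("ascii").ljust(width, b" ")
        for i in range(end - start):
            # First character of each pair goes in the high byte of the word.
            words[start + i] = struct.unpack(">H", padded[2 * i:2 * i + 2])[0]
    return struct.pack("<256H", *words)


if __name__ == "__main__":
    # Constructed sample; on Linux the same fields appear in `hdparm -I /dev/sdX`.
    block = build_identify("EXAMPLE-SERIAL-001", "FW01.00", "Example Drive Model")
    info = parse_identify(block)
    print(info)
    print(check_firmware(info, {"Example Drive Model": "FW01.00"}))  # []
    print(check_firmware(info, {"Example Drive Model": "FW02.00"}))
```

The check is only as trustworthy as the firmware answering the command: a drive whose firmware has been reprogrammed in the way the article describes can return whatever revision string the attacker chose, which is why Raiu calls the tampering almost impossible to detect from the host. The vendor-specific commands used to reflash a drive are the undocumented ones Raiu mentions and are deliberately not part of this example.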

The ability to reprogram the firmware of just one kind of drive would be “incredibly complex,” Raiu said. Being able to do that for many kinds of drives from many brands is “close to impossible,” he said.

“To be honest, I don’t think there’s any other group in the world that has this capability,” Raiu said.

It appears Equation has been far, far ahead of the security industry. It’s almost impossible to detect this kind of tampering, Raiu said. Reflashing the drive, or replacing its firmware, is also not foolproof, since some types of modules in some types of firmware are persistent and can’t be reformatted, he said.

Given the high value of this exploitation technique, Equation very selectively deployed it.

“During our research, we’ve only identified a few victims who were targeted by this,” Kaspersky’s report said. “This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances.”

Another of Kaspersky’s intriguing findings is Fanny, a computer worm created in 2008 that was used against targets in the Middle East and Asia.

To infect computers, Fanny used two zero-day exploits—the term for a software attack that uses an unknown software vulnerability—that were also coded into Stuxnet, Kaspersky said. Stuxnet, also a Windows worm, was used to sabotage Iran’s uranium enrichment operations. It is thought to be a joint project between the U.S. and Israel.

It’s unlikely the use of the same zero-days was a coincidence. Kaspersky wrote that the similar use of the vulnerabilities means that the Equation group and the Stuxnet developers are “either the same or working closely together.”

“They are definitely connected,” Raiu said.

Both Stuxnet and Fanny were designed to penetrate “air-gapped” networks, or those isolated from the Internet, Kaspersky said.

The Equation group also used “interdiction” techniques similar to those used by the NSA in order to deliver malicious software to targets.

Kaspersky described how some participants of a scientific conference held in Houston later received a CD-ROM of materials. The CD contained two zero-day exploits and a rarely-seen malware doorstop nicknamed “Doublefantasy.”

It is unknown how the CDs were tampered with or replaced. “We do not believe the conference organizers did this on purpose,” Kaspersky said. But such a combination of exploits and malware “don’t end up on a CD by accident,” it said.

The NSA’s Office of Tailored Access Operations (TAO) specializes in intercepting deliveries of new computer equipment, one of the most successful methods of tapping into computers, wrote Der Spiegel in December 2013, citing a top secret document.

The German publication was one of several that had access to tens of thousands of spy agency documents leaked by former NSA contractor Edward Snowden.

Kaspersky uncovered the trail of the Equation group after investigating a computer belonging to a research institute in the Middle East that appeared to be the Typhoid Mary for advanced malware.

Raiu said the machine had French, Russian and Spanish APT (advanced persistent threat) samples on it among others, showing it had been targeted by many groups. It also had a strange malicious driver, Raiu said, which upon investigation led to the extensive command-and-control infrastructure used by Equation.

Kaspersky analysts found more than 300 domains connected with Equation, with the oldest one registered in 1996. Some of the domain name registrations were due to expire, so Kaspersky registered around 20 of them, Raiu said.

Most of the domain names aren’t used by Equation anymore, he said. But three are still active. The activity, however, doesn’t lend much of a clue as to what Equation is up to these days, as the group changed its tactics in late 2013.

“Those three [domains] are very interesting,” Raiu said. “We just don’t know what malware is being used.”

Equation cyberspies use unrivaled, NSA-style techniques to hit Iran, Russia | PCWorld
 
.
[image: irancyber1.jpg]
 
.
Document Reveals Growth of Cyberwarfare Between the U.S. and Iran

By DAVID E. SANGER
FEB. 22, 2015

WASHINGTON — A newly disclosed National Security Agency document illustrates the striking acceleration of the use of cyberweapons by the United States and Iran against each other, both for spying and sabotage, even as Secretary of State John Kerry and his Iranian counterpart met in Geneva to try to break a stalemate in the talks over Iran’s disputed nuclear program.

The document, which was written in April 2013 for Gen. Keith B. Alexander, then the director of the National Security Agency, described how Iranian officials had discovered new evidence the year before that the United States was preparing computer surveillance or cyberattacks on their networks.

It detailed how the United States and Britain had worked together to contain the damage from “Iran’s discovery of computer network exploitation tools” — the building blocks of cyberweapons. That was more than two years after the Stuxnet worm attack by the United States and Israel severely damaged the computer networks at Tehran’s nuclear enrichment plant.
The document, which was first reported this month by The Intercept, an online publication that grew out of the disclosures by Edward J. Snowden, the former N.S.A. contractor, did not describe the targets. But for the first time, the surveillance agency acknowledged that its attacks on Iran’s nuclear infrastructure, a George W. Bush administration program, kicked off the cycle of retaliation and escalation that has come to mark the computer competition between the United States and Iran.

The document suggested that even while the high-stakes nuclear negotiations played out in Europe, day-to-day hostilities between the United States and Iran had moved decisively into cyberspace.

“The potential cost of using nuclear weapons was so high that no one felt they could afford to use them,” said David J. Rothkopf, the author of “National Insecurity,” a new study of strategic decisions made by several American administrations. But the cost of using cyberweapons is seemingly so low, Mr. Rothkopf said, that “we seem to feel we can’t afford not to use them” and that “many may feel they can’t afford ever to stop.”

The N.S.A.’s new director, Adm. Michael S. Rogers, has declared that his first task is to deter attacks by making it costly for countries like Russia, China and Iran to wage cyberwar. But a former senior intelligence official who looked at the two-page document prepared for General Alexander after it was published 10 days ago said it provided “more evidence of how far behind we are in figuring out how to deter attacks, and how to retaliate when we figured out who was behind them.”

The document declares that American intercepts of voice or computer communications showed that three waves of attacks against American banks that began in August 2012 were launched by Iran “in retaliation to Western activities against Iran’s nuclear sector,” and added that “senior officials in the Iranian government are aware of these attacks.”

The main targets were the websites of Bank of America and JPMorgan Chase. By 2015 standards, those were relatively unsophisticated “denial of service” strikes that flooded the banks with traffic, overloading the sites so that for a time customers could not access their accounts. American officials — with the exception of then-Senator Joseph I. Lieberman of Connecticut, who was the chairman of the Senate Homeland Security committee — never publicly identified Iran as the culprit, though it was widely reported as the prime suspect.

More recently, the Obama administration, in an effort to deter attacks, has grown less reticent about naming countries that the administration believes are responsible for such attacks. In May, five members of the Chinese People’s Liberation Army were indicted on a charge of stealing intellectual property from American companies. And in December, President Obama said he had evidence that North Korea’s leadership was behind an attack on Sony Pictures Entertainment, though he did not provide details. The New York Times later reported that the N.S.A. had gathered the evidence from implants that it had placed in North Korean computers beginning in 2010.

But just as American officials woke up to North Korea’s abilities last year, the newly disclosed document makes clear that by early 2012, American officials were increasingly alarmed by the successes of Iran’s new “cybercorps.”

The background briefing for General Alexander, who is now running his own cyberdefense firm, said flatly that Iran was responsible for the “destructive cyberattack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers,” an attack that appeared to pave the way for a technically similar strike on Sony last year. The N.S.A. document suggests that the attack on Saudi Aramco was in response to “a similar cyberattack” against Iran’s oil industry earlier that year; it did not indicate who launched that attack.

The document refers to a major program at the N.S.A. to prepare for traditional or cyberwar “contingencies” with Iran, including a “planned battle rhythm” that would allow it to feed data to the White House and the military’s commands. That is fairly standard planning, but the document underscored that the plans depended on “both our access and Iran’s capabilities,” meaning that there is a constant reassessment of how deeply the N.S.A. and its military partner, United States Cyber Command, have penetrated Iranian systems.

The core of the document urges General Alexander to tell his counterpart at the Government Communications Headquarters that the two organizations have “worked multiple high-priority surges” against Tehran. GCHQ, as it is known, is the British intelligence agency that is famous for breaking Germany’s Enigma codes, recently portrayed in the movie “The Imitation Game.”

But it hints at discord. GCHQ wanted to set up “a trilateral arrangement to prosecute the Iranian target,” the memo said. But the United States “has been opposed to such a blanket arrangement,” the document said, and hints that both the N.S.A. and GCHQ “have agreed to continue to share information gleaned from the respective bilateral relationships” with Israel’s Unit 8200, also known as the Israeli Sigint National Unit. “Sigint” stands for “signals intelligence.”

The relationship between the N.S.A. and its Israeli counterpart has always been testy. Both American and Israeli intelligence agencies spy on each other, even while working together. The joint development of Olympic Games was their proudest moment of collaboration, but it was also marked by disagreements about how, and how vigorously, to press cyberattacks on Iran.

http://www.nytimes.com/2015/02/23/u...-of-cyberwarfare-between-the-us-and-iran.html
 
.