Iranian state-sponsored group APT42 is targeting NGOs, government, and intergovernmental organizations with two new backdoors.

The post Iranian Cyberspies Hit Targets With New Backdoors appeared first on SecurityWeek.

America’s adversaries have mounted online campaigns to amplify the social and political conflicts over Gaza flaring at universities, researchers say.

© Amir Hamja/The New York Times

With more than 2 billion voters ready to cast a vote this year across 60 plus nations -including the U.S., U.K. and India - Russian state hackers are posing the biggest cyber threat to election security, researchers said. Google-owned Mandiant in a detailed report stated with “high confidence” that Russian state-sponsored cyber threat activity poses the greatest risk to elections in regions with Russian interest.

“Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” Mandiant said.

Why Russia is the Biggest Cyber Threat to Election Security

Russia's approach to election interference is multifaceted, blending cyber intrusion activities with information operations aimed at influencing public perceptions and sowing discord. State-sponsored cyber threat actors, such as APT44, better known as the cyber sabotage unit Sandworm, and APT28 have a history of targeting elections in the U.S., and Europe. These actors employ hybrid operations, combining cyber espionage with hack-and-leak tactics to achieve their objectives. The 2016 U.S. presidential election is a prime example of Russia's cyber interference capabilities, as per Mandiant. APT28, linked to Russia intelligence unit - the GRU, compromised Democratic Party organizations and orchestrated a leak campaign to influence the election's outcome. Similarly, in Ukraine, APT44 conducted disruptive cyber operations during the 2014 presidential election, aiming to undermine trust in the electoral process. Jamie Collier, Mandiant senior threat intelligence advisor said, “One group to watch out for is UNC5101 that has conducted notable hybrid operations in the past.” Mandiant reports UNC5101 engaging in cyber espionage against political targets across Europe, Palestinian Territories, and the U.S. The actor has also used spoofed Ukrainian government domains to spread false narratives directly to government employees' inboxes. Before Russia's 2023 and 2024 elections, UNC5101 registered domains related to opposition figures like Alexei Navalny and conducted likely information operations to deceive voters. Russian state-aligned cyber threat actors target election-related infrastructure for various reasons including applying pressure on foreign governments, amplifying issues aligned with Russia's national interests, and retaliating against perceived adversaries. Groups like APT28 and UNC4057 conduct cyber espionage and information operations to achieve these objectives, Mandiant said.

Beijing’s Interest in Information Operations

Collier noted that state threats to elections are far more than just a Russia problem.

“For instance, we have seen pro-China information operations campaigns carry out election-related activity in the US, Taiwan, and Hong Kong,” Collier said.

China's approach to election cybersecurity focuses on intelligence collection and influence operations that promote narratives favorable to the Chinese Communist Party (CCP). State-sponsored actors like TEMP.Hex have targeted elections in Taiwan, using cyberespionage to gather critical information and using information operations to shape public discourse, Mandiant’s analysis found. In the lead-up to Taiwan's 2024 presidential election, Chinese threat actors intensified cyber espionage activities, targeting government, technology, and media organizations. Concurrently, pro-PRC information operations sought to discredit candidates perceived as unfriendly to China, using fabricated leaks and disinformation campaigns to sway public opinion, which even the Taiwanese government confirmed.

Watch-Out for Iran’s Espionage and Influence Campaigns

Iranian state hackers are another group of threat actors to keep an eye on for their cyber espionage and influence campaigns, Mandiant noted.

“[Irans’s] campaigns will rise as elections approach in key nations of interest to the Islamic Republic, such as counterparts in the currently stalled nuclear negotiations, and countries offering support to Israel during current fighting in Gaza,” Mandiant said.

During the 2020 U.S. presidential election, Iran attempted to compromise state voter registration websites and disseminate false information. The U.S. Department of Justice charged two Iranian nationals in 2021 for their involvement in this campaign. Pro-Iranian influence campaigns, including Liberty Front Press and Roaming Mayfly, target global audiences with anti-U.S. and anti-Israeli propaganda, amplifying partisan divisions and fostering distrust in democracies, Mandiant said.

Diverse Targets Multiple Vectors

Securing elections requires protecting not only voting machines and voter registries but also a wide range of entities involved in the electoral process. Political parties, news media, and social media platforms are frequent targets of cyber operations, which also comes under the attack surface of elections. [caption id="attachment_65433" align="aligncenter" width="551"] Credit: Mandiant[/caption] Cyber threat actors are increasingly employing hybrid operations, combining multiple tactics to amplify their impact. Examples from past elections, such as the Ukrainian presidential election in 2014, illustrate how they are using a combination of cyber intrusions, data leaks, and DDoS attacks to disrupt electoral processes. Owing to this Mandiant detailed likely threat vectors that could be used in the upcoming election season: [caption id="attachment_65432" align="aligncenter" width="819"] Credit: Mandiant[/caption] The threats posed by Russian, Chinese, and Iranian state actors to election cybersecurity are complex and multifaceted. By understanding the tactics and objectives of these actors, election organizations can develop effective mitigation strategies to safeguard democratic processes. However, addressing these threats requires a concerted effort involving international cooperation and a commitment to upholding the integrity of democratic elections worldwide. In-line with this, the U.S. agencies recently released guidance to defending the integrity of democratic processes. The guidance extensively details common tactics seen in foreign malign influence operations, offering real-world instances and suggesting possible countermeasures for stakeholders in election infrastructure. Though many of these tactics aren't new, the widespread use of generative artificial intelligence (AI) has notably amplified adversaries' ability to produce and spread persuasive malicious content, the guidance said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The U.S. government charged four Iranian nationals for their alleged involvement in multi-year hacking operations targeting several prominent entities including the U.S. Treasury and State departments, defense contractors, and two New York-based companies. These activities are purportedly conducted on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC).  The indicted individuals Hossein Harooni, Reza Kazemifar, Komeil Baradaran Salmani, and Alireza Shafie Nasab are charged with conspiracy to commit computer fraud, conspiracy to commit wire fraud, and wire fraud. They face significant penalties, including up to five years in prison for the computer fraud conspiracy charge and up to 20 years for each count of wire fraud and conspiracy to commit wire fraud, according to the U.S. Department of Justice.  “Criminal activity originating from Iran poses a grave threat to America’s national security and economic stability,” said Attorney General Merrick Garland. “These defendants are alleged to have engaged in a coordinated, multi-year hacking campaign from Iran targeting more than a dozen American companies and the U.S. Treasury and State Departments.” 

US Treasury Imposed Sanctions While State Offers $10 million Reward

Owing to this, the U.S. Department of Treasury also imposed sweeping sanctions on the accused, while the State Department offered a reward of up to $10 million and potential relocation for any information leading to the apprehension of three of the suspects or the associated companies.  [caption id="attachment_64673" align="alignnone" width="1962"] Source: US Rewards for Justice[/caption] The Treasury Department said that all four individuals have ties to IRGC front companies, namely Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA), which were allegedly used in orchestrating various aspects of the attacks.  “Today’s charges pull back the curtain on an Iran-based company that purported to provide ‘cybersecurity services’ while in actuality scheming to compromise U.S. private and public sector computer systems, including through spearphishing and social engineering attacks,” said Assistant Attorney General Matthew Olsen of the Department of Justice’s National Security Division.  Of the four, Harooni was allegedly responsible for procuring, administering, and managing the online network infrastructure, including computer servers and customized software used to facilitate the computer intrusions. He faces additional charges of knowingly damaging a protected computer, which could result in a further 10-year prison term.   Harooni, Salmani, and Nasab are also accused of aggravated identity theft, carrying a mandatory consecutive two-year prison sentence, according to the Justice Department. 

The Deeper Dive Into the Multi-year Hacking Operations

The group is alleged to have engaged in "a coordinated multi-year campaign to conduct and attempt to conduct computer intrusions" from 2016 through at least April 2021. The hackers employed spearphishing, targeting employees via deceptive emails, infecting over 200,000 accounts in one campaign and 2,000 in another. They used an undisclosed custom application to organize and execute these attacks efficiently, as per the Justice Department.   By compromising an administrator email of a Defense Contractor, they created unauthorized accounts to launch spearphishing campaigns against employees of other contractors and consulting firms. They also employed social engineering tactics including women impersonations, to gain victims' trust and deploy malware, further compromising devices and accounts, the Justice Department said.  Their primary targets were cleared defense contractors, entities authorized to access, receive, and store classified information for the U.S. Department of Defense.  In addition to defense contractors, the group also reportedly targeted a New York-based accounting firm and a New York-based hospitality company. Overall, they are accused of targeting over a dozen U.S. companies, in addition to the Treasury and State departments, according to the State Department's reward offer.  The U.S. Cybersecurity and Infrastructure Security Agency (CISA), has previously warned that the IRGC and its affiliated cyber actors have been targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs), that are especially used in various critical infrastructure sites.  Other than hacking, Iran has also resorted to influence operations to achieve its geopolitical aims, combining offensive cyber operations in a multi-pronged approach.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Four Iranians are accused of hacking into critical systems at the Departments of Treasury and State and dozens of private US companies.

The post $10 Million Bounty on Iranian Hackers for Cyberattacks on US Gov, Defense Contractors appeared first on SecurityWeek.

Amidst the complexities of the Israel-Iran conflict, the Middle East is witnessing another form of strife: cyber warfare. Jordan finds itself at the forefront of this battle, facing a barrage of alleged cyberattacks orchestrated by various hacktivist groups. The BlackMaskers Team has emerged as a prominent threat, claiming cyberattacks on Jordan, targeting crucial Jordanian entities, ranging from the stock exchange to private sector enterprises. The ongoing cyberattacks are exemplified by recent incidents of Jordan supporting Israel against Iran in the ongoing war. The BlackMaskers Team proclaimed their actions, declaring Jordan as their prime target. [caption id="attachment_63513" align="alignnone" width="1280"] Source: X[/caption] Their assaults on Jordanian websites and subsequent data breaches have sparked concern, amplifying the vulnerability of national infrastructure and private companies alike.

Cyberattacks on Jordan Amidst Public Outrage

[caption id="attachment_63508" align="alignnone" width="780"] Source: X[/caption] Jordanian authorities are dealing with reports of cyberattacks while also facing public criticism for their decision to support Israel against Iran. The organizations suspected to be affected include the Jordan Stock Exchange and the Jordanian Water Company Yarmook. [caption id="attachment_63510" align="alignnone" width="776"] Source: X[/caption] The gravity of the Jordan cyberattacks was highlighted when the hacker group threatened to leak sensitive information pertaining to more Jordanian companies. This warning, coupled with the release of sample documents, further exacerbated the situation in the country. Amidst the chaos, the cyber assailants remain elusive, evading detection as they exploit vulnerabilities in Jordanian organizations.  The leaked sample data allegedly comprises sensitive documents and information, including financial auditing reports for companies like Jordan Steel, insights into Jordan's alleged assistance to Israel against Iranian threats, and documents from other Jordanian entities.  The Cyber Express has reached out to the listed victims to learn more about these cyberattacks on Jordan. However, at the time of writing this, no official statement or response has been received, leaving the claims made by the threat actor to stand unverified right now. 

Jordanians Display Insurgency Against the Government 

The ramifications extend beyond Jordan's borders, intersecting with the broader geopolitical setup of the region. Reports of Jordan's assistance to Israel in countering Iranian threats have triggered uproar and dissent within the country wherein the local public feels betrayed by their government.  The fallout from these events reverberates across social media platforms, fueling speculation and resentment. Accusations of betrayal and collusion with Israel overburden online discourse, painting a portrait of disillusionment and discontent among Jordanians.  Jordan reportedly is experiencing public outrage for supporting Israel against an Iranian attack. Misinformation regarding the king's role is being circulated online. Many Jordanians feel betrayed by their government's stance, resulting in significant anger and protests against the alliance with Israel. Amidst the chaos, Jordan's vulnerabilities are laid bare once again, wherein an unfamiliar hacker group is claiming cyberattacks on multiple organizations at once. This intrusion, not confirmed though, highlights the current situation in the Middle East where hackers, governments, and the local public are taking sides while war is disrupting the livelihood of common citizens.  This is an ongoing story and The Cyber Express will be monitoring the situation. We’ll update this post once we have more information on the alleged cyberattacks on Jordan or any official confirmation from the listed organizations.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.