Iranian hackers infiltrated major VPN and remote systems for years

Firms in the IT and telecoms industry among those targeted by a reconnaissance and information theft campaign

Iranian cyber criminals gained access to the infrastructure of dozens of firms, and have been accused of a string of prominent cyber attacks, including those against Citrix and Palo Alto Networks.

The campaign, dubbed ‘Fox Kitten’, has thus far targeted major companies in order to gain long-lasting control and access to their networks for reconnaissance purposes, and occasionally as a springboard to launch devastating malware attacks.


The campaign, which has been running for at least the last three years, has targeted companies in the IT, telecoms, oil and gas, aviation, government and security sectors globally.

As outlined in a report from cyber security company ClearSky, several known groups and their activities can be tied together through shared infrastructure, and attributed with medium or high probability to hacker groups such as APT34-OilRig, APT33-Elfin and APT39-Chafer, which are considered to have ties to Iran.

The ClearSky researchers have also determined that there’s a medium probability that APT33 and APT34 have been working together since 2017 via this shared infrastructure.

The campaign's key offensive technique was the exploitation of one-day vulnerabilities (publicly disclosed vulnerabilities that have not yet been patched on the target) in various virtual private network (VPN) and remote-access products, including those from Pulse Secure, Fortinet and Palo Alto Networks.

Some of these vulnerabilities, and their subsequent exploitation, gained notoriety. The National Cyber Security Centre (NCSC) and National Security Agency (NSA), for example, warned in October 2019 that hackers were exploiting flaws in VPN products from all three firms.


Although the groups' actions span a number of years, the hackers have already conducted significant activity in 2020, exploiting fresh vulnerabilities in remote systems deployed by Citrix.

“We attribute the 'Fox Kitten' campaign, with medium-high confidence, to the APT34 group, and with medium confidence to the APT33 and APT39 groups,” the report said. “And we assess that there is a cooperation between the groups in infrastructure and possibly beyond that.

“We assess this campaign’s main goal to be intelligence collection on the targets and creating a supply-chain attack. In our analysis, we have not identified distribution of destructive malware in the attacked organizations.”


Once the hackers gained a foothold in an organisation's network, they maintained access by deploying a range of communication tools, including opening Remote Desktop Protocol (RDP) connections, in order to camouflage and encrypt their communication with the compromised targets.

Finally, having infiltrated and maintained access within the organisation, the attackers identified, examined and filtered sensitive or valuable information from their victims. This was sent back to the attackers for reconnaissance, espionage, or further infection of the compromised and associated networks.


From a target company's perspective, the picture is bleak: identifying an attacker on a compromised network takes a long time, which according to the report varies from several months to never. Organisations' ability to monitor for and block an attacker who entered through remote communication tools, meanwhile, ranges from difficult to impossible.
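One practical way to narrow that monitoring gap is to correlate VPN logins with the RDP sessions the report describes: a single VPN session that fans out over RDP to many internal hosts shortly after login is a lateral-movement pattern worth reviewing. The script below is an added example written for this article, not code from ClearSky or the report; the log format, the `login` and `rdp_logon` event names, the hostnames and addresses are all constructed for illustration, and a real deployment would parse the concentrator's and Windows' own event formats instead.

```python
"""Correlate VPN logins with subsequent RDP session starts and flag VPN
sessions that fan out to several internal hosts within a short window.

Added example for this article (not from the report). Log format, event
names, users, hosts and addresses are constructed sample data."""
import re
from datetime import datetime, timedelta

# Constructed sample logs: the VPN concentrator records a login and the pool
# address it assigned; internal hosts record inbound RDP logons (hypothetical
# normalised format: "<timestamp> <reporting host> <event> k=v ...").
SAMPLE_LOGS = """\
2020-02-15T02:11:04Z vpn01 login user=jdoe src=198.51.100.23 assigned=10.200.0.15
2020-02-15T02:13:40Z fs01 rdp_logon user=jdoe src=10.200.0.15 dst=fs01
2020-02-15T02:14:12Z dc01 rdp_logon user=jdoe src=10.200.0.15 dst=dc01
2020-02-15T02:15:55Z hr02 rdp_logon user=jdoe src=10.200.0.15 dst=hr02
2020-02-15T02:16:30Z app07 rdp_logon user=jdoe src=10.200.0.15 dst=app07
2020-02-15T09:02:11Z vpn01 login user=asmith src=203.0.113.8 assigned=10.200.0.31
2020-02-15T09:05:00Z ws14 rdp_logon user=asmith src=10.200.0.31 dst=ws14
this line is malformed and must be ignored
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    ts, host, event, rest = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"when": when, "host": host, "event": event}
    rec.update(KV.findall(rest))  # key=value pairs become dict entries
    return rec


def find_rdp_fanout(lines, window=timedelta(hours=1), threshold=3):
    """Return alerts for VPN sessions whose assigned address opened RDP to at
    least `threshold` distinct hosts within `window` of the VPN login."""
    sessions = []       # every VPN session seen, in order
    active = {}         # assigned pool address -> most recent session
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "login" and "assigned" in rec:
            sess = {"user": rec.get("user", "?"), "login": rec["when"],
                    "src_ip": rec["assigned"], "hosts": set()}
            sessions.append(sess)
            active[rec["assigned"]] = sess   # pool address may be reused later
        elif rec["event"] == "rdp_logon":
            sess = active.get(rec.get("src"))
            if sess is None:
                continue  # RDP not from a known VPN pool address: out of scope
            delta = rec["when"] - sess["login"]
            if timedelta(0) <= delta <= window and "dst" in rec:
                sess["hosts"].add(rec["dst"])
    return [
        {"user": s["user"], "src_ip": s["src_ip"],
         "login": s["login"].isoformat(), "hosts": sorted(s["hosts"])}
        for s in sessions if len(s["hosts"]) >= threshold
    ]


if __name__ == "__main__":
    for alert in find_rdp_fanout(SAMPLE_LOGS.splitlines()):
        print(f"{alert['user']} via {alert['src_ip']} at {alert['login']} "
              f"opened RDP to {len(alert['hosts'])} hosts: {alert['hosts']}")
```

On the sample data only the first session is flagged: the same pool address opens RDP to four different hosts within a few minutes of the VPN login, while the second user reaches a single workstation. The window and threshold are deliberately parameters, since what counts as abnormal fan-out depends on how administrators in a given environment actually use RDP.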

The researchers concluded from their findings that VPN systems allowing remote access to corporate networks pose a significant risk, because they effectively bypass all other internet-facing defences.

It's critical for an organisation to assess its outward-facing systems, including its various VPN services, and to monitor them constantly to ensure they are kept up to date. The deployment of such tools, VPNs included, should also be kept to the bare minimum.
