Iranian hackers unleash malware against aviation, petrochem industries — cybersecurity firm

Stuart Davis, a director at one of FireEye's subsidiaries, speaks to journalists about the techniques of Iranian hackers on Wednesday, Sept. 20, 2017, in Dubai, United Arab Emirates. A new report by FireEye, a cybersecurity firm, warned that a suspected group of hackers in Iran is targeting the aviation and petrochemical industries in Saudi Arabia, the US and South Korea. (AP Photo/Kamran Jebreili)
Updated 20 September 2017

DUBAI: A group of hackers suspected of working in Iran for its government is targeting the aviation and petrochemical industries in Saudi Arabia, the US and South Korea, a cybersecurity firm warned Wednesday.
The report by FireEye also said the suspected Iranian hackers left behind a new type of malware that could have been used to destroy the computers it infected, an echo of two other Iran-attributed cyberattacks targeting Saudi Arabia in 2012 and 2016 that destroyed systems.
Iran’s office at the United Nations did not immediately respond to a request for comment Wednesday, and its state media did not report on the claims. However, suspected Iranian hackers have long operated without caring whether they were identified or whether there would be consequences, which makes them incredibly dangerous, said Stuart Davis, a director at one of FireEye’s subsidiaries.
“Today, without any repercussions, a neighboring country can compromise and wipe out 20 institutions,” Davis said.
FireEye, which often works with governments and large corporations, refers to the group as APT33, where APT stands for “advanced persistent threat.” APT33 used phishing e-mails offering fake job opportunities to gain access to the companies affected, spoofing domain names so that the messages appeared to come from Boeing Co. or defense contractors.
The hackers remained inside the systems of those affected for “four to six months” at a time, able to steal data, and left behind the malware that FireEye refers to as Shapeshifter. The code contains references in Farsi, the official language of Iran, FireEye said.
Timestamps in the code also correspond to hackers working from Saturday to Wednesday, the Iranian workweek, Davis said. The programs used in the campaign are popular with Iranian coders, servers were registered via Iranian companies and one of the spies appears to have accidentally left his online handle, “xman_1365_x,” in part of the code.
That name “shows up all over Iranian hacker forums,” FireEye’s John Hultquist said. “I don’t think they’re worried about being caught. ... They just don’t feel like they have to bother.”
The Associated Press was able to find other clues pointing to an Iranian nexus. One of the e-mail addresses used to register a malicious server belongs to an Ali Mehrabian, who used the same address to create more than 120 Iranian websites over the past six years.
Neither Mehrabian, who listed himself as living in Tehran, nor “xman” returned e-mails seeking comment.
Iran developed its cyber capabilities in 2011 after the Stuxnet computer virus destroyed thousands of centrifuges involved in Iran’s contested nuclear program. Stuxnet is widely believed to be an American and Israeli creation.
Iran is believed to be behind the spread of Shamoon in 2012, which hit Saudi Arabian Oil Co. and Qatari natural gas producer RasGas. The virus deleted hard drives and then displayed a picture of a burning American flag on computer screens. Saudi Aramco ultimately shut down its network and destroyed over 30,000 computers.
A second version of Shamoon raced through Saudi government computers in late 2016, this time having the destroyed computers display a photograph of the body of 3-year-old Syrian boy Aylan Kurdi, who drowned fleeing his country’s civil war. Suspicion again fell on Iran.
FireEye’s report said it believed APT33 “is likely in search of strategic intelligence capable of benefiting a government or a military sponsor.”
High on the list of any potential suspects within Iran would be its paramilitary Revolutionary Guard. US prosecutors in March 2016 accused hackers associated with Guard-linked companies of attacking dozens of banks and a small dam near New York City. Hackers linked to the Guard have also been suspected of targeting the e-mail and social-media accounts of Obama administration officials.
___
Associated Press writer Raphael Satter in Paris contributed to this report.


Israel attacks southern Lebanon, Bekaa Valley  

  • Lebanon insists on return of residents to border villages as a prerequisite for discussing any economic zone 

BEIRUT: Two people, including a Hezbollah member, were killed, and more than five others injured on Sunday in Israeli airstrikes carried out without warning on towns in southern Lebanon and the northern Bekaa Valley. 

The attacks came while the Mechanism Committee, monitoring the implementation of the ceasefire agreement between Lebanon and Israel, is experiencing “temporary paralysis.” 

The date of its next meeting has yet to be confirmed, following the postponement of a session scheduled for Jan. 14 without a clear explanation. 

Israeli airstrikes targeted the towns of Bir Al-Salasel, Khirbet Selm, Kfar Dunin, Barish, and Bazouriye, as well as the vicinity of the Nabi Sheet and Janta towns in the northern Bekaa. 

The Lebanese Ministry of Health confirmed the deaths and injuries, while an Israeli military spokesperson said that the army attacked Hezbollah members working at a site used for producing weapons.

The strikes targeted a building where Hezbollah members were operating in the Bir Al-Salasel area in southern Lebanon. The building was being used to produce weapons, the spokesman said. 

The Israeli army claimed that its airstrikes on the northern Bekaa targeted “Hezbollah military infrastructure,” adding that the “Hezbollah members’ activity at the targeted sites constitutes a violation of the agreements between Israel and Lebanon and poses a threat to Israel.” 

The Mechanism Committee, headed by US Gen. Joseph Clearfield and tasked with monitoring the implementation of the cessation-of-hostilities agreement between Israel and Lebanon, is expected to resume its meetings on Feb. 25. 

The committee leadership has not officially confirmed the date, which remains under discussion among its members. 

An official Lebanese source told Arab News: “The failure of the Mechanism Committee to convene on Jan. 14, following two meetings that were held on Dec. 3 and 19 in Ras Al-Naqoura, indicates the existence of a crisis.” 

The source said that “during the two previous meetings, Lebanon insisted on its two demands for the return of residents to border villages from which they were displaced and where their homes were destroyed, as well as the reconstruction of these villages. These two clauses constitute the foundation upon which negotiations must be built.” 

The same source, who is involved in the Mechanism Committee’s meetings, said that “Lebanon’s only gateway for addressing the Israeli envoy’s proposition regarding the establishment of a border economic zone similar to a buffer zone is that the border villages must be inhabited by their residents from the Lebanese perspective. This condition cannot be overlooked under any circumstances.” 

The source said that “this was discussed with the US side, in particular, and the statement issued by the US on Dec. 19 regarding the negotiations and the progress made by the Lebanese army south of the Litani River presented acceptable evidence that Lebanon is now at the heart of the negotiations.” 

The source added: “Lebanon called on the Mechanism Committee to issue a statement endorsing the Lebanese army’s success in extending its control south of the Litani River, including acknowledgment from the Israeli side. 

“However, through the office of Prime Minister Benjamin Netanyahu, Israel only issued a statement referring to positives and negatives.”

Last week, Lebanese Finance Minister Yassine Jaber confirmed to Arab News, in a special interview from Davos on the sidelines of the World Economic Forum, that “the proposal to transform the Lebanese border area into an economic zone was immediately rejected.” 

The official Lebanese source attributed the reasons for the postponement of the latest Mechanism meeting to “a structural flaw within the committee, and to a crisis affecting the American delegation related to regional and international developments, in addition to an American-Israeli desire to exclude the French representative.” 

The official source spoke of two dilemmas: “There is an Israeli enemy persisting in its violations of the agreement and in its attacks on Lebanon. 

“On the other hand, the Israeli side submits evidence to the Mechanism Committee, including documents, photos, and videos, regarding Hezbollah’s restoration of its capabilities, at a time when its Secretary-General, Sheikh Naim Qassem, threatens civil war if Hezbollah’s weapons north of the Litani River are touched.” 

The source added: “For its part, the Lebanese Army presents evidence and documentation of what it has accomplished south of the Litani. This means that the Lebanese Army is achieving what it is capable of achieving with flesh and blood. It is aware of the existence of remaining Hezbollah weapons depots and is pursuing them.” 

The official source fears “a lack of progress in negotiations in light of all these documents, high-pitched statements, and the American complaint about the slow pace of negotiations.” 

He added: “The positions of Hezbollah officials do not help Lebanon’s stance within the Mechanism Committee, particularly with regard to capacity building.” 

The source said that “the adherence of the Hezbollah–Amal Movement duo to the Mechanism Committee does not mean their approval of any progress in negotiations. 

“When Lebanon proposes expanding the Lebanese delegation to include, for example, a former minister, this constitutes horizontal expansion rather than the vertical expansion that would serve the negotiation process, which should involve specialized experts and technicians. Consequently, any collapse of the ‘Mechanism’ meetings would mean that Lebanon would be facing a very difficult moment. 

“It appears that the history of Lebanese–Israeli negotiations is passing through its most dangerous phase today. The world is no longer negotiating with Lebanon solely over its rights, but over its ability to prevent war.” 

The official source also stressed that the “Mechanism” constituted a fundamental point of intersection among the participating states despite the difficulties affecting its work. 

He said: “The suspension of the committee’s work could be reflected in the issue of the exclusivity of weapons north of the Litani, as its absence would mean leaving matters without controls, pushing Lebanon into an even worse phase.” 

The official source said that “raising the level of representation of the Lebanese delegation is not currently on the table, but it is an inevitable end that Lebanon may reach according to the logic of events.” 

Lebanon is counting on the anticipated visit of Army Commander Gen. Rodolphe Haykal to Washington early next month, and on the Paris conference scheduled for March 5, to secure further support for the plan to confine weapons north of the Litani River.