Tag Archive for: Iranlinked

Iran-linked cyberattacks threaten equipment used in U.S. water systems and factories


Updated December 2, 2023 at 1:51 PM ET

An Iran-linked hacking group is “actively targeting and compromising” multiple U.S. facilities for using an Israeli-made computer system, U.S. cybersecurity officials say.

The Cybersecurity and Infrastructure Security Agency (CISA) said on Friday that the hackers, known as “CyberAv3ngers,” have been infiltrating video screens with the message “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”

The cyberattacks have spanned multiple states, CISA said. While the equipment in question, “Unitronics Vision Series programmable logic controllers,” is predominantly used in water and wastewater systems, companies in energy, food and beverage manufacturing, and health care are also under threat.

“These compromised devices were publicly exposed to the internet with default passwords,” CISA said.

The agency did not specify how many organizations have been hacked, but on Friday CNN reported that “less than 10” water facilities around the U.S. had been affected.

CyberAv3ngers was behind the breach at a water authority outside of Pittsburgh on Nov. 25. The Aliquippa water authority was forced to temporarily disable the compromised machine, but reassured citizens that the drinking water is safe.

While it did not cause any major disruptions to the water supply, the incident revealed just how vulnerable the nation’s critical infrastructure is to cyberattacks.

“If a hack like this can happen here in Western Pennsylvania, it can happen elsewhere in the United States,” Sens. John Fetterman and Bob Casey, and Rep. Chris Deluzio, who all represent the state, wrote in a letter to Attorney General Merrick Garland on Tuesday. The lawmakers urged the Justice Department “to conduct a full investigation and hold those responsible accountable.”

It also showed the scale and scope of Israel and Hamas’ cyberwarfare. Alongside the fight on the ground, both sides of the conflict are armed with dozens of hacking groups that have been responsible for disrupting company operations, leaking sensitive information online and collecting user data to plan future attacks.

“We’re now tracking over 150 such groups. And since you…


Israeli official’s housekeeper sentenced over spying for Iran-linked hackers


Israeli Defense Minister Benny Gantz’s housekeeper was sentenced to three years in prison for spying for an Iran-linked hacker group, as well as offering to download harmful malware onto his computer, Israeli prosecutors say.

Omri Goren Gorochovsky, 38, and his partner worked as cleaners at the home despite previous criminal convictions. Gorochovsky reached out to the Iran-linked hacker group, known as Black Shadow, through Telegram after hearing about a previous cyberattack on several Israeli websites, an indictment seen by Business Insider claims. The housekeeper sent the group distinguishing pictures of Gantz’s residence as proof he worked there before offering to further spy for them and upload spyware to the defense minister’s computer through a USB drive in exchange for $7,000, according to the filing.


Gorochovsky, who accepted a plea deal to avoid espionage charges that carry a sentence of 10-15 years, maintained his innocence.

“[Gorochovsky] is not a spy, and this isn’t a spying scandal,” attorneys Gal Wolf and Anat Yaari, Gorochovsky’s defenders, said, according to the Times of Israel. “This is about a man who found himself entangled in debt and identified a security breach.”

In his initial interrogation, Gorochovsky said he intended to trick the Iranian hackers.

“If they would have waited a few days before arresting me, they’d see that I’m not a spy. I wanted to trick the Iranians and take their money without sending them any photo or documents,” he said in his interrogation, according to Channel 12.

Later, however, he admitted to the accusations against him but denied knowing of the hackers’ ties to Iran.

“Who says it was the Iranians? It was hackers on Telegram,” he said in a court appearance.

Gorochovsky’s arrest last November sent shock waves through Shin Bet, Israel’s security agency, with questions arising as to how the housekeeper, who started working for Gantz before he entered politics, made it through the vetting…


Microsoft Disables Iran-Linked Lebanese Hacking Group Polonium


After detecting a Lebanese hacking group it calls Polonium abusing its OneDrive personal storage service, Microsoft says it was able to disable the group, which could have links to the Iranian government.

In its latest effort, the advanced persistent threat (APT) targeted more than 20 Israeli organizations and one intergovernmental organization. The Microsoft Threat Intelligence Center (MSTIC) says it suspended more than 20 malicious OneDrive applications created by Polonium actors in the campaign.

Among the targeted organizations were those involved in critical manufacturing, transportation systems, financial services, IT, and Israel’s defense industry, the software giant says – all of which offer an avenue to carry out downstream supply chain attacks.

“In at least one case, Polonium’s compromise of an IT company was used to target a downstream aviation company and law firm in a supply-chain attack that relied on service provider credentials to gain access to the targeted networks,” according to MSTIC. “Multiple manufacturing companies they targeted also serve Israel’s defense industry, indicating a Polonium tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access.”

Polonium’s Infection Routine

In 80% of the observed cases, the group exploited a flaw in Fortinet VPN appliances (likely the CVE-2018-13379 vulnerability) to gain initial access. They then installed a custom PowerShell implant called CreepySnail on the target networks, according to Microsoft. From there, the actors deployed a set of tools named CreepyDrive and CreepyBox to abuse legitimate cloud services for command-and-control (C2) across most of their victims.

MSTIC says with “moderate confidence” that the attacks were likely carried out with help from Iran’s Ministry of Intelligence and Security (MOIS).

“The observed activity was coordinated with other actors affiliated with Iran’s [MOIS], based primarily on victim overlap and commonality of tools and techniques,” the MSTIC assessment states. “The tactic of leveraging IT products and service providers to gain access to downstream customers remains…


Iran-linked hackers targeted dozens of US, Israeli defense firms, Microsoft says


Suspected Iranian hackers have targeted dozens of defense technology and maritime transportation firms, successfully breaching a small number, in a spying campaign under way since July that could leave some of the companies vulnerable to follow-on hacking attempts, Microsoft announced Monday.

Among the targets were companies that work with the U.S., European Union and Israeli governments to make satellite systems, drone technology and “military-grade radars,” Microsoft said.

It’s just the latest effort by an alleged Iranian hacking group to access sensitive data held in the maritime sector. Another Iranian group last year stole information on the military unit of U.S. Navy members, according to IBM.

“Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program,” Microsoft researchers wrote in a blog post on Monday.

Microsoft did not attribute the activity directly to an Iranian government organization but instead said the hacking “supports the national interests” of Iran based on a number of factors, including hacking techniques associated with another Iranian group.

John Lambert, head of Microsoft Threat Intelligence Center, told CNN that Microsoft discovered the hacking activity when responding to a breach of a U.S. financial services firm this summer.

The goal of releasing information on the intrusions now is to help organizations prepare for follow-on breach attempts, Lambert said. The hackers, he added, could look to use stolen login information to break into the internal networks of targeted organizations.

The suspected Iranian operatives tried guessing passwords at roughly 250 organizations, including unnamed U.S. and Israeli defense firms and organizations operating in Persian Gulf ports, according to Microsoft. The hackers managed to breach “less than 20” of those organizations, the tech firm said.

The maritime sector has long been of interest to Iran’s intelligence services, and the country sits on the Strait of Hormuz, through which about a fifth of the world’s oil shipments pass.

“Given Iran’s past cyber and military attacks against shipping and maritime targets, Microsoft believes…
