A previously unknown cyber espionage campaign using never-before-seen malware infiltrates global aerospace and telecommunications companies in a highly targeted operation that has been active since at least 2018, but has remained completely under the radar until July of this year.
The campaign is the work of a newly disclosed Iranian hacking group dubbed MalKamak, which was detailed by cybersecurity company Cybereason Nocturnus after it was called in by a customer to investigate a security incident.
Dubbed Operation GhostShell, the cyber espionage campaign aims to compromise the networks of companies in the aerospace and telecommunications industries in order to steal sensitive information about assets, infrastructure and technology. The targets – which were not disclosed – are located primarily in the Middle East, with additional victims in the United States, Europe and Russia. Each target appears to have been handpicked by the attackers.
“It’s a very, very targeted type of attack,” Assaf Dahan, head of threat research at Cybereason, told ZDNet. “We have only managed to identify a dozen victims in the world.”
MalKamak distributes a previously undocumented Remote Access Trojan (RAT) known as ShellClient, designed for espionage, which has gone undetected for three years. One reason the malware has remained so effective is that its authors have put considerable effort into making it stealthy enough to evade antivirus and other security tools, and the malware receives regular updates to keep it that way.
“With each iteration, they add more functionality, they add different levels of stealth,” Dahan said.
ShellClient has even started to use a Dropbox client for command and control within target networks, which makes it harder to detect: many companies may not think twice about yet another cloud collaboration tool being active on the network, if they notice it at all.
It’s all part of the plan to use the Trojan to monitor systems, steal user credentials, secretly execute commands on networks, and ultimately steal sensitive information. Each infected machine is given a unique identifier so that attackers can track their work during the weeks and months they snoop around compromised networks.
“Once they get in, they start to do a deep network reconnaissance. They map important assets – the crown jewels they would be looking for, key servers like Active Directory, but also corporate servers that hold the type of information they’re after,” Dahan said.
The campaign remained undetected until July, when researchers were called in to investigate an incident. It is possible that the attackers became overconfident in their tactics and overplayed their hand, leaving behind evidence that allowed researchers to identify the campaign and the malware deployed.
“Depending on what we’re seeing, over the past year, they’ve accelerated. Sometimes when you’re faster you can be slightly sloppy or just there will be more cases that get caught,” Dahan explained.
Analysis of MalKamak’s tools and techniques led researchers to conclude that the attacks were the work of an Iranian hacking operation: one of the tools the ShellClient RAT uses for credential dumping is a variant of SafetyKatz, which has been linked to previous Iranian campaigns. The targeting of telecommunications and aerospace companies operating in the Middle East also aligns with Iran’s geopolitical objectives.
While there are similarities to known Iranian state-backed cyber espionage operations, most notably Chafer (APT39), which uses similar techniques to target victims in the Middle East, the United States and Europe, as well as Agrius APT, which shares similarities in malware code, the researchers believe MalKamak is a new Iranian cyber operation – although it likely has ties to other state-sponsored activity.
Researchers also believe Operation GhostShell remains active and that MalKamak will continue to evolve the way it conducts its attacks in order to keep stealing information from targets. It is currently unclear how the attackers gain initial access to a network, but it is possible that this happens through phishing attacks or by exploiting unpatched vulnerabilities.