For all the talk about China and the Syrian Electronic Army, it seems there is another threat to U.S. cyber interests: Iran. A series of potentially destructive computer attacks targeting American oil, gas and electricity companies has been traced back to Iran.
Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines. Malware has been found in the power grid that could be used to deliver malicious software to damage plants. The targets have included several American oil, gas and electricity companies, which government officials have refused to identify.
The officials stated that the goal of the Iranian attacks is sabotage rather than espionage. The cyber attacks from China, by contrast, are aimed more at stealing confidential information from the U.S. government and from private businesses. Mandiant announced that the Chinese government was backing those attacks. However, officials from the government in Beijing vehemently denied any connection to them.
The new attacks, officials said, were devised to destroy data and manipulate the machinery that operates critical control systems, like oil pipelines. Iran has denied being the source of any attacks, adding that it had been a victim of American sabotage.
Tom Cross, director of security research at Lancope, said that industrial control systems such as those used to control oil and gas pipelines are more interconnected with public networks like the Internet than most people realize. "It is also difficult to fix security flaws with these systems because they aren't designed to be patched and restarted frequently. In the era of state-sponsored computer attack activity, it is not surprising to hear reports of these systems being targeted," he said.
Government officials also claimed that Iran was the source of a separate, continuing campaign of attacks on American financial institutions that began last September and has since taken dozens of American banks intermittently offline, costing millions of dollars. That attack, however, was a less sophisticated denial-of-service effort.
Monday, March 11, 2013, by Mohit Kumar
Iran has spent years fending off cyber attacks, blocking access and isolating its own intranet from the outside world. Many Iranians were using virtual private networks (VPNs), which provide encrypted links directly to private networks based abroad, to access sites like YouTube and Facebook after bypassing the country's internet filter.
But recently, Iranian authorities have blocked the use of most virtual private networks to stop people in the country from circumventing the government's internet filter.
A widespread government internet filter prevents Iranians from accessing many sites on the official grounds they are offensive or criminal.
Ramezanali Sobhani-Fard, the head of parliament's information and communications technology committee said, "Within the last few days illegal VPN ports in the country have been blocked. Only legal and registered VPNs can from now on be used."
Registered and legal VPN access can still be purchased, but the typical filter workarounds no longer work.
Tuesday, December 18, 2012, by Mohit Kumar
Iranian CERT is sounding the alarm over another bit of data-deleting malware it has discovered on PCs in the country. Dubbed Batchwiper, the malware systematically wipes any drive partitions starting with the letters D through I, along with any files stored on the Windows desktop of the user who is logged in when it is executed.
Why the name Batchwiper? It was chosen because the malware is packed in a batch file.
The malware initiates its data-wiping routine on certain dates, the next one being Jan. 21, 2013. However, the dates of Oct. 12, Nov. 12 and Dec. 12, 2012, were also found in the malware's configuration, suggesting that it may have been in distribution for at least two months.
GrooveMonitor.exe is the original dropper, a self-extracting RAR file; once executed, it extracts the following files:
-- \WINDOWS\system32\SLEEP.EXE, md5: ea7ed6b50a9f7b31caeea372a327bd37
-- \WINDOWS\system32\jucheck.exe, md5: c4cd216112cbc5b8c046934843c579f6
-- \WINDOWS\system32\juboot.exe, md5: fa0b300e671f73b3b0f7f415ccbe9d41
Then juboot.exe is executed, which creates and executes the following batch file:
\Documents and Settings\%User%\Local Settings\Temp\1.tmp\juboot.bat
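As an added defender-side example (not code from the original article or from the Iranian CERT advisory), the following Python script walks a directory tree and flags files whose MD5 matches the three hashes listed above, or whose name matches the dropper, dropped-file or batch-file names. Name-only matches are reported separately, since only the hash is a reliable indicator; the function and parameter names are my own.

```python
import hashlib
import os
import sys

# Indicators taken from the Iranian CERT description quoted above:
# MD5 hashes of the three files dropped by GrooveMonitor.exe.
BATCHWIPER_HASHES = {
    "sleep.exe": "ea7ed6b50a9f7b31caeea372a327bd37",
    "jucheck.exe": "c4cd216112cbc5b8c046934843c579f6",
    "juboot.exe": "fa0b300e671f73b3b0f7f415ccbe9d41",
}
# Dropper and generated batch file, for which the page gives no hash;
# these can only be matched by name.
BATCHWIPER_NAMES = {"groovemonitor.exe", "juboot.bat"}


def md5_of_file(path, chunk_size=1 << 16):
    """Return the hex MD5 of a file, reading it in chunks so large files are fine."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, hash_iocs=None, name_iocs=None):
    """Walk `root` and return a list of (path, reason) tuples.

    A file is reported as an 'md5 match' when its hash is in `hash_iocs`,
    and as a 'filename match only' when its (case-insensitive) name equals
    one of the known file names but the hash differs. Hash matches are
    checked first, so a true positive is never downgraded to a name match.
    """
    hash_iocs = BATCHWIPER_HASHES if hash_iocs is None else hash_iocs
    name_iocs = BATCHWIPER_NAMES if name_iocs is None else name_iocs
    known_hashes = {h.lower() for h in hash_iocs.values()}
    known_names = {n.lower() for n in hash_iocs} | {n.lower() for n in name_iocs}

    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                # Unreadable (locked, permission denied): skip rather than abort the scan.
                continue
            if digest in known_hashes:
                hits.append((path, "md5 match " + digest))
            elif name.lower() in known_names:
                hits.append((path, "filename match only (hash differs)"))
    return hits


if __name__ == "__main__":
    # Usage: python batchwiper_scan.py <directory>   (hypothetical script name)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, reason in scan_tree(target):
        print(f"{reason}: {hit_path}")
```

Run it against a Windows system directory (or a mounted disk image) and treat any "md5 match" as a confirmed Batchwiper artifact; a "filename match only" is worth a look but can equally be an unrelated file that happens to share a name such as sleep.exe.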
According to the Iranian CERT advisory, "However, it is not considered to be widely distributed. This targeted attack is simple in design and it does not have any similarity to the other sophisticated targeted attacks."
In the past, Iran has accused the US and Israel of being behind the Flame attack as well as the Stuxnet virus. Such attacks are seen as an effort to cripple the Islamic Republic's nuclear program, which Western countries fear is being used to make a bomb.