Thamar Reservoir
An Iranian cyber-attack campaign against targets in the Middle East
Clearsky
TLP:WHITE - For public distribution
© Clearsky - Cyber security. clearskysec.com
Page 1 of 18
Modus operandi - investigation of targeted attacks
Part 1 - spear phish #1 - with malware
Part 2 - phone calls to victims
Part 3 - spear phishing #2
Part 4 - breaking into an Israeli research institute to set up phishing page #3
Part 5 - spear phishing #4
Part 6 - Abusing account recovery mechanisms
Part 7 - Private messages
Targets and further incidents
The Iranian connection
Technical indicators and IoC
Malicious Email accounts
Foreword
This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate this campaign may date as far back as 2011. We call this campaign Thamar Reservoir, named after one of the targets, Thamar E. Gindin [1], who exposed new information about the attack and is currently assisting with the investigation.
The campaign includes several different attacks with the aim of taking over the target’s computer or gain access to their email account. We estimate that this access is used for espionage or other nation-state interests, and not for monetary gain or hacktivism. In some cases, the victim is not the final target; the attackers use the infected computer, email, or stolen credentials as a platform to further attack their intended target.
The attackers are extremely persistent in their attempts to breach their targets. These attempts include:
Breaching trusted websites to set up fake pages.
Multi-stage malware.
Multiple spear phishing emails based on reconnaissance and information gathering.
Phone calls to the target.
Messages on social networks.
While very successful in their attacks, the attackers are clearly not technically sophisticated. They are not new to hacking, but they make various mistakes, such as grammatical errors, exposure of attack infrastructure, easy-to-bypass anti-analysis techniques, lack of code obfuscation, and more.
These mistakes enabled us to learn about their infrastructure and methods. More importantly, we have learned of 550 targets, most of them in the Middle East, from various fields: research on diplomacy, the Middle East and Iran, international relations, and other topics; defense and security; journalism and human rights; and more.
Various characteristics of the attacks and their targets bring us to the conclusion that the threat actors are Iranian. In addition, we note that these attacks share characteristics with previously documented activities:
Attacks conducted using the Gholee malware, which we discovered.
Attacks reported by Trend Micro in Operation Woolen-Goldfish.
Attacks conducted by the Ajax Security Team as documented by FireEye.
Attacks seen during Newscaster as documented by iSight.
[1] Dr. Gindin is an expert on Iranian linguistics and Pre-Islamic Iran, a renowned lecturer and research fellow at the Ezri Center for Iran and Persian Gulf Research at the University of Haifa.
Modus operandi - investigation of targeted attacks
This chapter contains an in-depth analysis of a series of attacks against one of the Thamar Reservoir targets.
The heavy attack began two days after the target, Dr. Thamar E. Gindin, was interviewed on the IDF radio station [2].
Over the course of two weeks, the threat actor used the following attacks against a single target:
1. One spear phishing email containing malware.
2. Three separate email messages with links to a fake log-in page (including two-factor authentication), one of them hosted on a breached website, the other two on dedicated domains.
3. Two phone calls from the attacker, designed to build rapport for one of the phishing emails.
4. Numerous attempts to take over cloud accounts using their Account Recovery mechanism.
5. Numerous messages on Facebook and by e-mail.
While we describe this case mostly from the point of view of a single target, we would like to emphasize that these scenarios repeated themselves for many other targets.
Part 1 - spear phish #1 - with malware
In May 2015 a legitimate email was sent asking several researchers to fill out a form that was sent as a Word document. The attackers obtained this correspondence, presumably by breaching the email account of the sender. They created a new Gmail account with a username similar to that of the original sender. Then, they sent the recipients a follow-up message (including the initial correspondence), asking them to fill out the attached form again. This time, the attachment was a weaponized Microsoft Excel file (the file is analyzed in the “Malware analysis” chapter of this report).
In other cases the attackers used the same methods - sending malware or phishing from a cloud email service (such as Gmail or Hotmail) using a username similar to that used by one of the target’s acquaintances.
The malicious email was written in the original language of the correspondence, Hebrew. But it is clear that the attackers do not know Hebrew, as they made grammatical errors in the few words they added to it (the rest were copied from the original email). Other messages, in English and Farsi, were analyzed by several specialists [3] and were determined to have been written by a native Iranian Persian speaker.
[2] The interview revolved around “her own way to being a linguist and an Iranist, and promoting her books "The Good, the Bad and the World - a Journey to Pre-Islamic Iran" and "The Book of Esther, Unmasked"”.
[3] Three of the targets are Iran and Middle East researchers, and two of them are native Farsi speakers. Going through numerous messages they received, and in one case a phone call, they determined that the writer/speaker is a native Iranian Persian speaker.
Below is an example of another case (the email includes the professional signature of the impersonated
Part 2 - phone calls to victims
A week later, the attackers called the target’s office number. The office manager, who received the call, later said that someone with “bad English” had asked to schedule an interview. The attackers later called the target’s personal cell phone, and left a similar message with a callback number in London.
The attackers called the targets in other cases as well. For example, after breaching the password of a victim back in November 2014, the attacker called, pretending to be the assistant of a professor abroad who wished to talk to the victim. After several “unexplained” cut-offs during the call, the attacker said they should switch to Google Hangout, asking for the “conversation code” the victim had just received on his cell phone. The code was actually the second-factor authentication code for the victim’s Gmail account. As soon as he gave it away, the attackers took over his Gmail, Facebook and other accounts.
Part 3 - spear phishing #2
That evening, the target received an email written in Farsi, coming from a spoofed firstname.lastname@example.org email address (the real address of BBC Farsi). The message was a follow-up on the call that morning, asking to schedule the interview for the next day:
The headers of the message indicate that it was spoofed, and was actually sent from a server in Hungary, mail5.maxer.hu.
The email contained a linked text, Document.pdf, with this URL:
https://www.google.com/url?q=http://login-users.com/DriveAuto/AutoSecond?Chk=redacted&sa=D&sntz=1&usg=redacted
The URL is composed of two parts. The first part is a legitimate Google.com address with the q= parameter. The second part is the value of that parameter: a fake Google Drive log-in page in the attacker-controlled domain login-users.com. Upon clicking the link, the target is redirected to the address in the q= parameter.
This is a trick the attackers use to mislead the target, making her think she is about to visit a legitimate Google website.
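The redirect trick described above can be checked mechanically before a user ever clicks: unwrap the q= parameter and look at the host that the link actually lands on. The following is an added example (not code from the Clearsky report) that does exactly that offline with the standard library. The only redirector it knows is the google.com/url?q= form quoted in the report; the REDIRECTORS table and the list of trusted suffixes are assumptions to extend for your own mail flow.

```python
from urllib.parse import urlparse, parse_qs

# Redirector hosts and the query parameter that carries the real destination.
# Assumption: only the google.com/url?q= form seen in the report is listed here.
REDIRECTORS = {
    "www.google.com": ("/url", "q"),
}

# Hosts the organisation considers legitimate landing points (assumed list).
TRUSTED_SUFFIXES = ("google.com",)


def unwrap_redirect(url: str, max_hops: int = 3) -> list:
    """Follow nested redirector links purely by parsing; nothing is fetched.
    Returns the chain of URLs, the last element being the final destination."""
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        entry = REDIRECTORS.get((parsed.hostname or "").lower())
        if entry is None or parsed.path != entry[0]:
            break
        target = parse_qs(parsed.query).get(entry[1])
        if not target:
            break
        chain.append(target[0])
    return chain


def is_trusted_host(host: str, suffixes=TRUSTED_SUFFIXES) -> bool:
    """True when host equals a trusted suffix or is a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def analyze_link(url: str) -> dict:
    """Summarise what the user sees (the outer host) versus where the link ends up."""
    chain = unwrap_redirect(url)
    final_host = urlparse(chain[-1]).hostname or ""
    return {
        "displayed_host": urlparse(url).hostname,
        "final_host": final_host,
        "hops": len(chain) - 1,
        # Suspicious: a redirector was used and the landing host is not trusted.
        "suspicious": len(chain) > 1 and not is_trusted_host(final_host),
    }


if __name__ == "__main__":
    # The link quoted in the report (values already redacted there).
    link = ("https://www.google.com/url?q=http://login-users.com/DriveAuto/AutoSecond"
            "?Chk=redacted&sa=D&sntz=1&usg=redacted")
    print(analyze_link(link))
```

Because the check is pure parsing, it can run inside a mail gateway or a SIEM enrichment step without touching the attacker's infrastructure; the "displayed_host" versus "final_host" pair is what a user-facing warning should show.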
The fake Google Drive log-in page was customized to the target; her real username was already filled in:
The Whois information for the domain is similar to that used in legitimate Google-owned domains, except for the ‘d’ instead of ‘b’ in the “registrant-email” value: email@example.com:
The attacker sent three follow-up emails to make sure the target had received the first one, from the same server in Hungary and with the Reply-To address firstname.lastname@example.org.
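Two header facts gave this message away: the first Received hop was a server (mail5.maxer.hu) unrelated to the claimed sender, and the Reply-To address differed from the From address. The following is an added example, not code from the report, that parses a message with Python's standard email module and reports both conditions. The sample headers are constructed for the example; the addresses are placeholders, and only the hop name mail5.maxer.hu is taken from the report.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (placeholders, not the real addresses from the case).
SAMPLE_HEADERS = """\
Received: from mail5.maxer.hu (mail5.maxer.hu [192.0.2.10]) by mx.target.example with ESMTP; Tue, 19 May 2015 18:02:11 +0000
From: "News Desk" <reporter@news.example>
Reply-To: reporter.news@webmail.example
To: target@target.example
Subject: Interview request

"""


def domain_of(addr_header: str) -> str:
    """Extract the lower-cased domain from a From:/Reply-To: style header value."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def first_hop_host(msg) -> str:
    """Host named in the earliest Received: header (the last one listed), i.e. the
    server that injected the message into the mail system."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    parts = received[-1].split()
    if len(parts) > 1 and parts[0].lower() == "from":
        return parts[1].lower()
    return ""


def spoof_indicators(raw_message: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    hop = first_hop_host(msg)
    findings = []
    # Indicator 1: replies are steered to a domain other than the claimed sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Indicator 2: the injecting server does not belong to the claimed sender's domain.
    if hop and not (hop == from_domain or hop.endswith("." + from_domain)):
        findings.append(f"first Received hop {hop} is outside From domain {from_domain}")
    return findings


if __name__ == "__main__":
    for finding in spoof_indicators(SAMPLE_HEADERS):
        print("INDICATOR:", finding)
```

One caveat for anyone wiring this into triage: only the Received lines added by your own mail servers are trustworthy, since a sender can prepend fake ones; in practice you anchor on the hop your own edge MTA recorded rather than on the bottom-most line, and combine the result with SPF/DKIM/DMARC evaluation rather than treating a hop mismatch alone as proof of spoofing.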
Part 4 - breaking into an Israeli research institute to set up phishing page #3
The next morning, several targets received an email inviting them to participate in an "Iran Israel Forum” of an Israeli research institute. The email can be seen below (sensitive information has been redacted):
The headers of the email indicate that the email was not spoofed, and had been sent from the research institute. As can be seen, the email contained various grammatical mistakes. Moreover, anyone who knows the institute would notice that parts of the message are inaccurate (this will not be elaborated here in order not to expose the institute’s identity).
The words “Access To Forum” linked to a page within the real, compromised, website of the institute. The page contained more information about the “forum”, and offered four “sign in” options, as can be seen in the screenshot below:
Clicking one of the sign-in options led to a custom-made log-in page, again with the target’s username, email, and picture already present:
Upon submission, the victim is redirected to a static “registration confirmed” page.
Interestingly, the log file for the previous pages was hosted publicly on the same virtual folder. The log contained the false credentials the target submitted (as she recognized this was a fake) [4]:
We reported the breach to the institute, and they investigated and cleaned it up. They informed us that their own servers were never breached. Rather, a server run by a researcher who was given a “virtual folder” within their domain was. This, of course, did not change the end result: the attackers managed to implant a fake page within the institute's domain, and were able to send an email using the same domain. This pattern is recurring: the attackers go after “low-hanging fruit” in order to reach their goal rather than using advanced technical means.
Part 5 - spear phishing #4
Four days later, the target received the following email from the same fake address as in part 1:
[4] The “pass” field is intermingled with the IP field in the original log file due to bidirectionality issues.
The email contained the real textual signature of the sender, and the word Toda (“thank you” in Hebrew), which the sender usually writes.
The hyperlink text in the message appeared to be leading to youtube.com, but in fact linked to a fake address that only looked like a YouTube domain.
The page contained a “private Youtube video”, asking the viewer to sign in in order to watch it:
After signing in, the page redirected to a specific interview in the target’s real YouTube channel, proving once again that the attacks are targeted and based on reconnaissance.
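The YouTube lure relies on two things a parser can catch: the visible link text names youtube.com while the href points elsewhere, and the fake host merely contains the brand name. The following added example (not from the report) extracts anchors from an HTML mail body with the standard html.parser module and flags both conditions. The sample body and the look-alike host in it are constructed placeholders; the report does not disclose the actual fake domain, and it is not reproduced here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body. The first link's href host is a placeholder look-alike,
# not the real fake domain from the case; the second link is a genuine YouTube URL.
SAMPLE_BODY = """<p>Toda! Here is the interview:
<a href="https://youtube.com-watch.example/v/abc123">https://www.youtube.com/watch?v=abc123</a></p>
<p><a href="https://www.youtube.com/channel/real">channel</a></p>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a host. A crude stand-in for a public-suffix lookup,
    adequate for .com-style hosts but not for co.uk-style suffixes."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_url(text: str) -> bool:
    return text.startswith(("http://", "https://", "www."))


def mismatched_links(html: str, brand_domains=("youtube.com",)) -> list:
    """Return (href, reason) pairs for links whose text or host is deceptive."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        href_reg = registered_domain(href_host)
        # Check 1: the visible text is a URL whose domain differs from the real target.
        if looks_like_url(text):
            text_url = text if "://" in text else "http://" + text
            text_host = urlparse(text_url).hostname or ""
            if registered_domain(text_host) != href_reg:
                findings.append((href, f"text shows {text_host} but link goes to {href_host}"))
                continue
        # Check 2: a brand name appears inside a host the brand does not own.
        for brand in brand_domains:
            if brand in href_host and href_reg != brand:
                findings.append((href, f"look-alike host {href_host} imitates {brand}"))
    return findings


if __name__ == "__main__":
    for href, reason in mismatched_links(SAMPLE_BODY):
        print(f"{reason}  [{href}]")
```

The brand list is the only tuning knob: seed it with the services your users are actually asked to sign in to (the report's attackers imitated Google Drive and YouTube), and feed the findings into the same quarantine or banner logic used for redirector links.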
Part 6 - Abusing account recovery mechanisms
During the writing of this article, the attackers continued to attempt to take over various accounts of the target. For example, they tried to fool Google into giving them access to the target’s Gmail accounts using the Google Account Recovery process [5] (a process which in certain cases enables one to regain access to an account even if the password and other means of authentication are unavailable).
The attackers tried similar methods against the target’s account on Facebook and Yahoo, and had also set up a fake Hotmail account, which was used as the secondary email to which the recovered password should be sent.
Part 7 - Private messages
The target has been contacted by various “weird” characters on Facebook and by e-mail. They have been asking her various questions that have nothing to do with her professional expertise and tried to contact her in various ways. The conversations are conducted in Persian.
We cannot find a direct connection between these Facebook characters and the above-mentioned attacks. However, beyond their timing close to the attacks, we do know that at least one of the accounts is fake.
[5] https://www.google.com/accounts/recovery/