Company Confidential

THIS IS A COVER SHEET FOR TRAFFIC LIGHT PROTOCOL: GREEN INFORMATION

When Should It Be Used: Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.

How Should It Be Shared: Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

For more information: https://www.us-cert.gov/tlp

Copyright © 2014, CTP & Norse– All Rights Reserved Page 1 of 12 TLP: GREEN Cyber Intelligence Bulletin: Cyber Threat Increasing

Cyber Intelligence Bulletin: Malicious cyber activity originating from the Islamic Republic of Iran is increasing in intensity

January 27, 2015

Copyright © 2015, Norse Corporation – All Rights Reserved NOT FOR GENERAL DISTRIBUTION Page 2 of 12 TLP: GREEN Cyber Intelligence Bulletin: Iran Cyber Threat Increasing

Scope:

This Cyber Intelligence Bulletin (CIB) describes Indication & Warning (I&W) data collected by the global Norse DarkMatter™ intelligence network and analyzed by the Norse Fusion Intelligence team. While this report includes some new intelligence regarding attacks on industrial control systems, it is not a comprehensive survey. Later this year, Norse will publish a separate bulletin, code-named #opICS, detailing more than 500,000 attacks on Industrial Control Systems over the last 24 months. Norse provides live attack intelligence to the victims in this report through our responsible disclosure policy.

Overview of Indications and Observables:

Malicious Cyber Activity from Iran is increasing in intensity

Norse has observed a significant jump in attack frequency, intensity, and sophistication originating from IP addresses and/or ‘bad actors’ connected with the Islamic Republic of Iran (see Figure 1). Historically, Norse sees peaks of 1000 and spikes of 1500 attacks per second from Iranian-controlled IP space.

Iran specifically targeted Industrial Control Systems in the United States forty-seven (47) times during 2014. There was a concentration of attack activity originating from the Iranian City of Ahar. This compares with less than 5 instances of the same activity in 2013.

Norse Intelligence Analysts closely examined 751 malicious web defacement events involving 238 unique IPs since December 16, 2014 and have connected these events with the Ashiyane Digital Security Team.

Norse is tracking several previously unknown Iranian hacking groups and associated individuals.

[Figure 1 – Attacks over one month period (Dec 18, 2015 to Jan 18, 2015). Y-axis: attacks per second; X-axis: date of observed attacks.]


Assessment:

Norse’s overall assessment is that Iran may be ‘prepping the battlefield’ for a larger operation or offensive. This assessment is based on the uptick in recently observed traffic and the focus on ICS/SCADA with increasing sophistication.

There are indications that these web-defacement activities may in fact be connected with state-sponsored training operations for new Iranian hackers. Among other indicators, this is based on a significant increase in new alias names and groups observed in Iranian hacker-dominated social media.

Norse assesses Iranian actors are stockpiling new command and control (C2) nodes and botnets. This is based on the combination of increased Botnet traffic and the random distribution of targets. (See figure 4 in the Analysis)

Attacks focusing on western Industrial Control Systems, specifically in the Energy sector, indicate Iran is broadening its critical infrastructure aperture to include “softer targets” than western banks.

Analysis of the 35 Most Aggressive IP Addresses Controlled by the Islamic Republic of Iran

Norse’s global network of threat intelligence sensors detected attacks emanating from 35,432 IP addresses in Iran. Our fusion analyst team has distilled this list down to the top 35 most aggressive IPs (see Table 1) with an eye towards understanding their associated tactics, techniques and procedures (TTPs). Designation as a most aggressive IP was based on a combination of multiple factors, including the level of malicious activity (i.e. how often an IP was observed) and the degree of sophistication of the activity (i.e. how dangerous).

The tactics, techniques and procedures used to target the Norse sensor grid ranged from simple web-based SQL injection attacks to more creative deception-based attacks that mask attacker sources and methods. Our analysis points to attacks from Persian-based hackers operating from systems they control rather than from remotely exploited systems. We have seen attacks targeting both Windows and UNIX vulnerabilities in mail (SMTP), remote access (TELNET), Server Message Block (SMB) and Remote Desktop Protocol (RDP), exploited to gain privilege escalation. Iran’s growing sophistication was demonstrated by the use of customized tools and advanced techniques to perform cache poisoning, obfuscation through encryption, and credential dumping.


| IP Address | City | Organization |
|---|---|---|
| 91.98.59.194 | Pars | Static-Pool-TRV |
| 212.50.242.96 | Kashan | Persia System Kashan |
| 94.182.163.74 | | DSL Network |
| 212.33.204.161 | Tehran | provided by Pishgaman Tose Ertebatat ISTP |
| 2.180.26.217 | Khorasan | Company of Khorasan Razavi for A |
| 2.180.101.221 | Khorasan | Telecommunication Company of Khorasan Razavi for A |
| 37.255.110.59 | Esfahan | Telecommunication Company (P.J.S.) |
| 78.39.116.2 | Yasuj | Daneshgah Yasuj |
| 178.252.133.3 | Novin | Novin Moje Ghaemshahr |
| 194.225.24.11 | Tehran | Shahid Beheshti Univ. |
| 85.185.67.214 | Shahrood | shahrood university of technology |
| 217.219.202.141 | Ilam | Medical University Ilam |
| 79.175.181.15 | Abasabad | AFRANET Sahand LAN |
| 109.162.173.188 | Tehran | Datak WiMAX POOL |
| 89.165.86.106 | | Sabanet network in Qazvin |
| 109.230.83.174 | Jamshidiyeh | Boomerang Rayaneh |
| 37.114.204.31 | Shahid Bahonar | Shahid Bahonar University |
| 79.175.173.4 | Tehran | Behbood Tehran ISP |
| 91.98.98.205 | Pars | Static-Pool-D |
| 37.254.47.72 | Esfahan | TCE ADSL Dynamic |
| 2.186.80.134 | East Azarbayjan | Telecommunication company -Tabriz |
| 87.247.179.190 | Pars | Pars Data |
| 188.159.37.67 | | Neda Gostar Saba Data Transfer Company Private Joi |
| 109.122.226.99 | Jahan | Jahan Ruye Khat |
| 2.179.85.227 | Delijan | Telecommunication company |
| 89.165.112.27 | Esfahan | Sabanet Isfahan Network |
| 188.159.204.141 | | Neda Gostar Saba Data Transfer Company Private Joi |
| 78.39.133.5 | | Information Technology Company (ITC) |
| 178.248.41.117 | Tehran | Bahar Samaneh Shargh Company Ltd. |
| 151.232.186.168 | Fars | PJSC Fars Telecommunication Company |
| 2.181.27.124 | Salman Shahr | Telecommunication Company of Mazandaran for ADSL u |
| 91.98.139.172 | Pars | |
| 5.202.162.250 | Pishgaman | Pishgaman Toseeh Ertebatat Company (Private Joint- |
| 79.175.174.138 | Tehran | Aryan Mahvareh |
| 92.242.202.107 | | Respina Networks & Beyond PJSC |

Table 1 - Top 35 Most Aggressive IP Addresses controlled by Iran, as detected by the Norse DarkMatter Intelligence Network (December 2014).


Targeting of Industrial Control Systems

During the course of the study, our team detected 47 separate attempts to infiltrate industrial control systems of western companies in the energy sector. The table below describes the ICS System, the company of manufacture, and the associated function of the ICS.

| Industrial Control System | Company | Business purpose of ICS |
|---|---|---|
| OASyS DNA | Schneider Electric, formerly Televent | Electrical distribution and energy automation [1] |
| SNC GENe | GE Energy, formerly SNC-Lavalin Group | Oil & Gas Pipeline Systems [2] |
| DNP3 (Distributed Network Protocol) | N/A | Common communication protocol in electric and water companies [3] |
| Spectrum Power TG | Siemens | Energy Management System [4] |
| PI Server | OSIsoft | Energy Management System for Oil & Gas [5] |

Table 2 – Some Industrial Control Systems Targeted by Iranian Cyberattacks in 2014

During the study, Norse analysts witnessed digital reconnaissance operations originating from Iranian IP Addresses and specifically targeting Industrial Control Systems.

Our analysts observed sophisticated tactics such as hiding ICS port/protocol scanning inside larger port ranges to obfuscate the true intent. The adversary also used techniques designed to evade internet filtering (e.g. firewalls), such as sourcing their activity from commonly unfiltered ports like UDP port 53 (DNS) and TCP port 80 (HTTP).

1 “Scada Oasys DNA overview”, n.d., http://tinyurl.com/televent (accessed 20 January 2015)
2 Chuck, “Measuring The Impact Of GE Energy’s Acquisition Of SNC Lavalin ECS Business Unit”, 2010, http://www.newton-evans.com/measuring-the-impact-of-ge-energys-acquisition-of-snc-lavalin-ecs-business-unit/ (accessed 20 January 2015)
3 “DNP3”, n.d., http://en.wikipedia.org/wiki/DNP3 (accessed 20 January 2015)
4 “Spectrum Power”, n.d., http://tinyurl.com/qyt52sb (accessed 20 January 2015)
5 “Oil & Gas Exploration & Production”, http://www.osisoft.com/industry/oil-gas.aspx (accessed 20 January 2015)


Further analysis revealed a “hot spot” in Ahar Iran where 95.82.0.0/16 and 109.230.108.108/22 appear to be heavy cyberattack platforms, launching many thousands of distinct attacks over the past 24 months.
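The two observations above, ICS ports buried inside broad port sweeps sourced from normally unfiltered ports, and a small set of hot-spot prefixes, translate directly into a flow-record triage check a defender can run. The following is an added example written for this bulletin, not Norse tooling: it reads constructed flow records, matches sources against the two hot-spot prefixes quoted above, and flags sweeps that touch an ICS port or are sourced entirely from ports 53/80. The sample flows and the sweep threshold are constructed; the only ICS port used is DNP3's well-known 20000/tcp, since the bulletin names DNP3 but gives no port numbers. Note that 109.230.108.108/22 as printed has host bits set; `ipaddress` with `strict=False` normalises it to 109.230.108.0/22.

```python
"""Flow-record triage for the ICS reconnaissance patterns described in the bulletin.

Added example, not Norse code. All flow lines below are constructed.
"""
import ipaddress
from collections import defaultdict

# Hot-spot prefixes quoted in the bulletin. The second is written with host
# bits set (109.230.108.108/22); strict=False normalises it to 109.230.108.0/22.
HOTSPOT_PREFIXES = [
    ipaddress.ip_network(p, strict=False)
    for p in ("95.82.0.0/16", "109.230.108.108/22")
]

# TCP ports of ICS protocols named in the bulletin. DNP3 (20000/tcp) is the
# only one with a well-known IANA assignment; extend with your own ports.
ICS_PORTS = {20000}

# Source ports the bulletin says are used because they are commonly unfiltered.
EVASION_SRC_PORTS = {53, 80}

# Minimum distinct destination ports from one source before it counts as a sweep
# (constructed threshold; tune to the sensor's baseline).
SWEEP_THRESHOLD = 50


def parse_flow(line):
    """Parse 'proto src_ip src_port dst_ip dst_port' into a dict."""
    proto, src, sport, dst, dport = line.split()
    return {"proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def in_hotspot(ip):
    """True if ip falls inside one of the bulletin's hot-spot prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOTSPOT_PREFIXES)


def triage(lines):
    """Return {src_ip: set(findings)} for sources that trip at least one check."""
    dports_by_src = defaultdict(set)
    sports_by_src = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        dports_by_src[f["src"]].add(f["dport"])
        sports_by_src[f["src"]].add(f["sport"])

    findings = defaultdict(set)
    for src, dports in dports_by_src.items():
        is_sweep = len(dports) >= SWEEP_THRESHOLD
        if in_hotspot(src):
            findings[src].add("source in bulletin hot-spot prefix")
        if is_sweep and dports & ICS_PORTS:
            findings[src].add("ICS port inside broad port sweep")
        if is_sweep and sports_by_src[src] <= EVASION_SRC_PORTS:
            findings[src].add("sweep sourced from unfiltered port 53/80")
    return dict(findings)


def constructed_flows():
    """Constructed sample: one hot-spot scanner, one generic scanner, one client."""
    flows = []
    # Scanner inside 95.82.0.0/16 sweeping 200 ports around 20000/tcp from sport 53.
    for p in range(19900, 20100):
        flows.append(f"tcp 95.82.100.7 53 192.0.2.10 {p}")
    # Scanner outside the prefixes sweeping low ports from ephemeral source ports.
    for p in range(1, 101):
        flows.append(f"tcp 203.0.113.5 {40000 + p} 192.0.2.10 {p}")
    # Ordinary client traffic that should not be flagged.
    flows.append("tcp 198.51.100.9 51234 192.0.2.10 443")
    return flows


if __name__ == "__main__":
    for src, reasons in triage(constructed_flows()).items():
        print(src, "->", "; ".join(sorted(reasons)))
```

The generic low-port scanner is deliberately not flagged: a sweep alone is noise on an internet-facing sensor, and the point of the check is the combination the bulletin describes (ICS port inside the range, or the whole sweep coming from a port a firewall tends to allow through).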

Figure 2 - Satellite Imagery of Ahar Iran, concentration of attacks against US Industrial Control Systems

Ahar (Persian: اهر) is a city in and the capital of Ahar County, East Azerbaijan Province, Iran. Ahar was the fifth most populated city of the province with a population of 85,782 and 20,844 households [6].

According to Internet World Stats (IWS), in 2014 40.2% of the Iranian population was online. Our analysts mapped a much larger internet footprint in Ahar than its population would suggest: at that ratio, we would expect to see only about 8300 internet subscribers. We found approx. 2788 C-Class IPv4 Classless Inter-Domain Routing (CIDR) blocks with over 700,000 Internet Protocol addresses. See figure 4 below for more information.

6 Ahar, Iran, n.d., http://en.wikipedia.org/wiki/Ahar (accessed 26 January 2015)


Figure 3 – Approx. 2788 C-Class IPv4 Classless Inter-Domain Routing (CIDR) blocks with over 700,000 Internet Protocol addresses mapped in Ahar.

Selected organizations with large internet footprint operating from Ahar include:

| Number of C-Class IPv4 CIDR Blocks | Organization | Number of IPs |
|---|---|---|
| 1016 | GOSTARESH MABNA Company | 259,080 |
| 442 | Telecommunication Company of Iran | 112,710 |
| 252 | Esfahan Telecommunication Company | 64,260 |
| 294 | Fars Telecommunication | 67,320 |
| 161 | Information Technology Company ITC | 41,055 |

Table 3 - Organizations with large internet footprint in Ahar

The only attribution Norse can identify for a large internet footprint is a recently constructed university campus (Ahar Azad University) and an industrial park.


| Iranian Internet Address | Organization | City | ICS Targeted Protocol |
|---|---|---|---|
| 109.230.108.108 | Boomerang Rayaneh Co. (Shiraz) | Ahar | Televent OASyS DNA |
| 178.236.40.253 | Toos-Ashena Co. Ltd | | SNC GENe; Televent OASyS DNA |
| 194.225.31.3 | Research Center of Theoretical Physics & Mathematics (IPM) | Tehran | Televent OASyS DNA |
| 2.145.85.202 | Iran Cell Service and Communication Company | Tehran | Televent OASyS DNA |
| 213.207.255.122 | GOSTAREH ONLINE | Tehran | SNC GENe |
| 217.218.127.250 | Telecommunication Infrastructure Company (TIC) | Tehran | Televent OASyS DNA |
| 37.254.196.159 | ESFAHAN DATA DEPARTMENT - TCE ADSL Dynamic | Bandar-e-Abbas | OSIsoft PI Server |
| 37.63.180.34 | AsiaTech Telecom Limited | Tehran | Televent OASyS DNA |
| 79.175.173.244 | Mr. Abbas Ramedani (Niroo Havayi) | Tehran | DNP3 |
| 89.165.0.14 | Neda Gostar Saba (Main) (Sabanet) | Tehran | SNC GENe |
| 95.82.104.126 | Hesabgar | Ahar | Siemens Spectrum Power TG; SNC GENe; Televent OASyS DNA |
| 95.82.104.98 | Hesabgar | Ahar | SNC GENe; Televent OASyS DNA |
| 95.82.111.153 | Hesabgar | Ahar | Siemens Spectrum Power TG; SNC GENe |
| 95.82.111.179 | Hesabgar | Ahar | SNC GENe; Siemens Spectrum Power TG; Televent OASyS DNA |
| 95.82.99.191 | Hesabgar | Ahar | Siemens Spectrum Power TG; Televent OASyS DNA |

Table 4 – Aggressive Iranian IP addresses targeting industrial control systems. Note that 6 of the 15 geographically resolve to Ahar.


Diversified Attack Analysis

Our team analyzed and plotted the web defacements originating from Iran (Figure 5). These attacks are geographically distributed and there does not appear to be any overarching pattern to the targeting. While these attacks initially appeared to be non-specific and random, our assessment is that they are in fact part of an Iranian program to train future “cyber warriors”. Some of the targets appear barely compromised, while others appear to have been completely suborned as command and control (C2) nodes for malware. In other words, the initial activity (web defacements) is used to support the training mission; however, once compromised, selected targets are being exploited to stockpile new command and control (C2) nodes and botnets.

Figure 4 - Plot of web defacements

Ashiyane Digital Security Team (DST) (گروه امنیتی آشیانه) Attack Attribution

All of the web defacements were attributed to the hacking collective known as the “Ashiyane Digital Security Team”. In most cases DST leaves a “calling card” or statement in which they self-identify as the actor or member of the group behind the attack. For example, DST defaced the website of a public-facing authentication system in Norway, hekseberg-asen.no, which is hosted by Uniweb AS in Norway. See Figure 5 below.


Figure 5 - Screenshot of DST's calling card left at www.hekseberg-asen.no/Net-Hacker.php, a DST-exploited site, visited January 10, 2015

Ashiyane Digital Security Team (DST) is one of the more well-known Iranian hacking organizations; their western-facing organizational website is located at http://ashiyane.org/

ADST was founded in 2002 by Behrouz Kamalian, aka “Behrooz_Ice”, who personally moderates Ashiyane.org’s forums. Interestingly, the Ashiyane Digital Security Team (DST) has a very different Iranian-facing presence on their website located at http://www.ashiyane.ir/.

There, the “Ashiyane Security Center” offers a variety of security capabilities to interested prospects, including “Ashiyane Penetration Test of Servers & Networks”, “Ashiyane Manage and Support Servers Security”, and “Ashiyane Providing Security of Servers & Networks”. All of Ashiyane’s web and information security assets are physically hosted within the borders of Iran.


Recent Compromise: Ashiyane Digital Security Team (DST)

In January 2015, the Ashiyane Digital Security Team defaced 17 websites hosted by a Norwegian webhosting firm, Uniweb AS. The Uniweb team reported network impacts on their Twitter feed during the attack. On January 12, 2015 Uniweb commented, “Due to a major offensive against our online [services] we are currently experiencing problems with traffic from abroad. We are working to resolve this.”

Figure 6 – Screenshot of Uniweb’s Twitter account showing their response to the defacements. Source: https://twitter.com/uniwebno

Conclusion

Norse’s overall assessment is that Iran is preparing for something bigger. This assessment is based on the uptick in recently observed traffic attributed to both training and additional stockpiling of C2 nodes and botnets, combined with an increased focus on western Industrial Control Systems, specifically in the Energy sector.

For further information on this report, send inquiries to:

Phil Fuster
Vice President, Sales
+1 (240) 461-7000 Direct
+1 (314) 480-6450 Main
+1 (240) 489-7868 Fax
[email protected]
