FBI, CISA Detail How Iran Launched Destructive Cyberattack
Iranian hackers roamed across the Albanian government's network for 14 months before launching a destructive cyberattack in July that temporarily paralyzed the southern European country's online service portal for citizens.
The attackers gained initial access by exploiting a vulnerability in an internet-facing Microsoft SharePoint instance, after which they conducted reconnaissance, moved laterally, harvested credentials and exfiltrated emails, the Cybersecurity and Infrastructure Security Agency says in an advisory published Wednesday with the FBI. Microsoft independently identified the initial vulnerability as CVE-2019-0604, a remote code execution vulnerability.
In July, the attackers launched a ransomware attack and, when network defenders attempted to stymie the malicious encryption, reacted by deploying a version of the ZeroCleare wiper malware. The hackers dropped onto government desktops messages decrying the Mujahedin-e-Khalq, a group dedicated to the overthrow of the Islamic Republic of Iran. Members of MEK resettled in Albania after living in a former U.S. military base outside Baghdad.
An entity calling itself HomeLand Justice claimed responsibility for the cyberattack, leaking online what appears to be the residential permits of Mujahedin-e-Khalq members.
The attack led Albania earlier this month to cut diplomatic ties with Iran, and led the United States to impose additional sanctions on Tehran. Iran responded with a second wave of cyberattacks that temporarily disabled Albania's border-crossing system (see: Albania Recovers From Second Iranian Cyberattack).
As detailed by the U.S. government, hackers established persistence by installing web shells – small pieces of code acting as malicious implants. They used the remote desktop protocol for lateral movement within the Albanian government’s domain.
A compromised Microsoft Exchange account let them run searches and create a new account with elevated admin privileges.
About eight months after the initial compromise, hackers transferred between 3GB and 20GB of data from an Exchange server. Two months before the July attack, the threat actors connected to the IP addresses of the Albanian government’s virtual private network appliance, compromised two accounts and deployed a free network scanner to find open ports.
The FBI also found evidence that the attackers had executed Mimikatz, an open-source application that allows users to view and save authentication credentials, and had used LSASS dumping, a lateral movement tactic.
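A defender's counterpart to that finding is watching for processes that open a handle to lsass.exe with the access rights credential-dumping tools request. The following is an added example, not code from the advisory, CISA or the FBI: it assumes Sysmon Event ID 10 (ProcessAccess) records flattened to key=value text, and the log lines, host names and process paths in it are constructed for illustration.

```python
"""Flag suspicious LSASS process-access events in Sysmon-style logs.

Added example (not from the advisory). Assumes Sysmon Event ID 10 records
flattened to 'Key=Value' text; sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Access masks commonly requested against lsass.exe when reading its memory
# (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION and supersets). Tune per site.
SUSPICIOUS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Images that routinely open lsass.exe on a Windows host; extend with the
# environment's own security agents. Compared lowercase on the full path.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# Matches Key=Value pairs, allowing double-quoted values containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    host: str
    source_image: str
    granted_access: int
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn a flattened event line into a dict of its fields."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_event(ev: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if this event is a suspicious lsass.exe access."""
    if ev.get("EventID") != "10":
        return None
    target = ev.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    if source in BENIGN_SOURCES:
        return None
    try:
        mask = int(ev.get("GrantedAccess", "0"), 16)  # Sysmon logs hex, e.g. 0x1010
    except ValueError:
        return None
    if mask in SUSPICIOUS_MASKS:
        reason = f"lsass.exe opened with access 0x{mask:X} by non-allowlisted process"
        return Finding(ev.get("Computer", "?"), source, mask, reason)
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the check over every line and keep the hits, in input order."""
    return [f for f in (check_event(parse_event(ln)) for ln in lines) if f]


# Constructed sample events: one benign system access, one process-create
# record that should be ignored, two suspicious accesses, one unrelated target.
SAMPLE_LOG = [
    r'EventID=10 Computer=DC01 SourceImage=C:\Windows\System32\csrss.exe '
    r'TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF',
    r'EventID=1 Computer=PRINT01 Image=C:\Users\Public\mk.exe CommandLine=mk.exe',
    r'EventID=10 Computer=PRINT01 SourceImage=C:\Users\Public\mk.exe '
    r'TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010',
    r'EventID=10 Computer=EXCH01 SourceImage="C:\Windows\Temp\procdump64.exe" '
    r'TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF',
    r'EventID=10 Computer=WS07 SourceImage="C:\Program Files\Foo\foo.exe" '
    r'TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1010',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}: {f.source_image} -> {f.reason}")
```

The allowlist is a starting point rather than a verdict: the check is meant to cut noise from normal system components so an analyst can review what remains, and a mask outside SUSPICIOUS_MASKS is not proof of benign behaviour.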
When the time came to shift the focus of the attack, the hackers logged onto a print server using remote desktop protocol and activated FileCryptor, a ransomware-style file encryptor. They then shifted to the disk wiper tool.