FireEye has published a report on Operation Saffron Rose

May 13, 2014 14:37 GMT

FireEye has published a comprehensive report on the activities of the Ajax Security Team, a hacker group that’s believed to be based in Iran. What’s interesting about this group is that it started by defacing websites and evolved to the point where they’re conducting sophisticated cyber espionage operations.

In a report dubbed Operation Saffron Rose, experts reveal that the group has been defacing websites since 2010 up until December 2013. In fact, they’ve defaced several websites as part of the campaigns dubbed OpIsrael and OpUSA.

However, over the past months, the group has evolved a great deal. The Ajax Security Team has targeted US defense companies and Iranians who attempt to bypass the country’s Internet filtering systems with the aid of anti-censorship technologies.

Their attack arsenal includes spear phishing, credential phishing and malware-laden versions of anti-censorship tools. While they haven’t used any exploits to infect their targets, the hacker crew has utilized exploit code in website defacements.

They rely on a malware family dubbed “Stealer” to carry out their operations. The threat is capable of collecting system information, logging keystrokes, capturing screenshots, harvesting instant messaging account data, tracking browsing activities, and collecting email account information.

It can also extract configuration information from proxy software installed on the infected computer, and harvest data from cookies.

While FireEye hasn’t precisely determined what the group is capable of, their operations appear to have been somewhat successful judging by the number of victims. Experts highlight the fact that their methodology is similar to that of other advanced persistent threats from this region.

Researchers say the Ajax Security Team’s objectives appear to be in line with Iran’s effort to track the moves of political dissidents and expand the country’s offensive cyber capabilities.

“There is an evolution underway within Iranian-based hacker groups that coincides with Iran's efforts at controlling political dissent and expanding its offensive cyber capabilities,” said Nart Villeneuve, senior threat intelligence researcher at FireEye and one of the authors of the report.

“We have witnessed not only growing activity on the part of Iranian-based threat actors, but also a transition to cyber-espionage tactics. We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets' machines for longer-term initiatives.”

It’s unclear at this point if this group is part of a larger coordinated effort, but experts believe that the group will further improve its capabilities in the upcoming period.

The complete report on Operation Saffron Rose is available on FireEye’s website.