Network security company FireEye released a research report today titled “Operation Saffron Rose”, which documented activities of the Ajax Security Team – a cyber-espionage group likely based in Iran.
According to its media statement, the Ajax Security Team has progressed from mostly defacing websites in 2009, to full-blown espionage against Iranian dissidents and U.S. defense firms today. The report findings suggested that Ajax’s methodologies have grown more consistent with other advanced persistent threat (APT) actors in and around Iran following cyber attacks against Iran in the late 2000s.
“There is an evolution underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding its offensive cyber capabilities,” said Nart Villeneuve, senior threat intelligence researcher at FireEye.
“We have witnessed not only growing activity on the part of Iranian-based threat actors, but also a transition to cyber-espionage tactics. We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets’ machines for longer-term initiatives,” he added.
The targets of Operation Saffron Rose include Iranian dissidents and U.S. defense organisations. FireEye recently observed the Ajax Security Team conducting multiple cyber-espionage operations against companies in the defense industrial base within the U.S. The group also targets local Iranian users of Proxifier or Psiphon, which are anti-censorship technologies that bypass Iran’s Internet filtering system.
It is unclear whether the Ajax Security Team operates in isolation or is part of a larger coordinated effort. The team uses malware tools that do not appear to be publicly available. Rather than exploiting software vulnerabilities, it relies on varied social engineering tactics to lure targets into infecting themselves with malware. Although FireEye has not observed the use of exploits as a means to infect victims, members of the Ajax Security Team have previously used publicly available exploit code to deface websites.
Additionally, FireEye uncovered information on 77 victims from one command-and-control (CnC) server found while analysing malware samples disguised as Proxifier or Psiphon. Analysing the victim data, FireEye found that a large proportion of the infected machines had their time zone set to “Iran Standard Time” or their language set to Persian, consistent with the group’s targeting of Iranian users of these tools.
Is the Ajax Security Team a huge threat?
The increased politicization of the Ajax Security Team, and the transition from nuisance defacements to operations against internal dissidents and foreign targets, coincides with moves by Iran aimed at increasing offensive cyber capabilities.
While the relationship between actors such as the Ajax Security Team and the Iranian government is unknown, their activities appear to align with Iranian government political objectives – making them one to watch out for.
The capabilities of the Ajax Security Team remain unclear. Although FireEye has so far observed the group delivering malware only through social engineering rather than exploits, it is still uncertain whether they or other Iranian actors are capable of producing or acquiring exploit code for use in intrusions.