Iranian hackers unleash malware against aviation, petrochem industries — cybersecurity firm

Stuart Davis, a director at one of FireEye's subsidiaries, speaks to journalists about the techniques of Iranian hacking on Wednesday, Sept. 20, 2017, in Dubai, United Arab Emirates. A new report by FireEye, a cybersecurity firm, warned that a suspected group of hackers in Iran is targeting the aviation and petrochemical industries in Saudi Arabia, the US and South Korea. (AP Photo/Kamran Jebreili)
Updated 20 September 2017

DUBAI: A group of hackers suspected of working in Iran for its government is targeting the aviation and petrochemical industries in Saudi Arabia, the US and South Korea, a cybersecurity firm warned Wednesday.
The report by FireEye also said the suspected Iranian hackers left behind a new type of malware that could have been used to destroy the computers it infected, an echo of two other Iran-attributed cyberattacks targeting Saudi Arabia in 2012 and 2016 that destroyed systems.
Iran’s office at the United Nations did not immediately respond to a request for comment Wednesday and its state media did not report on the claims. However, suspected Iranian hackers have long operated without caring whether they were identified or whether there would be consequences, making them incredibly dangerous, said Stuart Davis, a director at one of FireEye’s subsidiaries.
“Today, without any repercussions, a neighboring country can compromise and wipe out 20 institutions,” Davis said.
FireEye, which often works with governments and large corporations, refers to the group as APT33, with “APT” standing for “advanced persistent threat.” APT33 used phishing e-mail attacks with fake job opportunities to gain access to the companies affected, faking domain names to make it look like the messages came from Boeing Co. or defense contractors.
The hackers remained inside the systems of those affected for “four to six months” at a time, able to steal data, and left behind the malware that FireEye refers to as Shapeshifter. The code contains references in Farsi, the official language of Iran, FireEye said.
Timestamps in the code also correspond to hackers working from Saturday to Wednesday, the Iranian workweek, Davis said. The programs used in the campaign are popular with Iranian coders, servers were registered via Iranian companies and one of the spies appears to have accidentally left his online handle, “xman_1365_x,” in part of the code.
That name “shows up all over Iranian hacker forums,” FireEye’s John Hultquist said. “I don’t think they’re worried about being caught. ... They just don’t feel like they have to bother.”
The Associated Press was able to find other clues pointing to an Iranian nexus. One of the e-mail addresses used to register a malicious server belongs to an Ali Mehrabian, who used the same address to create more than 120 Iranian websites over the past six years.
Neither Mehrabian, who listed himself as living in Tehran, nor “xman” returned e-mails seeking comment.
Iran developed its cyber capabilities in 2011 after the Stuxnet computer virus destroyed thousands of centrifuges involved in Iran’s contested nuclear program. Stuxnet is widely believed to be an American and Israeli creation.
Iran is believed to be behind the spread of Shamoon in 2012, which hit Saudi Arabian Oil Co. and Qatari natural gas producer RasGas. The virus deleted hard drives and then displayed a picture of a burning American flag on computer screens. Saudi Aramco ultimately shut down its network and destroyed over 30,000 computers.
A second version of Shamoon raced through Saudi government computers in late 2016, this time having the destroyed computers display a photograph of the body of 3-year-old Syrian boy Aylan Kurdi, who drowned fleeing his country’s civil war. Suspicion again fell on Iran.
FireEye’s report said it believed APT33 “is likely in search of strategic intelligence capable of benefiting a government or a military sponsor.”
High on the list of any potential suspects within Iran would be its paramilitary Revolutionary Guard. US prosecutors in March 2016 accused hackers associated with Guard-linked companies of attacking dozens of banks and a small dam near New York City. Hackers linked to the Guard also have been suspected of targeting the e-mail and social-media accounts of Obama administration officials.
Associated Press writer Raphael Satter in Paris contributed to this report.

Key events in Egypt since the 2011 pro-democracy uprising

President Abdel-Fattah El-Sisi. (Supplied)
Updated 21 April 2019

CAIRO: Here are key events in eight years of turmoil and transition in Egypt, leading up to a national referendum on constitutional amendments that could allow President Abdel-Fattah El-Sisi to remain in power until 2030.

● Feb. 11, 2011: Autocrat Hosni Mubarak steps down after 18 days of nationwide protests against his nearly 30-year rule. The military takes over, dissolving Parliament and suspending the constitution after the uprising leaves hundreds of protesters dead in clashes with security forces.

● Nov. 28, 2011-Feb. 15, 2012: The Muslim Brotherhood wins nearly half the seats in multi-stage elections for the first post-Mubarak Parliament.

● June 30, 2012: The Muslim Brotherhood’s candidate Muhammad Mursi takes office as Egypt’s first freely elected president.

● Aug. 12, 2012: Mursi removes the defense minister and military chief, Field Marshal Hussein Tantawi, and replaces him with El-Sisi.

● Nov. 22, 2012: Mursi unilaterally decrees greater powers for himself, a move that sparks days of protests.

● Dec. 15-22, 2012: Egyptians approve a constitution drafted and hastily passed by Parliament amid protests and walkouts by other groups.

● June 30, 2013: On Mursi’s anniversary in office, millions of Egyptians begin days of demonstrations demanding his resignation. The military gives him 48 hours to reach an agreement with his opponents, but he vows to remain in office.

● July 3, 2013: El-Sisi announces Mursi’s removal.

● Aug. 14, 2013: More than 600 people, mostly Mursi supporters, are killed when police clear two pro-Mursi sit-ins in Cairo. Mursi supporters retaliate by torching government buildings, churches and police stations. Hundreds more die in subsequent violence.

● Dec. 25, 2013: The government designates the Muslim Brotherhood a terrorist organization.

● May 26-28, 2014: Egyptians vote in a presidential election. El-Sisi wins with 96.9 percent of the vote.

● May 16, 2015: Mursi and more than 100 others are sentenced to death over a mass prison break during the 2011 uprising.

● Oct. 2015: Egypt holds parliamentary elections, leading to an assembly packed with El-Sisi supporters.

● April 2, 2018: El-Sisi wins a second, four-year term in office, with more than 97 percent of the vote.

● Feb. 2019: Lawmakers submit proposed amendments to the constitution that allow El-Sisi to remain in power beyond his current second four-year term.

● April 10: President Donald Trump welcomes El-Sisi to the White House for a second official visit.

● April 17: The Parliament, packed with El-Sisi’s supporters, overwhelmingly passes the proposed amendments.

● April 18: Egypt’s National Election Authority schedules three days of voting in a nationwide referendum on the amendments. The vote takes place Saturday through Monday.