FireEye released a report on Tuesday, focusing on a group from Iran known as the Ajax Security Team (AST). Explaining their focus, FireEye said that the group's methods have "grown more consistent with other advanced persistent threat (APT) actors in and around Iran" since the late 2000s.
"The objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, but we believe that members of the group may also be dabbling in traditional cybercrime. This indicates that there is a considerable grey area between the cyber espionage capabilities of Iran’s hacker groups and any direct Iranian government or military involvement," FireEye said in a blog post on the report.
FireEye says that they've observed AST conducting attacks against organizations in the defense industrial base (DIB), as well as local Iranians that support or use anti-censorship tools.
In all, FireEye said they identified 77 victims from a single command and control server. Of those victims, 44 had their system time zone set to Iran Standard Time, and 37 had their language set to Persian.
This data is what FireEye used to determine that the majority of AST's targets resided in Iran. The attacks themselves were linked to AST by way of an email address used to register a domain created for a phishing attack, and by ajaxtm[.]org, one of the group's primary domains (now defunct).
However, FireEye's report makes it clear that the status of the relationship between AST and the Iranian government is unknown. With that said, why is this group being singled out? Who are they? What have they done?
With the help of a fellow security wonk (@krypt3ia) on Twitter, Salted Hash was able to answer some of those questions.
Interestingly enough, the more one examines this group, the less likely it is that they're a state-sponsored team. In fact, there only seems to be a handful of them active at any given moment.
In FireEye's report, the company focused on a person going by the name "HUrr!c4nE!," likely because that handle's email address is tied to one of the AST domains and because the handle appears in the tags this individual leaves when defacing a website; the report itself does not explain the choice.
However, the other half of AST, known online as "Cair3x," barely earned a mention.
The lack of mention for "Cair3x" is odd, considering a simple Google search not only shows his connections to AST, but also identifies him. These details are found in a report from the International Institute for Counter-Terrorism (ICT).
The ICT Cyber-Terrorism Activities Report, published in December of 2013, mentions AST in a round-up of known Iranian hacking groups, but is careful to separate them from known terrorist organizations.
"Ajax Team is another hacker group that has been operating in Iran for a number of years, led by Ali Ali Pur (aka Cair3x). Similar to other hacker groups, Ajax Team carries out at least part of its activity in the framework of a security company."
Moreover, the ICT report points out that, like all other Iranian groups currently operating, AST is pro-government and maintains an anti-Western / anti-Israel stance. If this world-view seems familiar, it's because AST shares the same values as the Iranian Cyber Army.