Senior Staff Writer

Ajax Security Team: Are they Iran’s latest threat?

May 13, 2014 | 6 min read
Advanced Persistent Threats, Cybercrime, Hacking

FireEye thinks so, but a passive glance into their history suggests otherwise

FireEye released a report on Tuesday, focusing on a group from Iran known as the Ajax Security Team (AST). Explaining their focus, FireEye said that the group’s methods have “grown more consistent with other advanced persistent threat (APT) actors in and around Iran” since the late 2000s.

“The objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, but we believe that members of the group may also be dabbling in traditional cybercrime. This indicates that there is a considerable grey area between the cyber espionage capabilities of Iran’s hacker groups and any direct Iranian government or military involvement,” FireEye said in a blog post on the report.

FireEye says it has observed AST conducting attacks against organizations in the defense industrial base (DIB), as well as Iranians who support or use anti-censorship tools.

In all, FireEye said it identified 77 victims from a single command and control server. Of those victim systems, 44 had their time zone set to Iran Standard Time (UTC+3:30), and 37 had their language set to Persian.

This is the data FireEye used to determine that the majority of AST's targets resided in Iran. The attacks themselves were linked to AST by way of an email address used to register a domain created for a phishing attack, and by ajaxtm[.]org, one of the group's primary URLs (now defunct).

However, FireEye’s report makes it clear that the status of the relationship between AST and the Iranian government is unknown. With that said, why is this group being singled out? Who are they? What have they done?

With the help of a fellow security wonk (@krypt3ia) on Twitter, Salted Hash was able to answer some of those questions.

Interestingly enough, the more one examines this group, the less likely it is that they're a state-sponsored team. In fact, there only seem to be a handful of members active at any given moment.

FireEye's report focused on a person going by the handle "HUrr!c4nE!," likely because that person's email address is tied to one of the AST domains, and because of the tags this individual leaves behind when defacing a website; the report itself doesn't explain the reasoning.

However, the other half of AST, known online as “Cair3x,” barely earned a mention.

The lack of mention for “Cair3x” is odd, considering a simple Google search not only shows his connections to AST, but also identifies him. These details are found in a report from the International Institute for Counter-Terrorism (ICT).

The ICT Cyber-Terrorism Activities Report, published in December of 2013, mentions AST in a round-up of known Iranian hacking groups, but is careful to separate them from known terrorist organizations.

“Ajax Team is another hacker group that has been operating in Iran for a number of years, led by Ali Ali Pur (aka Cair3x). Similar to other hacker groups, Ajax Team carries out at least part of its activity in the framework of a security company.”

Moreover, the ICT report points out that, like the other Iranian groups currently operating, AST is pro-government and maintains an anti-Western / anti-Israel stance. If this world-view seems familiar, it's because AST holds the same values as the Iranian Cyber Army.

The aforementioned company used by AST, Pars Security (Pars Pardazesh Hafez Shiraz Ltd.), offers a wide range of services, including penetration testing, wireless hacking, and security training.

According to the company’s website, it was founded in order to provide “services to the private and public sectors…based on over 5 years of experience in the field of IT and in managing the Ajax hacker group…”

Keeping with the pro-Iranian stance, AST’s Ali Ali Pur spent a considerable amount of time showing off his website defacements and spreading pro-Iranian propaganda on ajaxtm[.]com – his personal blog. Shortly after the FireEye report was published, he started deleting the website.

However, a post referencing money problems, leading to an inability to pay for hosting, seems to contradict the notion that the group is government funded – or well-funded at all for that matter.

Throughout their existence, the group has carried out a number of website defacements and coordinated attacks on individuals. Likewise, they've disclosed vulnerabilities in various Web apps, and leveraged known vulnerabilities in order to deface a given target. Moreover, in recent times, they've either written or purchased code (a Remote Access Trojan) to target anti-censorship supporters.

Given the money problems, it’s a better bet that they adapted code for their usage, or someone coded it for them – it isn’t uncommon for programmers to support nationalistic hackers.

However, these actions don’t make them a state-sponsored group or “APT” actors. Based on everything that’s presented in the FireEye report and established online, nothing they’ve done is really advanced. Targeting low-hanging fruit is the easiest path to success, and even rookie criminals know that rule.

All things considered, everything that’s in the public eye about them places this group in the same context as the Iranian Cyber Army or the Syrian Electronic Army. In short, they’re a low-level threat.

There's nothing wrong with watching them, or being aware of their methods and activities, but they're not a group that needs to be panicked over. Moreover, the threads of evidence used to tie AST to the DIB attacks are being called into question.

“The ‘Ajax Security Team’ appears to have connections with both traditional cyber crime organizations as well as government entities, however without additional information it is unknown if they work directly for a government or are possibly contracted. The affiliation with Iran is even circumstantial without additional information,” Adam Kujawa, head of Malware Intelligence at Malwarebytes, said.

In its blog post on the topic, FireEye mentions malware previously unknown to the security community being used by AST in their attacks on anti-censorship supporters.

This unique malware is one of the key pieces of the report, and something that is used to single them out as a threat and tie them to the Iranian government. But does it really tie them to anything?

“The biggest problem with trying to attribute nation-state malware to a specific country is that without hard evidence or the country in question admitting they own the malware, it can be made to look like it came from anywhere… Purchasing a server, including a foreign language or time zone and even using common applications known to a specific country (in this case the Iran anti-censorship software) could all be red herrings,” Kujawa added.