Iranian hackers with government connections continue to target western intellectual property.

The U.S. Department of Justice indicted Behzad Mesri, aka Skote Vahshat, on charges of hacking into HBO and stealing Game of Thrones episodes. Following the theft of the unaired episodes, Mesri allegedly attempted to extort HBO for $6 million in Bitcoin.

Mesri, whose face now graces an FBI Wanted Poster, is not in custody. Apparently, he is well known to the FBI, which stated that Mesri had “previously hacked computer systems for the Iranian military.”

More specifically, Mesri is known to have successfully “conduct[ed] computer network attacks that targeted military systems, nuclear software system, and Israeli infrastructure.” The DOJ also says Mesri, using his alias Skote Vahshat, has been a member of the Iranian hacking group, Turk Black Hat security team, which conducted “hundreds of website defacements.”

‘We must defend our technology from Iran’

While the theft of HBO’s intellectual property may not rise to the level of a national security issue, Check Point chairman Marius Nacht warned at a recent Ernst & Young Journey Conference that Iran (and North Korea) are a threat and must be addressed at the national level, and “we must defend our technology from Iran.” Specifically, Nacht noted that if important national assets are not protected, they will be exploited by these countries and used to compete against the U.S. and Israel.

While Nacht was speaking in broad terms, he is correct, as we have seen that Iran’s espionage capabilities have a powerful bite, with hackers from the Iranian Islamic Revolutionary Guard Force (IRGC) having successfully targeted the U.S. financial systems and the SCADA network of a New York dam.

Iran’s been busy bypassing technology embargos

Iran has successfully used a circuitous methodology to bypass the current technology embargos by creating or employing companies to act as middle men in their acquisition chain.
The Minnesota Star Tribune tells us of a Minnesota firm that was tricked into illegal shipments of “dual use” technology, “which can be used in civilian products or in weapons guidance systems that would fall under the international export controls.” The Minnesota firm sent the technology to a Malaysian company, Green Wave Telecommunication, which was acting as a procurement agent for the Iranian government.

We have also seen, via the research provided by Secureworks Counter Threat Unit, the existence of the fake persona Mia Ash. Mia Ash created fake profiles on various social networks, including Facebook, DeviantArt and LinkedIn, for the express purpose of socially engineering information of interest from targets and delivering a remote access trojan (RAT) to the targets’ systems.

Secureworks noted that Mia Ash’s “connections” within LinkedIn matched many of Mia Ash’s “friends” on Facebook. She successfully used her “photography persona” to engender trust and credibility while targeting individuals in the U.S., Israel and Saudi Arabia, among others. These individuals worked in the oil/gas, healthcare, and aerospace industries. Secureworks attributes the creation of Mia Ash to COBALT GYPSY aka OilRig, an Iranian hacker group.

And finally, U.K. parliamentarians, including Prime Minister Theresa May, have been subjected to “brute force” attacks that successfully compromised 90 email accounts, according to the U.K.’s Telegraph. The Iranian hackers, believed to be members of Iran’s IRGC, attacked the email system, affecting a total of 9,000 accounts. The attackers “repeatedly probed ‘weak’ passwords” of the parliamentarians and their staff, and when successful, locked the users out of their own email accounts.

Iran a formidable adversary

Be it Game of Thrones or embargoed technology, there is no doubt that Nacht has it right: The Iranian threat is real. They have demonstrably shown their ability to penetrate and steal intellectual property from enterprises.
Their hand in the financial world evidences their ability to move money as necessary. And finally, they have proven themselves adroit in the art of social engineering and the use of social networks to compromise and/or exploit individuals. Iran is after technology they can’t obtain legitimately due to sanctions, and your entity may be next.