Iranian cyber-espionage on Israel, Europe and the US


A previously suspected but unidentified hacking group, now being dubbed “MalKamak”, continues to operate in the wild, according to a new cybersecurity research paper on Iranian activity published on Wednesday.

The cyber-espionage threat actors have now been identified as Iranian, and their targeting of companies from Europe, the U.S. and the Middle East appears to have been ongoing since 2018.

The research report was published by a cybersecurity research group that had been responding to an incident in which an Israeli company came under attack from a remote access trojan they dubbed “ShellClient”. ShellClient is designed to infect a network remotely and remain dormant for as long as possible, collecting information without causing damage so as to avoid detection.

The head of the research group, Assaf Dahan, released the following statement on the incident and subsequent findings:

"The investigation began after Cybereason's Incident Response Research Team was called in to assist one of the attacked companies," Dahan said. "During the incident and after installing our technology on the organization's computers, we identified sophisticated and new damage that has yet to be seen or documented. Deep investigative work found that this is just one part of an entire Iranian intelligence campaign that has been conducted in secret and under the radar for the past three years. From the few traces left behind by the attackers, it is clear that they acted carefully and selected their victims thoroughly. This is a sophisticated Iranian attacker who acted professionally according to a considered and calculated strategy. The potential risk inherent in such an assault campaign is large and significant for the State of Israel and may pose a real threat." 

The direct impact of the incident and damage to the victims is yet to be determined. 

The most interesting and unique aspect of the cyber-espionage attacks performed by MalKamak is the way the group employs public services such as Dropbox for command-and-control, essentially hiding in plain sight whilst remaining undetected by antivirus software and network monitoring.

Speaking on the discovery of the new ways the threat actors are employing Dropbox, Dahan said: 

"The malware has evolved a lot over the years […] In 2018, the code was very simple, but it has become very sophisticated. Earlier this year, the group abandoned its old server infrastructure and replaced it with Dropbox file hosting, a simple way to hide it within plain sight. In recent years, we are seeing that more cyber threat actors abuse different cloud services like Google Drive, Dropbox and Github, as they provide the perfect camouflage. Although once we know what we are looking for, it makes it easier to uncover other things." 
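The cloud-service camouflage Dahan describes has a defensive corollary: traffic to Dropbox, Google or GitHub APIs is ordinary on any corporate network, but a single host reaching one of those endpoints at near-fixed intervals for hours is not how a person uses a file-sharing service. The Python below is an added example written for this article, not code from Cybereason or from the report. It parses a few constructed network log lines, scopes the check to cloud-service domains, and flags source/destination pairs whose inter-request gaps are unusually regular. The domain list, the log format and the thresholds are assumptions for the example.

```python
"""Beaconing heuristic for cloud-service command-and-control.

Flags a (source host, destination domain) pair when the host contacts a
cloud file-hosting or code-hosting API at near-constant intervals.
Constructed example; not an indicator list from any published report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed list of legitimate cloud services worth scoping the check to.
CLOUD_SERVICE_DOMAINS = {
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "www.googleapis.com",
    "api.github.com",
}

# Constructed log lines: "<ISO timestamp> <source host> <destination domain>".
# ws-17 polls the Dropbox API roughly every five minutes (beacon-like);
# ws-04 uses Google APIs in human, irregular bursts and polls an internal
# host on a fixed schedule (regular, but not a cloud service).
SAMPLE_NETWORK_LOG = """\
2021-10-06T09:00:00 ws-17 api.dropboxapi.com
2021-10-06T09:05:02 ws-17 api.dropboxapi.com
2021-10-06T09:09:59 ws-17 api.dropboxapi.com
2021-10-06T09:15:01 ws-17 api.dropboxapi.com
2021-10-06T09:20:00 ws-17 api.dropboxapi.com
2021-10-06T09:24:58 ws-17 api.dropboxapi.com
2021-10-06T09:02:11 ws-04 www.googleapis.com
2021-10-06T09:02:40 ws-04 www.googleapis.com
2021-10-06T09:41:05 ws-04 www.googleapis.com
2021-10-06T11:15:30 ws-04 www.googleapis.com
2021-10-06T11:16:02 ws-04 www.googleapis.com
2021-10-06T11:59:47 ws-04 www.googleapis.com
2021-10-06T09:00:10 ws-04 intranet.example.internal
2021-10-06T09:05:10 ws-04 intranet.example.internal
2021-10-06T09:10:10 ws-04 intranet.example.internal
2021-10-06T09:15:10 ws-04 intranet.example.internal
2021-10-06T09:20:10 ws-04 intranet.example.internal
2021-10-06T09:25:10 ws-04 intranet.example.internal
"""


def parse_log(text):
    """Group request timestamps by (source host, destination domain)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(stamp))
    return sessions


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) or None."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if not gaps:
        return None
    avg = mean(gaps)
    if avg == 0:
        return avg, float("inf")
    return avg, pstdev(gaps) / avg


def find_beacons(sessions, domains=CLOUD_SERVICE_DOMAINS,
                 min_events=5, max_cv=0.1):
    """Flag pairs hitting a cloud domain with highly regular timing.

    A low coefficient of variation (stdev / mean of the gaps) means the
    gaps barely change, which is typical of a scheduled check-in rather
    than of interactive use. Thresholds are assumptions for this example.
    """
    flagged = []
    for (src, dst), stamps in sessions.items():
        if dst not in domains or len(stamps) < min_events:
            continue
        stats = interval_stats(stamps)
        if stats and stats[1] <= max_cv:
            flagged.append({
                "src": src,
                "dst": dst,
                "events": len(stamps),
                "mean_gap_s": round(stats[0], 1),
                "cv": round(stats[1], 3),
            })
    return flagged


def scan(text=SAMPLE_NETWORK_LOG):
    """Convenience entry point: parse the log and return flagged pairs."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for hit in scan():
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} requests, "
              f"mean gap {hit['mean_gap_s']}s, cv {hit['cv']}")
```

Regularity alone is a weak signal: the vendor's own sync client also polls on a schedule, so in practice the hit should be enriched with the originating process and user agent, and with whether that host is expected to use the service at all. The domain scoping is deliberate; the internal host in the sample is polled just as regularly, but fixed-interval traffic to a known internal server is expected behaviour, whereas the same pattern towards a consumer cloud API on a workstation with no business need for it is what the cloud-camouflage technique looks like from the defender's side.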

The main aims of the espionage appear to be surveillance of aerospace and telecommunications organizations in Israel as well as in the US and Europe. This raises the question of why the surveillance is being carried out, and why the hacking group is devoting so much time and so many resources to it.

Speaking on the possibility of the operation being run and funded by the Iranian state, Dahan acknowledged that "This was a very sophisticated operation that has all the hallmarks of a state-sponsored attack." He went on to say that "while other Iranian groups are involved with more destructive acts, this one is focused on gathering information. The fact that they were able to stay under the radar for three years shows their level of sophistication. We assess that they have been able to exfiltrate large amounts of data over the years, gigabytes, or even terabytes. We don't know how many victims there were before 2018."
