
Iran’s Leafminer Is Tehran’s Latest Proxy Hacking Group With Ambitious Espionage Agenda

U.S. cyber security company Symantec has revealed the existence of a new Iranian proxy hacking group, which it has named ‘Leafminer’ and which has been operating since early 2017. Leafminer is engaged in cyber espionage against government and commercial targets throughout the Middle East, including Saudi Arabia, Lebanon, Israel, UAE, Kuwait, Qatar, Bahrain, Egypt, and Afghanistan.

Symantec’s analysis of Leafminer suggests that it adheres to a particular Iranian approach to cyber espionage and warfare, namely through its use of proxies and the use of well-known cyber tools (as opposed to unique and purpose-built tools), even though the company is careful not to explicitly link the group to the Iranian government.

According to Symantec, Leafminer has been operating since at least early 2017 and is engaged in cyber espionage against over 800 targets that include government departments and security services, financial services, utilities and energy companies, telecommunication companies, and transportation and airlines, among others. Leafminer seems to be most active in the Kingdom of Saudi Arabia, Lebanon, Israel, and Kuwait.

“[Leafminer’s] ambitious goal of targeting at least 800 different organizations across the Middle East is what sets them apart,” from other Iranian proxy groups, said Vikram Thakur, technical director at Symantec.

Symantec believe that Leafminer uses three methods for acquiring the information it seeks:

  • Compromised web servers and so-called ‘watering hole’ websites. According to Symantec, Leafminer creates false-flag websites on compromised web servers that lure would-be victims. These websites are infected with malicious code that, once accessed by the victim, provides Leafminer with access to the networks they are interested in. Symantec notes that the malicious code and method used by Leafminer in creating watering-hole websites are the same as those used by the Russian-linked ‘Dragonfly’ hacker group that has been attacking energy sector targets in Turkey, Switzerland, and the United States;
  • Vulnerability scans and exploitation techniques. Leafminer are thought to scan their targeted networks and computers regularly and are quick to exploit newly discovered vulnerabilities and software flaws, thus gaining access. Symantec also believe that Leafminer have repurposed and used tools originally developed by the U.S. National Security Agency (NSA) and Central Intelligence Agency (CIA) that were either leaked or stolen and then publicly released by the Shadow Brokers group, which is thought to be linked to Russian intelligence services;
  • Brute-force password hacking, also known as dictionary attacks. Symantec report that Leafminer also uses dictionary attacks against targeted computers and databases. Dictionary attacks use widely available software and methods to guess passwords, using computing power to rapidly and repeatedly try combinations of letters and numbers until the correct password is found.
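The detection side of the password-guessing item above, as an added defensive example that is not from the article or the Symantec report: it parses constructed OpenSSH-style auth lines and flags sources that either hammer one account (dictionary attack) or touch many accounts (spraying), noting when a success follows the failures. The log format, thresholds and IP addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH "Failed/Accepted password" format (not real data).
SAMPLE_LOG = """\
Jul 25 10:00:01 db01 sshd[4021]: Failed password for dbadmin from 198.51.100.23 port 51022 ssh2
Jul 25 10:00:02 db01 sshd[4021]: Failed password for dbadmin from 198.51.100.23 port 51023 ssh2
Jul 25 10:00:02 db01 sshd[4021]: Failed password for dbadmin from 198.51.100.23 port 51024 ssh2
Jul 25 10:00:03 db01 sshd[4021]: Failed password for dbadmin from 198.51.100.23 port 51025 ssh2
Jul 25 10:00:04 db01 sshd[4021]: Failed password for dbadmin from 198.51.100.23 port 51026 ssh2
Jul 25 10:00:05 db01 sshd[4021]: Failed password for invalid user oracle from 198.51.100.23 port 51027 ssh2
Jul 25 10:00:06 db01 sshd[4021]: Accepted password for dbadmin from 198.51.100.23 port 51028 ssh2
Jul 25 10:00:09 db01 sshd[4021]: Failed password for jsmith from 203.0.113.7 port 40001 ssh2
Jul 25 10:00:10 db01 sshd[4021]: Accepted publickey for jsmith from 203.0.113.7 port 40002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")

def summarize_auth(log_text):
    """Per source IP: number of failed attempts, distinct usernames tried, and
    whether a successful login followed earlier failures from the same source."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            stats[m["ip"]]["failures"] += 1
            stats[m["ip"]]["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["ip"] in stats and stats[m["ip"]]["failures"] > 0:
            stats[m["ip"]]["success_after_failures"] = True
    return stats

def flag_guessing(log_text, max_failures=5, max_users=3):
    """Return {ip: reason} for sources whose pattern looks like a dictionary attack
    (many failures, typically against one account) or password spraying (a few
    guesses spread over many accounts). Thresholds are illustrative defaults."""
    flagged = {}
    for ip, s in summarize_auth(log_text).items():
        if s["failures"] >= max_failures:
            flagged[ip] = "dictionary: %d failures" % s["failures"]
        elif len(s["users"]) >= max_users:
            flagged[ip] = "spray: %d accounts" % len(s["users"])
        if ip in flagged and s["success_after_failures"]:
            flagged[ip] += " followed by a successful login"  # highest-priority finding
    return flagged
```

A success after a run of failures is the case worth paging on, since it means a guessed credential worked and the account should be reset and its sessions reviewed.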

Symantec claim that Leafminer, while mostly reliant on existing exploitation tools, did develop its own malware to move the stolen data from host computers and databases to a server operated by the group in Azerbaijan. From there, the stolen data is thought to be transferred to a server located in Iran, where it is presumably passed on to Iranian intelligence services for analysis and possible further exploitation.

Based on its analysis, Symantec believe that Leafminer are relatively inexperienced compared to other Iranian proxy cyber groups, an assessment based on the poor operational security of the group that led to its prompt discovery and exposure.

Iran has demonstrated a preference for using deniable proxy groups for the majority of its cyber operations. Leafminer, while relatively inexperienced when compared to other Iranian cyber proxy groups, seems to adhere to Iranian methods that emphasize the use of pre-existing tools and exploits, including repurposed (yet powerful) tools such as Stuxnet (the Iranian, repurposed version becoming Shamoon) and the NSA/CIA tools that were released by the Shadow Brokers.

The existence of Leafminer comes at a time when Iran is engaged in a wider proxy conflict with Saudi Arabia and UAE in Yemen, and is under increasing pressure from the United States and Israel. Iran has a track record in using proxy cyber groups as an additional tool in its irregular conflicts with opponents, and as a response to diplomatic and economic pressure.

While Leafminer’s exposure was due to poor operational security by its members, Iranian proxy cyber groups are gaining a reputation for carrying out damaging and even sophisticated cyber operations. Many analysts assume that while Leafminer has been exposed, other Iranian cyber proxy groups are likely operating undetected throughout the Middle East and beyond.
