Iran was behind a large number of cyber-attacks carried out against the Post Office, several local government networks, as well as UK-based private sector companies, including banks, just prior to Christmas, Sky News has revealed.
According to the news site, the cyber-attacks were largely successful as hackers sponsored by Iran and linked to the Iranian Revolutionary Guard were able to steal email addresses, mobile numbers and other personal details of thousands of local government and Post Office employees, including those of the Post Office chief executive Paula Vennells.
It is now believed that the stolen details will be used to spoof the identities of government employees and executives, either to influence elections or to target other government employees with new spear-phishing attacks that lure them into divulging more details about their organisations.
Iran launched cyber attacks to avenge the indictment of its own hackers
According to Sky News, the cyber attacks were likely in response to the indictment of nine key leaders of the Iran-based Mabna Institute by the FBI in February last year on several counts of wire fraud, theft of proprietary data, and accessing computer systems without authorisation. The UK’s National Cyber Security Centre had publicly congratulated the FBI for nabbing people linked to the Mabna Institute.
In a press release, NCSC said that it assessed with high confidence that “the Mabna Institute are almost certainly responsible for a multi-year Computer Network Exploitation (CNE) campaign targeting universities in the UK, the US, as well as other Western nations, primarily for the purposes of intellectual property (IP) theft.”
“The UK Government judges that the Mabna Institute based in Iran was responsible for a hacking campaign targeting universities around the world. By stealing intellectual property from universities, these hackers attempted to make money and gain technological advantage at our expense,” said Lord Tariq Ahmad, the Foreign Office Minister for Cyber.
“We welcome the US indictments. It demonstrates our willingness and ability to respond collectively to cyber-attacks using all levers at our disposal. The focus on universities is a timely reminder that all organisations are potential targets and need to constantly strive for the best possible cyber security,” he added.
According to Sky News, Mabna Institute was reorganised following the indictment of high-profile members and now includes new members from countries like Lebanon, Palestine, and Syria. While there is no official confirmation yet on the involvement of the Mabna Institute in the cyber-attacks on UK-based organisations in December, NCSC told Sky News that it was “aware of a cyber incident affecting some UK organisations in late 2018” and that it was “working with victims and advising on mitigation measures”.
Iran targeted UK universities too
The cyber-attacks targeting local government organisations, the Post Office, and other private sector companies weren’t the first such attacks attempted by Iranian hackers last year. In August last year, research by SecureWorks revealed a massive domain-spoofing campaign that targeted domains of 76 universities in over fourteen countries, including the UK, the U.S., and Australia.
After examining the IP address of a fake webpage that spoofed the URL of a university, the researchers stumbled upon as many as 16 domains that contained over 300 spoofed websites and login pages for 76 universities.
According to SecureWorks, many of the fake domains were registered between May and August this year, and many of them resolved to the same IP address and DNS name server, indicating that the campaign was orchestrated by a single hacker group that is probably close to the Iranian government.
“The targeting of online academic resources is similar to previous cyber operations by COBALT DICKENS, a threat group associated with the Iranian government. In those operations, which also shared infrastructure with the August attacks, the threat group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems,” the firm said.
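The shared-infrastructure pattern SecureWorks describes (many lookalike domains resolving to one IP address and one name server) can be turned into a simple defender-side check. The script below is an added example, not SecureWorks' or the article's code; the passive-DNS style records, domain names and addresses are constructed placeholders, and the brand label and legitimate domain are assumptions.

```python
"""Flag lookalike domains for a protected university domain and cluster them by
shared hosting infrastructure (same A record and authoritative name server).
Added example; every record below is constructed, not a real indicator."""
from collections import defaultdict

# Constructed records: (domain, resolved IP, authoritative NS). Placeholder values.
RECORDS = [
    ("exampleuni-library.test", "192.0.2.10",   "ns1.example-hosting.test"),
    ("examp1euni.test",         "192.0.2.10",   "ns1.example-hosting.test"),
    ("portal-exampleuni.test",  "192.0.2.10",   "ns1.example-hosting.test"),
    ("exampleuni.ac.uk",        "198.51.100.5", "ns.exampleuni.ac.uk"),
    ("lib.exampleuni.ac.uk",    "198.51.100.5", "ns.exampleuni.ac.uk"),
    ("unrelated-shop.test",     "203.0.113.7",  "ns2.other.test"),
]

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-character swaps such as 'examp1euni'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(candidate: str, legit_domain: str, brand: str) -> bool:
    """True when a domain outside the legitimate zone imitates the brand label:
    the label appears verbatim in the name, or some label is within edit distance 1."""
    if candidate == legit_domain or candidate.endswith("." + legit_domain):
        return False  # the real domain and its own subdomains are never lookalikes
    if brand in candidate:
        return True
    tokens = candidate.replace("-", ".").split(".")
    return any(levenshtein(t, brand) <= 1 for t in tokens)

def cluster_by_infrastructure(records, legit_domain: str, brand: str):
    """Group lookalike domains by (ip, ns). Several lookalikes sharing one host and
    one name server is the 'single actor' signal described in the text."""
    clusters = defaultdict(list)
    for domain, ip, ns in records:
        if is_lookalike(domain, legit_domain, brand):
            clusters[(ip, ns)].append(domain)
    return dict(clusters)

if __name__ == "__main__":
    for (ip, ns), domains in cluster_by_infrastructure(RECORDS, "exampleuni.ac.uk", "exampleuni").items():
        print(f"{ip} / {ns}: {len(domains)} lookalike domains -> {domains}")
```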