U.S. Veterans Targeted by Iranian State Hackers

In a recent post, I suggested that the U.S. had declared cyberwar against Iran. This was made clear when President Trump gloated over the misfiring of one of Iran’s rockets. In fact, Iran has had trouble testing numerous missiles and rockets ever since George W. Bush gave a thumbs-up to the infamous Stuxnet attack which temporarily brought down Iran’s nuclear program.

The U.S. may be coy about admitting to this cyberwar but Iran is not. In a recent interview, Iranian Foreign Minister, Javad Zarif, stated that, “there is a cyber war and Iran is engaged in that cyber war,” and “any war that the United States starts it won’t be able to finish.”

In fact, ever since the U.S. interfered in its rocket launch, Iran has ramped up its cyber attacks on the U.S. The physical attack on the Saudi Aramco oil facilities was only one example of the kind of retaliation Iran is capable of. The drones it used in this attack were copies of an American drone it captured in 2011 and reverse engineered to produce its own drone fleet. This was a sophisticated attack which must have been planned for a long time. The signal Iran has received from Washington is that President Trump is not interested in traditional war and would prefer a cyberwar. Coincidentally, the Aramco attack occurred shortly after regime-change, bomb-Iran war hawk John Bolton stepped down. In other words, Iran must believe it has no obstacles in its way for any military strike. It must also believe that its cybersecurity architecture is strong enough to withstand any cyber attack that the U.S. could launch. The Aramco attack was only an oblique attack on the U.S. It would not seem to satisfy Iran’s thirst for revenge for its lost rockets and missiles. This lust for revenge, coupled with a lack of fear of a U.S. cyber counterstrike, has emboldened Iran to find and exploit new targets in America.

Now, it looks like Iran has identified a cyber gateway. It is now clear that they are trying to infiltrate the U.S. military cyber network by targeting veterans. Iran is well-aware of the fact that the main U.S. military networks are locked down and would be difficult to penetrate with a direct attack. So Iran does what every other hacker does: They try to breach the network by exploiting its endpoints. The more indirect such attacks are, the better chance they have at succeeding.

Here’s how the current attack was set up. Apparently, Iranian cyber attack teams found that many veterans are having problems finding good jobs. With this in mind, the Iranians set up a fake website. In this case, the website was hiremilitaryheroes, which bears, at least at the URL level, a similarity to a legitimate website called hiringourheroes.org. The two sites are not visually similar. In fact, if the Iranians were serious about fooling veterans, they should have cloned portions of the legitimate site. Here’s how their site looks.
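As an added example (not code from the original post), here is a small Python check a defender could run over newly observed or newly registered domains: it scores a candidate against an allowlist of legitimate names by edit distance and by overlap of the words the label is built from, so that hiremilitaryheroes is flagged against hiringourheroes.org even though the two strings differ by several characters. The allowlist, the token list, the stem map and the thresholds are assumptions chosen for illustration.

```python
"""Lookalike-domain check (added example; the allowlist, token list, stem map
and thresholds are assumptions). A candidate domain is scored against
known-good names by normalised edit distance and token overlap."""
ALLOWLIST = ["hiringourheroes.org", "va.gov"]  # constructed allowlist
TOKENS = ["hire", "hiring", "our", "military", "heroes", "veteran", "jobs"]
STEMS = {"hiring": "hire"}  # fold inflections so hire/hiring count as one

def registrable_label(host):
    """Lower-case and drop the last label as a naive public suffix; the post
    gives no TLD for the fake site, so a bare label is accepted as-is."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def levenshtein(a, b):
    """Classic edit distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def tokenize(label):
    """Greedy longest-match split of a label into known, stemmed tokens."""
    found, i = [], 0
    while i < len(label):
        for tok in sorted(TOKENS, key=len, reverse=True):
            if label.startswith(tok, i):
                found.append(STEMS.get(tok, tok))
                i += len(tok)
                break
        else:
            i += 1  # character matches no token: skip it
    return found

def score(candidate, legit):
    """Edit similarity in [0, 1] and Jaccard overlap of the two token sets."""
    a, b = registrable_label(candidate), registrable_label(legit)
    edit_sim = 1 - levenshtein(a, b) / max(len(a), len(b), 1)
    ta, tb = set(tokenize(a)), set(tokenize(b))
    jaccard = len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0
    return {"edit_sim": edit_sim, "token_jaccard": jaccard}

def lookalikes(candidate, allowlist=ALLOWLIST, edit_min=0.8, token_min=0.5):
    """Allowlist entries the candidate imitates under either threshold."""
    return [(legit, s) for legit in allowlist
            if (s := score(candidate, legit))["edit_sim"] >= edit_min
            or s["token_jaccard"] >= token_min]
```

The token signal is what catches this case: the edit distance alone stays below the threshold, but both labels reduce to the stems hire and heroes, which is exactly what a veteran skimming a URL would register.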

[Image: screenshot of the fake hiremilitaryheroes site]

In the emblem portion of the image, the user has the option of downloading a free app, which, I suppose, would help them in getting the latest job offers. They can choose from three Windows operating systems: Windows 10, Windows 8.1, or Windows 8. Choosing any of them will have more or less the same result. The Windows 10 download comes in the form of a zip file which contains a file named win10.exe. It has escaped detection by most malware engines.

The victim who decides to download the app will expect some installation interface, and they will get the one that is pictured below. It appears to show that the installation is progressing via an installation progress bar.

[Image: the fake installer showing an installation progress bar]

However, just as it seems all is going well, a message pops up.

[Image: the error message shown by the fake installer]

In fact, this whole charade is just to make the victim think that something went wrong and they won’t be able to use the app after all. But there was never an app and the process just hides the fact that a reconnaissance tool was installed on the victim’s device.

Once installed, the malware collects information on the device’s architecture. This is an attempt to identify a weak point that can be exploited, such as updates that have not been installed. All of this information is sent off to an Iranian command and control center. A RAT (Remote Access Trojan) is then deployed to exploit the weaknesses uncovered. When the RAT is in place, the Iranians are in control of the device. They can watch what the victim does, steal passwords, and gain access to any contacts. All gathered information is passed on to the Iranians controlling the device. The malware comes with a kill switch in case it is detected.

My guess is that this attack and its associated malware are still in the development stage. However, I think that the idea of using veterans to gain access to parts of the Veterans Affairs network is baked in. Iranian hackers must assume that veterans are valuable endpoints and must have access to some veteran services. If they are able to get a victim’s login information, they could get payments transferred into their own accounts; after all, the Iranian government is low on funds. But, for the most part, Iran’s government hackers are interested in information.

As of September 30th, the Office of Veterans Affairs began sharing all health information with eHealth Exchange, which is, according to the site, “the largest query-based, health information network in the country. It is the principal network that connects federal agencies and non-federal organizations, allowing them to work together to improve patient care and public health.” In short, it is a massive database of information. Veterans must accept this sharing of their personal information unless they have opted out by regular mail. It seems quite clear that if the Iranians managed to gain access to this huge database, they could do any number of nefarious things. At the very least, they could gain access to a huge number of endpoints to penetrate the Office of Veterans Affairs network, so, it is possible that hacking into this medical database is their goal.

But even if this is true, they may still want to work their way through the Veterans Affairs network to more important governmental levels. How far could they go? Here is a chart of the agencies connected to endpoints.

[Image: chart of the agencies connected to endpoints]

As you can see, a well-designed attack could potentially gain access to the Inspector General and, from there, to the Department of Justice. The possibilities from that point on are endless and could involve the president or his staff. Sure, it wouldn’t be easy, but such an attack cannot be completely ruled out. Look how China worked its way through to the Office of Personnel Management which has been described as being among “the largest breaches of government data in the history of the United States.” Without a doubt, this is what the Iranians are hoping to emulate.

Eventually, Iran will succeed, if they haven’t already. All government agencies must be ready to be attacked through weak endpoints. Interested parties should make themselves aware of state-of-the-art endpoint protection and not rely on traditional methods of protection which can be bypassed.

More and more experts are now getting behind the idea that the U.S. and Iran are in an undeclared cyberwar. No one wants to predict the outcome because no one has ever seen the results of an all-out cyberwar. Iran claims it has been preparing for attacks on its petroleum facilities, but my guess is that any attack by the U.S. will be far more serious than this. Keep in mind that the Stuxnet attack was a joint venture by the U.S. and Israel, and that Israel has informants and agents working throughout key components of Iran’s infrastructure. My guess is that the most crippling attacks will come from malicious insiders. What does all this mean? When an attack on Iran finally occurs, it will be obvious because it will be extensive and devastating. The U.S. and Israel will deny any role in it, of course, but such denials are now more of a formality than anything else.
