The trial of a cybersecurity engineer in New Jersey on hacking charges unveiled new details on a huge cyberespionage campaign that stretched from Iran into the United States and could reach far beyond the hacked organizations themselves.
The targets included more than 120 high-profile organizations, including the U.S. Army, the Environmental Protection Agency, the Federal Aviation Administration, and the Department of Agriculture. But researchers said that the criminal group, which calls itself Pawn Storm, showed an expansion that could still be seen across America and its allies.
The case against Iraj Masjedi, an Iranian national, was just one piece of what researchers say is a massive and widespread cyberattack that exploited vulnerabilities in Microsoft software.
While the networks of most victims were kept reasonably secure through a set of mitigations, low-tier web-hosting providers were easy targets, resulting in tens of millions of compromised web servers around the world. Analysts are still trying to figure out just how many servers were used to launch the attack.
“They penetrated a lot of organizations in the United States because once they have an Internet server, everything is easy,” said Rand Eich, a security researcher at the cybersecurity firm Recorded Future. “But the encryption and attack practices were just really weak, so they took them all down.”
At least one program was built specifically to break into the servers in the first place. An infrared system tied to the keyboard – used to summon messages and help desk staff – gave the hackers code for a program that would crash the server and end any conversation, letting them remotely exploit the networks with minimal effort. The FBI took it one step further when the hacking ring moved into factory settings in order to avoid detection, said David DeWalt, Recorded Future’s chief executive officer.
“This was a massive offensive campaign that took years, and they knew they had to hit a lot of people to keep going,” Mr. DeWalt said.
Investigators have been able to identify at least one person, Ahmad Saeed Aalimeh, as an alleged co-leader of the group, but its true size remains difficult to ascertain, said Daniel McAdams, the deputy assistant director of the FBI’s cyber division. Pawn Storm members used the aliases Sefaad Mousshad, Seyyed Nasser Malahat, and Aslam Haider Ashraf.
The FBI has been working with organizations across the U.S. for years in an attempt to prevent further cyberattacks. But given the depth of the damage done, some worry that the virus will be difficult to stamp out.
“No matter how deep the underpinnings of the defensive measures are, if there’s a site-overloading technique, it’s hard to figure out,” said Shawn Henry, the former head of the FBI’s cyber division. “So given how bad the attack was, it’s no wonder they have no idea how many servers they’ve impacted.”
More troubling is the possibility that the hackers were able to rebuild the ransomware the same way they attacked in 2015. While Microsoft patched the flaw in April 2015, the patch did not apply to the company’s network infrastructure or domains. That meant that anyone who successfully infected a computer could launch another attack against the same computers the original hacking operation targeted.
Ransomware was also the method used in the attack. In 2015, Pawn Storm users could recall being able to press a button and see the main database of sites that had been compromised. This time, by contrast, McAdams said attackers will likely deploy a modicum of self-preservation: “If the [victims] are visiting websites that aren’t paying, it’s a good bet they’re telling the heck out of themselves so they don’t end up paying,” he said.
Last year, government information technology officials expressed concerns about the continued vulnerability of web infrastructure in an urgent alert sent to Cabinet secretaries, regulators, and other stakeholders. Researchers had noticed instances of targeted attacks, and one of the predominant techniques being deployed was ransomware that used an encrypted database file, which once accessed was treated as deleted by the system. The ransomware made its way into the recordkeeping system with only one entry – and never functioned as intended.
“All of the major organizations including the U.S. government depend on this infrastructure,” the alert said. “Continued exploitation of this issue and the associated weakness in this infrastructure is a threat to the operations of critical infrastructure.”