FBI – Iranian Cyber Actors Targeting Defense Contractors, Schools and Energy Sector

The following document was obtained from the website of the Marshfield, Wisconsin Chamber of Commerce.


FBI Liaison Alert System #M-000045-TT

  • 10 pages
  • TLP: GREEN
  • December 5, 2014


The FBI is providing the following information with HIGH confidence:

A group of cyber actors utilizing infrastructure located in Iran has been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. The actors typically utilize common computer intrusion techniques such as the use of TOR, open source reconnaissance, exploitation via SQL injection and web shells, and open source tools for further network penetration and persistence. Internet-facing infrastructure, such as web servers, is a typical target for this group. Once the actors penetrate a victim network, they exfiltrate network design information and legitimate user credentials for the victim network. Oftentimes, the actors are able to harvest administrative user credentials and use them to move laterally through the network.

According to public network registration information, IP addresses previously utilized by this group were assigned to “Tarh Andishan.” The group primarily utilized two Iran-based IP addresses to conduct its activity, 78.109.194.114 and 217.11.17.99. There has been no recent activity from these IP addresses since early 2014; however, the group now primarily utilizes a series of proxy or midpoint infrastructure in support of their computer network operations. The most recent midpoint infrastructure used by this group was located in the United Kingdom and the Netherlands.

Tools: The following tools have been known to be utilized by the cyber actors.
1021114.aspx
4g.exe
akisapi.php
ASPACK
Atkill.txt
Bitvise
c99shell.php
Cafae
Cain and Abel
CCProxy
CCproxy.zip
cmd.aspx
Cprivesc
debug.aspx
DefaultWS.asmx
Dirbuster
FileZilla
Find_tokens.exe
Find_tokens.txt
Gsecdump
Havij
hscan.zip
hscan1.2
img.asp
img.aspx
In2.txt
isapi.aspx
J.exe
Jasus.exe size: 118,272 MD5: 53841511791E4CAC6F0768A9EB5DEF8A Type: ARP POISON TOOL
Jasus.pdb
Kappfree
kappfree.dll
Kelloworld
kelloworld.dll
Klock
klock.dll
Lc.exe
lc15.exe
Libeay32.doc
Libeay32.txt
Loader.exe
LoggerModule.e
mim2.2.exe
Mimikatz
mimikatz.exe
mimikatz.swf
Mx.exe
NBrute Force
NC.exe
ncat.exe
Ncrack
Nc-themida.exe
Netcat
Netscp.exe
netscp_total.exe
Netview
Nmap
NTFS
OS_Detector.exe
ospcsvc.exe
osppsvc.exe
OSQL
ossisvc.exe
ossysvc.exe
Plink
plink.exe
priorities_readfile.aspx
Privesc.exe size: 51,200 MD5: DABF638EB53070CDC7B10BFA5E4E8142
ProcDump
proxy.php
PsExec
PsExec.exe
PsKill
PsList
Putty Link
putty.exe
pw.exe
PwDump
PwDump7.exe
PwDump7_p.exe
rdcmd.aspx
RunAs.exe
Samdump
sekurlsa.dll
Sl.exe
snmpwalk.exe
SQL Manager
STR.EXE
Themida
u.exe
U.exe size: 60,928 MD5: DDA3E5629A0E8FB63A3E19027AE45458
upload.aspx
Wcet
winBypass.php
WinDump
WinDump.exe
winpcap-nmap-4.12.exe
winusr.dll
wminotify.dll
wndTest.exe
wt.exe
xcmd-aspack.exe
xCmdSvc.exe
Xcmdt.exe
xcmd-themida.exe
xp_cmdshell
ZXPortMap.exe

IP Addresses: The following IP addresses have been observed to be utilized by the cyber actors.
64.120.208.154
78.109.194.114
159.253.144.209
217.11.17.99
95.211.191.225
95.211.241.249
95.211.241.251
108.175.153.158
88.150.214.162
88.150.214.166
88.150.214.168
88.150.214.170
184.82.158.18

Identify creation of users and databases named “haha”.
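The following Python script is an added example and is not part of the FBI alert; it shows how a defender would sweep local evidence for the indicators above. The IP addresses, the three MD5 hashes and the tool file names are copied from the alert; the log format, the file inventory and every host name, path and hash that is not on the alert are constructed for the example. Only the web-shell and credential-dumping file names are matched, because names such as Nmap, FileZilla or PsExec also appear in legitimate administration and would produce noise. The alert notes that the two Iran-based addresses went quiet in early 2014 and that the group moved to midpoint infrastructure, so the IP matches should be read as historical indicators rather than a complete block list.

```python
"""Sweep web logs, SQL audit lines and a file inventory for the FLASH M-000045-TT indicators."""
import re

# IP addresses listed in the alert.
IOC_IPS = {
    "64.120.208.154", "78.109.194.114", "159.253.144.209", "217.11.17.99",
    "95.211.191.225", "95.211.241.249", "95.211.241.251", "108.175.153.158",
    "88.150.214.162", "88.150.214.166", "88.150.214.168", "88.150.214.170",
    "184.82.158.18",
}

# MD5 hashes the alert attaches to three tool samples (lower-cased for comparison).
IOC_MD5 = {
    "53841511791e4cac6f0768a9eb5def8a": "Jasus.exe",
    "dabf638eb53070cdc7b10bfa5e4e8142": "Privesc.exe",
    "dda3e5629a0e8fb63a3e19027ae45458": "U.exe",
}

# Web-shell and credential-tool file names from the alert's tool list; generic admin
# utilities (Nmap, FileZilla, PsExec, ...) are deliberately left out to limit false positives.
IOC_FILENAMES = {n.lower() for n in (
    "cmd.aspx", "debug.aspx", "img.asp", "img.aspx", "isapi.aspx", "rdcmd.aspx",
    "upload.aspx", "c99shell.php", "akisapi.php", "proxy.php", "winBypass.php",
    "mimikatz.exe", "PwDump7.exe", "Jasus.exe", "Privesc.exe", "xCmdSvc.exe",
)}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# CREATE USER / CREATE DATABASE named exactly "haha", with optional [] "" '' `` quoting;
# the negative lookahead keeps "hahaha_reports" from matching.
HAHA_DDL = re.compile(r"\bCREATE\s+(?:DATABASE|USER)\s+[\[\"'`]?haha[\]\"'`]?(?![\w.-])", re.I)


def scan_web_log(lines):
    """Return (line_number, ip) for every log line that contains an alert IP address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


def scan_sql_audit(lines):
    """Return line numbers of statements that create a user or database named 'haha'."""
    return [n for n, line in enumerate(lines, 1) if HAHA_DDL.search(line)]


def scan_file_inventory(records):
    """records: iterable of (path, md5_hex). Return (path, reason) for each IOC match."""
    hits = []
    for path, md5 in records:
        name = re.split(r"[\\/]", path)[-1].lower()
        if md5.lower() in IOC_MD5:
            hits.append((path, "md5 matches " + IOC_MD5[md5.lower()]))
        elif name in IOC_FILENAMES:
            hits.append((path, "filename on alert tool list"))
    return hits


# Constructed sample evidence (not from the alert): IIS-style access log entries where
# 10.0.0.5 is the server and the client IP follows the port, SQL audit lines, and a
# file inventory of (path, md5). Hashes other than the alert's are made up.
SAMPLE_WEB_LOG = [
    "2014-11-02 03:14:07 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0 200",
    "2014-11-02 03:15:22 10.0.0.5 POST /upload.aspx - 443 - 88.150.214.166 Mozilla/5.0 200",
    "2014-11-02 03:16:01 10.0.0.5 GET /img.aspx id=3 443 - 95.211.241.251 - 200",
]
SAMPLE_SQL_AUDIT = [
    "2014-11-02 03:20:10 sa CREATE DATABASE haha",
    "2014-11-02 03:20:11 sa CREATE USER [haha] FOR LOGIN [haha]",
    "2014-11-02 03:21:00 app CREATE USER hahaha_reports",
    "2014-11-02 03:22:00 app SELECT name FROM sys.databases",
]
SAMPLE_INVENTORY = [
    (r"C:\inetpub\wwwroot\img.aspx", "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f"),
    (r"C:\Windows\Temp\svc.exe", "53841511791E4CAC6F0768A9EB5DEF8A"),
    (r"C:\Program Files\App\report.exe", "11111111111111111111111111111111"),
]


def run_sweep():
    """Run all three checks over the constructed samples and return the findings."""
    return {
        "web": scan_web_log(SAMPLE_WEB_LOG),
        "sql": scan_sql_audit(SAMPLE_SQL_AUDIT),
        "files": scan_file_inventory(SAMPLE_INVENTORY),
    }


if __name__ == "__main__":
    for kind, findings in run_sweep().items():
        for finding in findings:
            print(kind, finding)
```

The renamed `svc.exe` is caught by its MD5 rather than its name, which is the reason the hash entries from the alert are worth more than the file-name list; conversely, `img.aspx` is flagged by name alone because its hash is not on the alert, so that hit needs a look at the file contents before it is treated as a confirmed web shell.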