FBI – Iranian Cyber Actors Targeting Defense Contractors, Schools and Energy Sector

The following document was obtained from the website of the Marshfield, Wisconsin Chamber of Commerce.


FBI Liaison Alert System #M-000045-TT

  • 10 pages
  • TLP: GREEN
  • December 5, 2014


The FBI is providing the following information with HIGH confidence:

A group of cyber actors using infrastructure located in Iran has been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. The actors typically use common computer intrusion techniques such as TOR, open source reconnaissance, exploitation via SQL injection and web shells, and open source tools for further network penetration and persistence. Internet-facing infrastructure, such as web servers, is the typical target for this group. Once the actors penetrate a victim network, they exfiltrate network design information and legitimate user credentials for that network. Often, the actors are able to harvest administrative user credentials and use them to move laterally through the network.

According to public network registration information, IP addresses previously used by this group were assigned to “Tarh Andishan.” The group primarily used two Iran-based IP addresses to conduct its activity, 78.109.194.114 and 217.11.17.99. There has been no activity from these IP addresses since early 2014; however, the group now primarily uses a series of proxy or midpoint infrastructure in support of its computer network operations. The most recent midpoint infrastructure used by this group was located in the United Kingdom and the Netherlands.

Tools: The following tools have been known to be utilized by the cyber actors.
1021114.aspx
4g.exe
akisapi.php
ASPACK
Atkill.txt
Bitvise
c99shell.php
Cafae
Cain and Abel
CCProxy
CCproxy.zip
cmd.aspx
Cprivesc
debug.aspx
DefaultWS.asmx
Dirbuster
FileZilla
Find_tokens.exe
Find_tokens.txt
Gsecdump
Havij
hscan.zip
hscan1.2
img.asp
img.aspx
In2.txt
isapi.aspx
J.exe
Jasus.exe size: 118,272 MD5: 53841511791E4CAC6F0768A9EB5DEF8A Type: ARP POISON TOOL
Jasus.pdb
Kappfree
kappfree.dll
Kelloworld
kelloworld.dll
Klock
klock.dll
Lc.exe
lc15.exe
Libeay32.doc
Libeay32.txt
Loader.exe
LoggerModule.e
mim2.2.exe
Mimikatz
mimikatz.exe
mimikatz.swf
Mx.exe
NBrute Force
NC.exe
ncat.exe
Ncrack
Nc-themida.exe
Netcat
Netscp.exe
netscp_total.exe
Netview
Nmap
NTFS
OS_Detector.exe
ospcsvc.exe
osppsvc.exe
OSQL
ossisvc.exe
ossysvc.exe
Plink
plink.exe
priorities_readfile.aspx
Privesc.exe size: 51,200 MD5: DABF638EB53070CDC7B10BFA5E4E8142
ProcDump
proxy.php
PsExec
PsExec.exe
PsKill
PsList
Putty Link
putty.exe
pw.exe
PwDump
PwDump7.exe
PwDump7_p.exe
rdcmd.aspx
RunAs.exe
Samdump
sekurlsa.dll
Sl.exe
snmpwalk.exe
SQL Manager
STR.EXE
Themida
u.exe
U.exe size: 60,928 MD5: DDA3E5629A0E8FB63A3E19027AE45458
upload.aspx
Wcet
winBypass.php
WinDump
WinDump.exe
winpcap-nmap-4.12.exe
winusr.dll
wminotify.dll
wndTest.exe
wt.exe
xcmd-aspack.exe
xCmdSvc.exe
Xcmdt.exe
xcmd-themida.exe
xp_cmdshell
ZXPortMap.exe

IP Addresses: The following IP addresses have been observed to be utilized by the cyber actors.
64.120.208.154
78.109.194.114
159.253.144.209
217.11.17.99
95.211.191.225
95.211.241.249
95.211.241.251
108.175.153.158
88.150.214.162
88.150.214.166
88.150.214.168
88.150.214.170
184.82.158.18

Identify creation of users and databases named “haha”.
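The indicator lists above (tool and file names with their MD5 hashes, the IP addresses, and the “haha” user/database check) are most useful when run over existing logs. The following is an added example written for this page, not code from the FBI alert: it takes the alert's 13 IP addresses, its three MD5 hashes, and a subset of its tool/file names, and scans constructed log lines (web access log, Sysmon process creations and a Windows 4720 event rendered as key=value fields, SQL Server audit statements) for any of them. The log formats, field names and sample lines are assumptions for the demonstration; only the indicator values come from the alert.

```python
"""Added example (not from the FBI alert): match constructed log lines against the
indicators the alert lists -- the 13 IP addresses, the tool/file names and MD5
hashes, and user or database creations named "haha"."""
import re

# Indicator values below are copied from the alert; everything else is assumed.
IOC_IPS = {
    "64.120.208.154", "78.109.194.114", "159.253.144.209", "217.11.17.99",
    "95.211.191.225", "95.211.241.249", "95.211.241.251", "108.175.153.158",
    "88.150.214.162", "88.150.214.166", "88.150.214.168", "88.150.214.170",
    "184.82.158.18",
}
IOC_MD5 = {  # hash -> file name as given in the alert
    "53841511791E4CAC6F0768A9EB5DEF8A": "Jasus.exe (ARP poison tool)",
    "DABF638EB53070CDC7B10BFA5E4E8142": "Privesc.exe",
    "DDA3E5629A0E8FB63A3E19027AE45458": "U.exe",
}
# Subset of the tool/file names from the alert, lower-cased for matching on the
# basename of a process image, dropped file or requested URL path.  Generic names
# (cmd.aspx, upload.aspx, psexec.exe, putty.exe ...) need triage, not auto-blocking.
IOC_FILENAMES = {
    "1021114.aspx", "4g.exe", "akisapi.php", "c99shell.php", "cmd.aspx",
    "debug.aspx", "find_tokens.exe", "img.asp", "img.aspx", "isapi.aspx",
    "jasus.exe", "kappfree.dll", "kelloworld.dll", "klock.dll", "mim2.2.exe",
    "mimikatz.exe", "mimikatz.swf", "nc-themida.exe", "netscp.exe",
    "os_detector.exe", "privesc.exe", "priorities_readfile.aspx", "proxy.php",
    "pwdump7.exe", "pwdump7_p.exe", "rdcmd.aspx", "sekurlsa.dll", "u.exe",
    "upload.aspx", "winbypass.php", "winusr.dll", "wminotify.dll",
    "xcmd-aspack.exe", "xcmdsvc.exe", "xcmdt.exe", "xcmd-themida.exe",
    "zxportmap.exe",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")
TOKEN_SPLIT = re.compile(r"""[\s"',;=]+""")
# SQL login/user/database creation named exactly "haha" (any case, any quoting).
HAHA_SQL = re.compile(
    r"""\bCREATE\s+(?:LOGIN|USER|DATABASE)\s+[\["'`]?haha[\]"'`]?(?!\w)""", re.I)
# OS account creation named "haha": a `net user` command line or a Windows 4720
# event field (assumed key=value rendering of the event).
HAHA_ACCOUNT = re.compile(
    r"""(?:\bnet\s+user\s+|TargetUserName=)["']?haha["']?(?!\w)""", re.I)


def scan_line(line: str) -> list:
    """Return the indicator hits for one log line (empty list if clean)."""
    hits = []
    for ip in IPV4.findall(line):
        if ip in IOC_IPS:
            hits.append(f"ioc-ip:{ip}")
    for digest in MD5.findall(line):
        if digest.upper() in IOC_MD5:
            hits.append(f"ioc-md5:{IOC_MD5[digest.upper()]}")
    for token in TOKEN_SPLIT.split(line):
        name = re.split(r"[\\/]", token)[-1].lower()  # basename of a path or URL
        if name in IOC_FILENAMES:
            hits.append(f"ioc-file:{name}")
    if HAHA_SQL.search(line):
        hits.append("haha-sql-login-or-database")
    if HAHA_ACCOUNT.search(line):
        hits.append("haha-os-account")
    return hits


def scan_lines(lines):
    """(index, hits) for every line that matched at least one indicator."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := scan_line(line))]


# Constructed sample lines: an Apache/IIS-style access log, Sysmon process
# creations rendered as key=value, SQL Server audit statements, a Windows 4720.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Dec/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512',
    '95.211.241.249 - - [05/Dec/2014:10:02:44 +0000] "POST /upload.aspx HTTP/1.1" 200 93',
    r"Sysmon EventID=1 Image=C:\inetpub\temp\Jasus.exe Hashes=MD5=53841511791e4cac6f0768a9eb5def8a",
    r"Sysmon EventID=1 Image=C:\Windows\System32\notepad.exe Hashes=MD5=0123456789abcdef0123456789abcdef",
    "MSSQL audit: CREATE DATABASE [haha]",
    "MSSQL audit: CREATE LOGIN haha WITH PASSWORD = 'CONSTRUCTED'",
    "MSSQL audit: SELECT * FROM hahaha",
    "MSSQL audit: CREATE USER app_user FOR LOGIN app_user",
    "Security EventID=4720 TargetUserName=haha SubjectUserName=Administrator",
]

if __name__ == "__main__":
    for i, hits in scan_lines(SAMPLE_LOG):
        print(f"line {i}: {', '.join(hits)}")
```

Hash matching is case-insensitive and the "haha" patterns require the name to end after "haha", so a database called "hahaha" is not flagged. The IP list reflects 2014 infrastructure; a hit on it in current logs is a reason to look, not proof of the same actor, and the generic file names in the set should be treated as leads for triage rather than blocking rules.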

