Skip to main content

Iran Says It Was Hit With 'Very Big' Cyberattack




Iran’s government has acknowledged that it faced a “very big” cyberattack, following a report in The New York Times this week that information from 15 million Iranian bank accounts was stolen and published online after widespread street protests were crushed in November.
Iran’s telecommunication minister, Mohammad Javad Azari Jahromi — who had previously dismissed the bank-account theft as an insider extortion plot — said the attack had been state sponsored, but he offered no evidence to back up the claim. He said details and the country deemed responsible would be revealed after investigations had been completed.
Mr. Azari Jahromi said Iran’s cybersecurity unit hadthwarted the attack, making no direct mention of the compromised bank accounts.
“We faced a very well-coordinated state-sponsored cyberattack on the government’s digital infrastructure,” Mr. Azari Jahromi told reporters in Tehran on Wednesday. “It was a very big attack.”
He made the announcement the same day that Telegram, the popular phone app widely used in Iran, shut down the channel where the bank account details had been revealed for all to see.
The Telegram channel was created on Nov. 27 and until Dec. 5 had been home to the uploaded names and details for debit cards tied to the accounts of millions of Iranians who are clients of three banks — Mellat, Tejarat and Sarmayeh.
All three were the target of United States sanctions a year earlier over what American officials described as prohibited financial transfers done on behalf of Iran’s Islamic Revolutionary Guards Corps.
“We routinely close down channels which publish personal data like passport scans or credit card numbers,” said Markus Ra, spokesman for Telegram. This channel was closed, he said, when a user reported it to the company after the publication of The Times article.
A week earlier, Mr. Azari Jahromi had characterized the breaching of the bank accounts as the act of a disgruntled former contractor he said had obtained access to the information and was using it for extortion. As of Thursday, the banks had not issued a public statement about the breached accounts.
But it appeared the problem continued even after the channel was erased from Telegram.
Some Iranians posted screenshots of emails they had received from accounts with addresses identical to the customer service departments at two of the banks. The emails showed the account holders’ personal identification details and warned them: “We are in control of your bank information and your bank is lying to you.”
The emails advised these customers to take immediate action but did not specify what it should be. One Iranian said on Twitter that some of these emails contained an attachment file with the numbers of millions of leaked accounts.
An Iranian cybersecurity expert based in New York, Amir Rashidi, said he had traced the emails to a server in Germany.
Cybersecurity experts said that a breach of this magnitude could have been the work of a state actor, although there have been sophisticated attacks on Western banking systems that turned out to be organized by criminal groups.
They also said there was always the possibility that the attack had been the work of an insider.
Iranian media said the attack was the largest banking security breach in Iran’s history.
While there is constant cyberconflict between the United States and Iran, American financial institutions and the Federal Reserve have long been leery of offensive actions by the United States government against other country’s financial systems. They fear that might legitimize reprisals against American accounts.
For Iran, the breach is the latest in a wave of challenges.
In the past month, Iran announced it was facing a significant budget deficit because of American economic sanctions, it crushed nationwide demonstrations with a deadly response that has been widely criticized, and it contended with growing regional resentment. That is especially the case in Iraq, where Iran has exerted significant influence.
Experts aid that the bank breach, at the very least, could create a crisis of public trust with the country’s financial institutions.
Boaz Dolev, chief executive of ClearSky, a cybersecurity company that was among the first outside Iran to spot the banking breach, said he believed the affected banks had deliberately kept quiet. Mr. Dolev speculated that the banks did not cancel the accounts “because they do not want to panic the public or they will find it very difficult to issue new cards.”
In Israel, which like the United States has engaged in cyberconflict with Iran, news about the Iranian banking breach raised suspicions that Iran might blame Israel and take revenge. An Israeli banking official said two of the country’s biggest banks on Wednesday raised their cyberattack warnings to “top alert.”
A Middle Eastern intelligence official who tracks Iran and opposes its foreign policy said that over the past week, top Iranian intelligence agencies, including the large cyberunit inside Iran’s Ministry of Intelligence, had been trying to track down the source of the banking breach and those behind the creation of the now-erased Telegram channel.
The official, who spoke on the condition of anonymity to discuss intelligence matters, said the security authorities in Iran were taking a serious stance on the breach and believe it had increased the potential for a renewed flare-up of antigovernment demonstrations, given the “damage to many citizens and the regime’s failure to prevent such information leaks.”
David E. Sanger contributed reporting.

Originally published at https://www.nytimes.com on December 13, 2019.

Comments

Popular posts from this blog

Ransomware's Dangerous New Trick Is Double-Encrypting Your Data

  Ransomware groups have always taken a more-is-more approach . If a victim pays a ransom and then goes back to business as usual-hit them again. Or don’t just encrypt a target’s systems; steal their data first, so you can threaten to leak it if they don’t pay up. The latest escalation? Ransomware hackers who encrypt a victim’s data twice at the same time. Double-encryption attacks have happened before, usually stemming from two separate ransomware gangs compromising the same victim at the same time. But antivirus company Emsisoft says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware on top of each other. “The groups are constantly trying to work out which strategies are best , which net them the most money for the least amount of effort,” says Emsisoft threat analyst Brett Callow. “So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not act...

Babuk ransomware is back, uses new version on corporate networks

  After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks. The criminals are currently using a new version of their file-encrypting malware and have moved the operation to a new leak site that lists a handful of victims. Gang’s still in the game The Babuk ransomware group became known at the beginning of the year but the gang says that their attacks had started in mid-October 2020, targeting companies across the world and demanding ransoms typically between $60,000 and $85,000 in bitcoin cryptocurrency. In some cases, victims were asked hundreds of thousands for data decryption. One of their most publicized victims is the Washinton DC’s Metropolitan Police Department (MPD). This attack likely pushed the threat actor into announcing its retirement from the ransomware business only to adopt another extortion model that did not include encryption....

Microsoft Teams Phishing Attack Targets Office 365 Users

  Up to 50,000 Office 365 users are being targeted by a phishing campaign that purports to notify them of a “missed chat” from Microsoft Teams. Researchers are warning of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials. Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote workforces during the pandemic  — making it an attractive brand for attackers to impersonate. This particular campaign was sent to between 15,000 to 50,000 Office 365 users, according to researchers with Abnormal Security on Thursday. “Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification,” said researchers in a Thursday analysis . The initial phishing email displays the name ...