Iranian hackers infiltrated major VPN and remote systems for years

Firms in the IT and telecoms industry among those targeted by a reconnaissance and information theft campaign

Iranian cyber criminals successfully gained access to the infrastructure of dozens of firms, and have been accused of a string of prominent cyber attacks, including those against Citrix and Palo Alto Networks.

The campaign, dubbed ‘Fox Kitten’, has thus far targeted major companies in order to gain long-lasting control and access to their networks for reconnaissance purposes, and occasionally as a springboard to launch devastating malware attacks.

The campaign, which has been running for at least the last three years, has been orchestrated against companies from the IT, telecoms, oil and gas, aviation, government and security sectors globally.

As outlined in a report from cyber security company ClearSky, several known groups and their cyber activities can be tied with shared common infrastructure, and attributed with medium or high probability to the activity of hacker groups such as APT34-OilRig, APT33-Elfin and APT39-Chafer that are considered to have ties to Iran.

The ClearSky researchers have also determined that there’s a medium probability that APT33 and APT34 have been working together since 2017 via this shared infrastructure.

The key offensive tool harnessed through this campaign comprised exploiting one-day vulnerabilities (zero-day vulnerabilities that have been made public) in different virtual private networks (VPNs) and remote hardware services. These included services provided by Pulse Secure, Fortinet and Palo Alto Networks. 

Some of these vulnerabilities, and their subsequent exploitation, gained notoriety. The National Cyber Security Centre (NCSC) and National Security Agency (NSA), for example, warned against hackers exploiting flaws in VPNs deployed by all three firms in October 2019.

Although the groups’ actions span a number of years, the hackers have already conducted significant activity in 2020, having exploited fresh vulnerabilities in remote systems deployed by Citrix.

“We attribute the 'Fox Kitten' campaign, with medium-high confidence, to the APT34 group, and with medium confidence to the APT33 and APT39 groups,” the report said. “And we assess that there is a cooperation between the groups in infrastructure and possibly beyond that.

“We assess this campaign’s main goal to be intelligence collection on the targets and creating a supply-chain attack. In our analysis, we have not identified distribution of destructive malware in the attacked organizations.”


Once the hackers gained a foothold into the organisation’s network, they maintained access by deploying a range of communication tools, including opening remote desktop protocol (RDP) links. The purpose of this was to camouflage and encrypt communication with their respective targets.

Finally, having infiltrated and maintained access within the organisation, the attackers performed identification, examination and the filtering of sensitive or valuable information from their victims. This was sent back to the attackers for reconnaissance, espionage, or further infection of the infiltrated and associated networks.

From a target company's perspective, the picture is bleak, with a long time needed to actually identify an attacker on a compromised network. According to the report, this varies from several months to never. Monitoring capabilities, meanwhile, that would allow organisations to identify and block an attacker who entered through remote communication tools range from difficult to impossible.

The researchers claimed that, as a result of their findings, those VPN systems that allow for remote access to corporate networks pose a significant risk, because they essentially bypass all defences deployed on the internet.

It’s critical for an organisation to assess its outward-facing systems, including different VPN services, as well as constantly monitoring these systems to ensure they’re continuously updated. Deploying such tools, like VPNs, should also be kept to the bare minimum.
