Iranian Government Faces Another Wave of Cyberattacks from Blackdoordiplomacy Group

The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks against Iranian government entities between July and December 2022. Palo Alto Networks Unit 42, which tracks the activity under its constellation-themed moniker Playful Taurus, said it had identified Iranian government domains attempting to connect to malware infrastructure previously identified as associated with the adversary.

The Chinese APT group, also known as APT15, KeChang, NICKEL and Vixen Panda, has been conducting cyber espionage campaigns against governments and diplomatic entities in North America, South America, Africa and the Middle East since at least 2010. 
 
In June 2021, the Slovak cybersecurity company ESET disclosed intrusions by the group against diplomatic entities and telecommunications companies in Africa and the Middle East using an implant called Turian.

Microsoft then announced in December 2021 that it had seized 2 domains operated by the group in attacks against 29 countries, noting that it exploited unpatched systems to compromise internet-facing web applications such as Microsoft Exchange and SharePoint.

The group is also believed to have recently carried out an attack against an unnamed telecommunications company in the Middle East using Quarian, a precursor to Turian that allows remote access to targeted networks.

Turian "is still in active development and we assess that it is used solely by Playful Taurus actors," Unit 42 said in a report shared with The Hacker News, adding that new variants of the backdoor have been found in the attacks targeting Iran.

The cybersecurity firm also noted that it had observed four different Iranian organizations, including the Ministry of Foreign Affairs and the Natural Resources Organization, contacting a command-and-control (C2) server known to be operated by the group.
 
"The ongoing, daily nature of these connections to Playful Taurus' controlled infrastructure suggests a likely compromise of these networks," it said. New versions of the Turian backdoor include additional obfuscation and an updated decryption algorithm used to recover the C2 server details. The malware itself, however, remains generic: it provides basic functions to update the C2 server it connects to, execute commands and spawn reverse shells.

The group's interest in targeting Iran is said to have a geopolitical dimension, as it comes on the back of a 25-year comprehensive cooperation agreement between China and Iran aimed at promoting economic, military and security cooperation.

"Playful Taurus continues to evolve their tactics and tools," Unit 42 researchers said. "Recent updates to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success in their cyber espionage campaigns."
