Iranian hackers unleash malware against aviation, petrochem industries — cybersecurity firm

Stuart Davis, a director at one of FireEye's subsidiaries, speaks to journalists about the techniques of Iranian hacking on Wednesday, Sept. 20, 2017, in Dubai, United Arab Emirates. A new report by FireEye, a cybersecurity firm, warned that a suspected group of hackers in Iran is targeting the aviation and petrochemical industries in Saudi Arabia, the US and South Korea. (AP Photo/Kamran Jebreili)
Updated 20 September 2017

DUBAI: A group of hackers suspected of working in Iran for its government is targeting the aviation and petrochemical industries in Saudi Arabia, the US and South Korea, a cybersecurity firm warned Wednesday.
The report by FireEye also said the suspected Iranian hackers left behind a new type of wiper malware capable of destroying the computers it infected, an echo of two other Iran-attributed cyberattacks on Saudi Arabia, in 2012 and 2016, that destroyed systems.
Iran’s office at the United Nations did not immediately respond to a request for comment Wednesday, and its state media did not report on the claims. However, suspected Iranian hackers have long operated without concern for being identified or for any consequences, which makes them incredibly dangerous, said Stuart Davis, a director at one of FireEye’s subsidiaries.
“Today, without any repercussions, a neighboring country can compromise and wipe out 20 institutions,” Davis said.
FireEye, which often works with governments and large corporations, refers to the group as APT33; “APT” is an acronym for “advanced persistent threat.” APT33 gained access to the affected companies through spear-phishing e-mails advertising fake job opportunities, sent from spoofed domain names crafted to make the messages look as though they came from Boeing Co. or defense contractors.
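The lookalike-domain lure described above is a check that a mail gateway or a SOC analyst can automate. The following is an added example, not code from the article or from FireEye: it classifies sender domains against a small trusted list using edit distance (to catch typos and homoglyph swaps such as a zero for an "o") and a brand-name check (to catch the brand reused inside a domain the brand does not own). Everything in it is an assumption for illustration: the sender addresses, the second trusted domain, the `max_distance` threshold, and the registrable-domain logic, which deliberately simplifies to the last two labels where a real deployment should consult the Public Suffix List.

```python
"""Flag sender domains that impersonate trusted brands.

Added example with constructed data: the trusted list, the senders and the
threshold are assumptions for illustration, not indicators from the FireEye report.
"""

# Constructed allow-list: boeing.com is named in the article; the second
# entry is a placeholder for a defense contractor's real domain.
TRUSTED_DOMAINS = ["boeing.com", "defense-contractor.example"]

# Constructed sender addresses for the demo (none are real APT33 indicators).
SAMPLE_SENDERS = [
    "hr@boeing.com",                    # genuine domain
    "careers@boeing-jobs.com",          # brand name inside another registrable domain
    "hr@boeng.com",                     # one character dropped
    "jobs@b0eing.com",                  # digit zero in place of the letter o
    "jobs@boeing.recruit-example.net",  # brand used as a subdomain label
    "it@example.com",                   # unrelated, should pass
]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(domain):
    """Last two labels. Simplification: real code should use the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, detail) where verdict is 'trusted', 'lookalike' or 'clean'."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    reg = registrable_domain(domain)
    if reg in trusted:
        return "trusted", reg
    # Near-miss registrable domains: typos and homoglyph swaps.
    for t in trusted:
        d = levenshtein(reg, t)
        if d <= max_distance:
            return "lookalike", f"{reg} is {d} edit(s) from {t}"
    # Brand name reused in a domain the brand does not own (any label).
    brands = [t.split(".")[0] for t in trusted]
    for label in domain.split("."):
        for brand in brands:
            if brand in label:
                return "lookalike", f"brand '{brand}' in unrelated domain {reg}"
    return "clean", reg


def triage(addresses=SAMPLE_SENDERS):
    """Classify a batch of sender addresses; returns (address, verdict, detail) rows."""
    return [(addr, *classify_sender(addr)) for addr in addresses]


if __name__ == "__main__":
    for addr, verdict, detail in triage():
        print(f"{verdict:9} {addr:35} {detail}")
```

Two caveats for anyone adapting this: an edit-distance threshold of 2 also flags short legitimate domains that happen to be close to a trusted one (for instance `bing.com` is two edits from `boeing.com`), so the trusted list and threshold need tuning per environment; and the check looks only at the envelope or header domain, so it complements rather than replaces SPF, DKIM and DMARC alignment checks, which the attacker's own spoofed domains will typically pass for themselves.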
The hackers remained inside the networks of those affected for “four to six months” at a time, able to steal data, and left behind the wiper malware that FireEye calls SHAPESHIFT. The code contains Farsi-language artifacts (Farsi is the official language of Iran), FireEye said.
Timestamps in the code also correspond to hackers working from Saturday to Wednesday, the Iranian workweek, Davis said. The tools used in the campaign are popular with Iranian coders, servers were registered through Iranian companies, and one of the operators appears to have accidentally left his online handle, “xman_1365_x,” in part of the code.
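The workweek argument above is easy to reproduce on one's own samples, and it is worth seeing why the timezone shift matters. The following is an added example, not code from the article or from FireEye: it takes a list of compile timestamps (which a PE header stores in UTC), discards implausible ones, shifts the rest into a candidate local timezone, and scores how well the resulting weekday histogram fits a Saturday-to-Wednesday, Sunday-to-Thursday or Monday-to-Friday workweek. The timestamps are constructed for the example and are not real APT33 samples; Iran Standard Time is assumed to be a fixed UTC+03:30 (daylight saving is ignored), and the three candidate workweeks and the cutoff date are assumptions as well.

```python
"""Day-of-week analysis of compile timestamps as an attribution signal.

Added example with constructed timestamps (none are real APT33 samples). The
question it answers: do build times cluster on a Saturday-to-Wednesday workweek
once they are shifted into the suspected local timezone?
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order

# Candidate workweeks as sets of datetime.weekday() values (Mon=0 ... Sun=6).
WORKWEEKS = {
    "Sat-Wed": {5, 6, 0, 1, 2},
    "Sun-Thu": {6, 0, 1, 2, 3},
    "Mon-Fri": {0, 1, 2, 3, 4},
}

UTC = timezone.utc
# Assumption: Iran Standard Time is UTC+03:30; daylight-saving shifts are ignored here.
TEHRAN = timezone(timedelta(hours=3, minutes=30))

# Constructed PE compile timestamps in UTC, the form in which a PE header stores them.
SAMPLE_TIMESTAMPS_UTC = [
    "1970-01-01 00:00:00",  # zeroed/stripped stamp: must be discarded, not counted
    "2017-03-04 05:45:00",  # Sat 09:15 Tehran
    "2017-03-05 06:10:00",  # Sun 09:40
    "2017-03-06 08:30:00",  # Mon 12:00
    "2017-03-07 04:00:00",  # Tue 07:30
    "2017-03-08 10:20:00",  # Wed 13:50
    "2017-03-08 20:45:00",  # Wed in UTC, but already Thu 00:15 in Tehran
    "2017-03-11 07:00:00",  # Sat 10:30
    "2017-03-13 05:15:00",  # Mon 08:45
    "2017-03-14 09:00:00",  # Tue 12:30
    "2017-03-15 06:30:00",  # Wed 10:00
]

# Reference date for the future-stamp check (the report's publication date).
NEWEST_PLAUSIBLE = datetime(2017, 9, 20, tzinfo=UTC)


def parse_utc(stamp):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)


def plausible(ts, newest=NEWEST_PLAUSIBLE):
    """Compile stamps are attacker-controlled: drop zeroed and future values."""
    return ts.timestamp() > 0 and ts <= newest


def weekday_counts(stamps, tz):
    """Histogram of weekday names after shifting each UTC stamp into tz."""
    parsed = (parse_utc(s) for s in stamps)
    return Counter(DAY_NAMES[ts.astimezone(tz).weekday()] for ts in parsed if plausible(ts))


def workweek_fit(counts):
    """Fraction of the counted samples that fall inside each candidate workweek."""
    total = sum(counts.values())
    return {
        name: (sum(counts[DAY_NAMES[d]] for d in days) / total if total else 0.0)
        for name, days in WORKWEEKS.items()
    }


def best_workweek(stamps, tz):
    """Name and fit of the workweek that explains the most samples."""
    fits = workweek_fit(weekday_counts(stamps, tz))
    name = max(fits, key=fits.get)
    return name, fits[name]


if __name__ == "__main__":
    for label, tz in (("UTC", UTC), ("Tehran", TEHRAN)):
        counts = weekday_counts(SAMPLE_TIMESTAMPS_UTC, tz)
        print(label, dict(counts), workweek_fit(counts))
```

On the constructed data the Tehran-shifted histogram fits Sat-Wed at 0.9, Sun-Thu at 0.8 and Mon-Fri at 0.7, which illustrates the limits of the signal: with a handful of samples the neighbouring Sun-Thu workweek, used across much of the Gulf, is barely distinguishable, and a single late-evening stamp moves between days depending on the assumed timezone. Compile timestamps are also trivially forgeable, so this belongs alongside the other weak indicators the article lists (language strings, tooling, registrar, handles), never on its own.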
That name “shows up all over Iranian hacker forums,” FireEye’s John Hultquist said. “I don’t think they’re worried about being caught. ... They just don’t feel like they have to bother.”
The Associated Press was able to find other clues pointing to an Iranian nexus. One of the e-mail addresses used to register a malicious server belongs to an Ali Mehrabian, who used the same address to create more than 120 Iranian websites over the past six years.
Neither Mehrabian, who listed himself as living in Tehran, nor “xman” returned e-mails seeking comment.
Iran began building up its cyber capabilities in earnest from 2011, after the Stuxnet worm, discovered in 2010, destroyed about a thousand centrifuges involved in Iran’s contested nuclear program. Stuxnet is widely believed to be an American and Israeli creation.
Iran is believed to be behind the spread of the Shamoon wiper in 2012, which hit Saudi Arabian Oil Co. (Saudi Aramco) and Qatari natural gas producer RasGas. The malware overwrote hard drives with a picture of a burning American flag, leaving the machines unable to boot. Saudi Aramco ultimately shut down its network and replaced over 30,000 computers.
A second version of Shamoon raced through Saudi government computers in late 2016, this time overwriting the destroyed machines’ disks with a photograph of the body of 3-year-old Syrian boy Aylan Kurdi, who drowned fleeing his country’s civil war. Suspicion again fell on Iran.
FireEye’s report said it believed APT33 “is likely in search of strategic intelligence capable of benefiting a government or a military sponsor.”
High on the list of any potential suspects within Iran would be its paramilitary Revolutionary Guard. US prosecutors in March 2016 accused hackers associated with Guard-linked companies of attacking dozens of banks and a small dam near New York City. Hackers linked to the Guard have also been suspected of targeting the e-mail and social-media accounts of Obama administration officials.
___
Associated Press writer Raphael Satter in Paris contributed to this report.