By Eric Auchard
FRANKFURT (Reuters) - Hackers probably linked to Iran's government have hit Saudi and Western aerospace and petrochemical firms, marking a rise in Iranian cyber-spying prowess, security firm FireEye <FEYE.O> said on Wednesday, an assessment shared by other U.S. experts.
A FireEye report on Wednesday dubbed the hacker group APT33 and offered evidence of its activities since 2013 in seeking to steal aviation and military secrets, while also gearing up for attacks that might cripple entire computer networks.
In a separate but related move last week, the U.S. Treasury Department added two Iran-based hacking networks and eight individuals to a U.S. sanctions list, accusing them of taking part in cyber-enabled attacks on the U.S. financial system.
Iran's Islamic Revolutionary Guard Corps, elements of which were also added to the U.S. sanctions list, was not immediately available for comment when contacted by phone by Reuters on Wednesday, the end of the country's working week.
FireEye identified APT33 after it was called in to investigate cyber attacks on a U.S. aviation organisation, a Saudi business conglomerate with aviation holdings and a South Korean group with interests in oil refining and petrochemicals. FireEye declined to name the companies.
"Iranian fingerprints are all over this campaign, and government fingerprints in particular," John Hultquist, FireEye's director of cyber espionage analysis, told Reuters. "Right now we are seeing a lot of activity that seems to be classic cyber espionage."
APT33 was the first state-backed group from Iran to join a list FireEye has compiled over more than a decade that identifies campaigns by Chinese, Russian and North Korean cyber spies. APT stands for "Advanced Persistent Threat".
Hultquist said APT33 shared some tools with, but appeared to be distinct from, around 15 different hacking groups with Iranian ties that security researchers have identified in recent years, carrying names like "Shamoon", "RocketKitten" and "Charming Kitten".
The Kitten nomenclature reflected the low level of respect for Iran's hacking capabilities in the past, experts have noted.
Several cyber experts described rising maturity and professionalism in Iran's cyber-espionage capabilities.
"In recent years, Iran has invested heavily in building out their computer network attack and exploit capabilities," said Frank Cilluffo, director of George Washington University's Center for Cyber and Homeland Security.
Cilluffo, a former homeland security advisor to President George W. Bush, estimated last year in testimony before the U.S. Congress that Iran's cyber budget had jumped twelve-fold under President Rouhani, making it a "top five world cyber-power".
"They are also integrating cyber operations into their military strategy and doctrine," he told Reuters on Wednesday.
FireEye said attacks against the Saudi and South Korean groups hit as recently as May and used phishing techniques that involved posting fake job vacancies for Saudi oil jobs to lure corporate victims (https://goo.gl/mc1BLY).
Speaking to reporters in Singapore, FireEye Chief Executive Kevin Mandia said Iranian cyber espionage had grown in sophistication since he first spotted Iranians conducting rudimentary attacks on the U.S. State Department in 2008.
"They're good. (They've) got a real capability there," Mandia said of Iran. In the investigations of attacks on Western companies and governments that FireEye is hired to do, Iran now ranks with China and Russia in terms of frequency, he said.
Iran has been scaling up its cyber capacities since the United States and Israel carried out a cyber assault on Iran in 2010, now known as the "Stuxnet" worm, aimed at disabling centrifuges in its nuclear programme, he said.
FireEye's evidence linking Iran to the aviation attacks included the use of the Farsi language in malware that mounted attacks and the fact that hackers observed the Islamic Republic's work week - taking Thursdays off, among other evidence.
FireEye found some ties between APT33 and the Nasr Institute - which other experts have connected to the Iranian Cyber Army, an offshoot of the Revolutionary Guards - but it has yet to find any links to a specific government agency, Hultquist said.
He said APT33 had built a destructive attack capacity into the malware used to infect Western companies, but there was no evidence so far it had been activated. However, FireEye believes it is only a matter of time before the group graduates from intelligence gathering to causing lasting damage.
Adam Meyer, vice president of CrowdStrike, another top U.S. cyber security firm, said there has been a vast uptick in attacks by Iran against Saudi Arabia since last year.
Five years ago, Iran was blamed for a virus attack against oil giant Saudi Aramco and Qatari RasGas, which crippled 30,000 computers at the two organisations. But Meyer said, in hindsight, the "Shamoon" attack was a narrow, unsustained operation.
Broader-based attacks against Saudi Arabia since 2016 use similar malware, with some changes, demonstrating Iran's ability to mount on-going campaigns, he said.
"This second campaign is being carried out in a sustained way in 2016 and 2017 against the Saudi government, related entities and the telecom sector: They are doing it in a way that seeks to destabilise the Saudi regime," Meyers said.
(Additional reporting by Jeremy Wagstaff in Singapore and Bozorgmehr Sharafedin in London; editing by Mark Heinrich, Larry King)