Iranian Hacking Group Discovered Targeting Aerospace and Telecom

(Bloomberg) — A newly discovered hacking group with alleged ties to the Iranian government has waged a yearslong campaign to steal information from aerospace and telecommunications companies in the Middle East, the U.S., Europe and Russia, according to cybersecurity researchers.

The hacking group, dubbed MalKamak by the researchers, disguised its activities by using the U.S.-based file storage service Dropbox Inc. as the “command and control” server from which it orchestrated hacking operations, according to a report published by Cybereason Inc. on Wednesday. The use of Dropbox helped conceal the hackers’ activity, making it look like the network traffic from compromised computers was associated with legitimate uploads and downloads from the Dropbox website, Cybereason found.

While the group has carried out a targeted spying operation since 2018, Cybereason said it discovered the group only recently, after identifying its involvement in a hack on a Middle Eastern company.

A representative for Dropbox said it had disabled an account identified by Cybereason as belonging to the hackers. A representative for the Iranian government didn’t respond to requests for comment.

Lior Div, the chief executive officer of Cambridge, Massachusetts-based Cybereason, said in an interview that MalKamak was “highly sophisticated” and had been observed seeking out specific data from compromised aerospace and telecommunication companies, which he says indicates the hackers were directed by the Iranian government.

“It’s pure espionage,” Div said. “They are focused on stealing information about equipment that is used by different three-letter agencies around the world. They target companies that build technology for defense and offense.”

Cybereason’s researchers said they had confirmed the hackers had compromised at least 10 companies and estimated that dozens of others have been affected. The firm declined to provide names of companies that were compromised.

MalKamak has possible links to other Iranian state-sponsored hacking groups, including one known as Chafer, but operated using its own distinct tools and techniques, Cybereason found. The group placed a kind of spyware — known as a remote-access Trojan — on the computers it penetrated, which it used to gather information. The group successfully stole a large amount of data from its victims, according to Assaf Dahan, Cybereason’s head of threat research.

The hackers were able to go undetected for several years because they were selective in the companies they targeted and skilled at masking their activity so that they weren’t flagged by security analysts and antivirus software. Cybereason named MalKamak’s hacking campaign “Operation Ghostshell,” in a nod to its stealth. Discovering the group was “a real shocker,” said Dahan, because it had carried out several major breaches worldwide and yet “nobody heard about them or the tools they used.”

©2021 Bloomberg L.P.