Iranian Hackers Backdoor Entry Through VPN Servers of Giant Organizations

Iran Cobalt Dickens Hacking Group

After the 2010 Stuxnet worm attack on the Natanz nuclear plant, Iran started taking cyber operations seriously. Demonstrating their technical advancement in recent years, Iranian hacking groups recently attacked various sectors in the United States, including IT, telecommunications, oil and gas, aviation, government and security. According to the report by Clearsky, “Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time, starting from several hours to a week or two.” APT stands for advanced persistent threat, a term often used for nation-state hacking units.

Understanding the attack

As observed from the incidents, the attacking group divided their attack into two stages. In the first stage, VPNs were targeted; the second stage involved a complete collection of tools and techniques. The purpose of these attacks appears to be reconnaissance and planting backdoors for surveillance operations.

The initial breach of the targeted organizations was performed, in most cases, by exploiting 1-day vulnerabilities in different VPN services. After gaining a foothold on the target, the attackers tried to maintain access to the networks through a variety of communication tools, including opening RDP links over SSH tunneling. Iranian APT groups focused on IT companies that provide a wide range of services to thousands of companies: by breaking the security of big IT companies, they can more easily gain access to those companies' customers. According to the Clearsky report, “The campaign infrastructure was used to:

  • Develop and maintain access routes to the targeted organizations
  • Steal valuable information from the targeted organizations
  • Maintain a long-lasting foothold at the targeted organizations
  • Breach additional companies through supply-chain attacks”

The attacks relied largely on open source tools; when the hackers could not find open source tools or local utilities to help in their attacks, they had the knowledge to develop custom malware. The Clearsky report says it found tools such as:

  • STSRCheck – Self-developed databases and open ports mapping tool.
  • POW SSHNET – Self-developed backdoor malware for RDP-over-SSH tunneling.
  • Custom VBScripts – Scripts to download TXT files from the command-and-control (C2 or C&C) server and unify these files into a portable executable file.
  • Socket-based backdoor over cs.exe – An EXE file used to open a socket-based connection to a hardcoded IP address.
  • Port.exe – Tool to scan predefined ports for an IP address.

How can organizations safeguard themselves against such attacks?

It is paramount for organizations to check outward-facing systems, including their various VPN systems. There is a need for constant monitoring, making sure that the systems are kept up to date, and preventing unneeded exposure of administration interfaces to the outside world.

Permissions should be a prime concern for networks. Users' permissions and the active users on each station should be monitored constantly. On multiple occasions the attackers created local users that allowed them to act freely, so safeguarding local users is also a prime concern now.
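As an added example (not code from the LIFARS post or the Clearsky report), the following Python script applies the two monitoring points above to a few constructed Windows Security event records: it flags local account creation (event 4720) for accounts outside an allowlist, additions to the local Administrators group (4732), and RDP logons (4624, logon type 10) whose source address is loopback, which is how an RDP session carried over an SSH tunnel appears on the host. The event IDs are real Windows identifiers; the records, hostnames and allowlist are constructed for illustration.

```python
import ipaddress

# Constructed sample events, modelled on fields exported from the Windows
# Security log (event_id plus the fields each event type carries).
SAMPLE_EVENTS = [
    {"event_id": 4624, "host": "WS01", "user": "alice", "logon_type": 10, "source_ip": "10.0.5.12"},
    {"event_id": 4720, "host": "WS01", "user": "svc_backup", "created_by": "alice"},
    {"event_id": 4732, "host": "WS01", "user": "svc_backup", "group": "Administrators", "added_by": "alice"},
    {"event_id": 4624, "host": "WS01", "user": "svc_backup", "logon_type": 10, "source_ip": "127.0.0.1"},
    {"event_id": 4624, "host": "WS01", "user": "bob", "logon_type": 2, "source_ip": "-"},
]

# Constructed allowlist of local accounts expected on each station.
KNOWN_LOCAL_ACCOUNTS = {"WS01": {"alice", "bob"}}


def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; False for other addresses or non-IP values like '-'."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_suspicious(events, known_accounts):
    """Return (rule, host, user) findings for the three patterns described in the text."""
    findings = []
    for ev in events:
        eid, host, user = ev["event_id"], ev["host"], ev["user"]
        if eid == 4720 and user not in known_accounts.get(host, set()):
            # A local account was created that is not on the station's allowlist.
            findings.append(("unexpected_local_account_created", host, user))
        elif eid == 4732 and ev.get("group") == "Administrators":
            # An account was added to the local Administrators group.
            findings.append(("added_to_local_administrators", host, user))
        elif eid == 4624 and ev.get("logon_type") == 10 and is_loopback(ev.get("source_ip", "")):
            # RemoteInteractive logon from localhost: RDP arriving through a local tunnel.
            findings.append(("rdp_logon_from_loopback", host, user))
    return findings


if __name__ == "__main__":
    for rule, host, user in find_suspicious(SAMPLE_EVENTS, KNOWN_LOCAL_ACCOUNTS):
        print(f"{host}: {rule} ({user})")
```

In production these fields would come from the event log export or SIEM rather than inline dicts, and the allowlist would be maintained per station.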


Contacting LIFARS is Your Next (First?) Step for Handling Cyber Incidents.