The Israeli cybersecurity firm Cybereason (headquarters in Boston, with offices in Tel Aviv, London, and Tokyo) on Wednesday issued a report saying a newly discovered cyber-espionage operation targeting aerospace and telecommunication companies around the world has been sponsored by the Islamic Republic of Iran since at least 2018 (Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms).
Iran’s Operation GhostShell is a highly targeted cyber-espionage campaign aimed at the aerospace and telecommunications industries, mainly in the Middle East, with additional victims in the US, Russia, and Europe, according to Cybereason. Its team uncovered a previously undocumented and stealthy Remote Access Trojan (RAT), dubbed ShellClient, which was employed as the primary espionage tool.
Cybereason’s assessment of the identity of the operators and authors of ShellClient led to the identification of a new Iranian threat actor, dubbed MalKamak, that remained publicly unknown despite having been active at least as early as 2018.
According to Cybereason, this threat has been mainly active in the Middle East but has also been targeting organizations in the US, Russia, and Europe, focusing on the Aerospace and Telecommunications industries. Another Iranian threat actor Cybereason examined is a relatively new group known as Agrius APT, which has been attacking mainly Israeli organizations and companies, carrying out destructive operations under the guise of ransomware attacks.
Cybereason focused on Iranian actors because most of the victims were located in the Middle East; taken together with the industries under attack and the characteristics of the intrusion and the malware, this made it highly probable that an Iranian state-sponsored threat actor is behind Operation GhostShell. The team compared its latest observations with previous campaigns that had been attributed to Iranian threat actors and was able to show similarities between ShellClient and previously reported Iranian malware and threat actors.
“However, at this point, our estimation is that this operation was carried out by a separate activity group, dubbed MalKamak, which has its own distinct characteristics that distinguish it from the other groups,” Cybereason reported, adding, “Nonetheless, we believe that highlighting the possible connections between various Iranian threat actors could be beneficial. Whether such a connection is a result of a direct collaboration among these threat actors is currently unknown.”