U.S. industry is improving its ability to internally discover and mitigate cyber attacks directed at its networks, but threats from Iranian actors may pose new challenges for the defense and aerospace sector, according to a new report.
Cyber security company FireEye’s [FEYE] Mandiant group released its annual cyber trends report Wednesday and named three newly designated Iran-based advanced persistent threat groups focused on intellectual property theft and data breaches.
Facing growing threats, the private sector has seen an uptick in the number of compromises detected and handled internally, rather than first learned of from law enforcement or third-party security groups.
“When it comes to detecting compromises, organizations appear to be getting better at discovering breaches internally,” Mandiant officials wrote in their report. “This is important because our data shows that incidents identified internally tend to have a much shorter dwell time.”
Mandiant found that 62 percent of the cyber attacks it studied between October 2016 and September 2017 were detected internally.
Improving capabilities for rapidly addressing network threats will be a necessary step to thwart cyber attacks by the Iranian advanced persistent threat (APT) groups named in the report, according to Mandiant.
“Iran has increased its cyber espionage capabilities and is now operating at a pace and scale consistent with other nation-state sponsored APT groups,” officials wrote in the report.
One group, known as APT33, has carried out cyber espionage operations against defense and aerospace companies, with specific attention to Western organizations providing support for Saudi Arabia’s military.
Mandiant has also noted the group’s use of spear phishing campaigns against the aviation industry. Specifically, emails disguised as job postings contained links that delivered the malware APT33 used to establish a remote backdoor.
Two other groups, APT34 and APT35, are believed to be state-sponsored threat actors aimed at gathering intellectual property and operational intelligence for the Iranian government, according to the report.
Researchers found that APT35 targets U.S. and Middle Eastern military personnel, as well as companies in the energy and defense industrial base. The report said the group has previously compromised three U.S. companies and successfully conducted reconnaissance on two other U.S. businesses.
“Rather than relying on publicly available malware and utilities, they develop and deploy custom malware. When they are not carrying out destructive attacks against their targets, they are conducting espionage and stealing data like professionals,” Mandiant officials wrote. “Their list of victims currently spans nearly every industry sector and extends well beyond regional conflicts in the Middle East.”
The White House previously issued sanctions and indictments on March 23 against Iranians involved in a hacking network targeting U.S. businesses and universities.
While U.S. industry has improved at detecting threats and prioritizing cyber intelligence gathering, Mandiant found that many organizations have not put in place the security practices needed to prevent future attacks.
“We have observed that many organizations do not have formalized threat and vulnerability management functions with the authority and necessary visibility into all network enclaves, assets and applications, and patches and configuration changes are not applied in a consistent and timely manner across the enterprise,” officials wrote in the report.