The following document was obtained from the website of the Marshfield, Wisconsin Chamber of Commerce.
FBI Liaison Alert System #M-000045-TT
- 10 pages
- TLP: GREEN
- December 5, 2014
The FBI is providing the following information with HIGH confidence:
A group of cyber actors utilizing infrastructure located in Iran has been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. The actors typically use common intrusion techniques such as TOR, open source reconnaissance, exploitation via SQL injection and web shells, and open source tools for further network penetration and persistence. Internet-facing infrastructure, such as web servers, is the typical target for this group. Once the actors penetrate a victim network, they exfiltrate network design information and legitimate user credentials for that network. Often, the actors are able to harvest administrative credentials and use them to move laterally through the network.
According to public network registration information, IP addresses previously utilized by this group were assigned to “Tarh Andishan.” The group primarily utilized two Iran-based IP addresses to conduct its activity, 220.127.116.11 and 18.104.22.168. No activity has been observed from these IP addresses since early 2014; the group now primarily utilizes a series of proxy or midpoint infrastructure in support of its computer network operations. The most recent midpoint infrastructure used by this group was located in the United Kingdom and the Netherlands.
Tools: The following tools have been known to be utilized by the cyber actors.
- Cain and Abel
- Jasus.exe: size 118,272 bytes; MD5 53841511791E4CAC6F0768A9EB5DEF8A; type: ARP poison tool
- Privesc.exe: size 51,200 bytes; MD5 DABF638EB53070CDC7B10BFA5E4E8142
- U.exe: size 60,928 bytes; MD5 DDA3E5629A0E8FB63A3E19027AE45458
IP Addresses: The following IP addresses have been observed to be utilized by the cyber actors.
Identify creation of users and databases named “haha”.
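The recommendation above is a concrete detection: the actors create a database and/or an account named "haha", so defenders should look for that name in whatever creation logs they already collect. The script below is an added example and is not part of the FBI alert; it assumes three log sources (a SQL Server or MySQL query log with one statement per line, and Windows Security events 4720 "account created" and 4688 "process created" exported as dicts). The sample log lines and events are constructed for the example; only the name "haha" comes from the alert.

```python
"""Detect creation of users or databases named "haha" (added example, not
part of the FBI alert). Assumes SQL query logs (one statement per line) and
Windows Security events 4720 / 4688 exported as dicts. All sample data below
is constructed; only the watched name comes from the alert."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Names the alert tells defenders to look for; add any found locally.
WATCHED_NAMES = {"haha"}

# (kind, regex) pairs; each regex has exactly one group: the created name.
SQL_PATTERNS = [
    # T-SQL / MySQL DDL: CREATE DATABASE haha, [haha], `haha`, "haha"
    ("database", re.compile(r'\bCREATE\s+DATABASE\s+[\[`"]?(\w+)', re.IGNORECASE)),
    # CREATE LOGIN haha (SQL Server), CREATE USER 'haha'@'%' (MySQL)
    ("account", re.compile(r"\bCREATE\s+(?:LOGIN|USER)\s+[\[`'\"]?(\w+)", re.IGNORECASE)),
    # Legacy SQL Server procedures: EXEC sp_addlogin 'haha', ... / sp_adduser
    ("account", re.compile(r"\bsp_add(?:login|user)\s+(?:@loginame\s*=\s*)?'?(\w+)", re.IGNORECASE)),
]

# Local account creation from a shell: net user haha <password> /add
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+.*?/add\b", re.IGNORECASE)


@dataclass
class Finding:
    source: str   # which log the hit came from
    kind: str     # "database" or "account"
    name: str     # created object's name as it appeared in the log
    raw: str      # the offending line / event, for the analyst


def scan_sql_log(lines: Iterable[str], source: str = "sql-log") -> List[Finding]:
    """Return a Finding for every statement creating a watched database or principal."""
    hits = []
    for line in lines:
        for kind, pat in SQL_PATTERNS:
            m = pat.search(line)
            if m and m.group(1).lower() in WATCHED_NAMES:
                hits.append(Finding(source, kind, m.group(1), line.strip()))
    return hits


def scan_windows_events(events: Iterable[Dict]) -> List[Finding]:
    """Flag 4720 (account created) for a watched name, and 4688 process
    creations whose command line runs 'net user <name> ... /add'."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4720:
            name = ev.get("TargetUserName", "")
            if name.lower() in WATCHED_NAMES:
                hits.append(Finding("windows-security", "account", name, str(ev)))
        elif eid == 4688:
            m = NET_USER_ADD.search(ev.get("CommandLine", ""))
            if m and m.group(1).lower() in WATCHED_NAMES:
                hits.append(Finding("windows-security", "account", m.group(1), str(ev)))
    return hits


# Constructed sample data (not real logs from any victim).
SAMPLE_SQL_LOG = [
    "2014-11-20 03:12:07 spid55 CREATE DATABASE [haha]",
    "2014-11-20 03:12:09 spid55 EXEC sp_addlogin 'haha', 'P@ssw0rd', 'haha'",
    "2014-11-20 03:15:41 spid61 SELECT name FROM sys.databases",
    "2014-11-21 09:00:02 spid12 CREATE USER 'svc_backup'@'localhost' IDENTIFIED BY '***'",
]
SAMPLE_WIN_EVENTS = [
    {"EventID": 4720, "TargetUserName": "haha", "SubjectUserName": "WEB01$"},
    {"EventID": 4720, "TargetUserName": "jdoe", "SubjectUserName": "hr-admin"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user haha Summer2014! /add"},
]


def run_detection() -> List[Finding]:
    """Run every scanner over the constructed samples and return all findings."""
    return scan_sql_log(SAMPLE_SQL_LOG) + scan_windows_events(SAMPLE_WIN_EVENTS)


if __name__ == "__main__":
    for f in run_detection():
        print(f"[{f.source}] {f.kind} '{f.name}' created: {f.raw}")
```

On the constructed samples the script reports four events: the `CREATE DATABASE [haha]`, the `sp_addlogin 'haha'`, the 4720 for account `haha`, and the `net user haha ... /add` command line. The patterns are deliberately broad (bracketed, backticked and quoted names, legacy `sp_addlogin`, `net1.exe`) because an actor who arrived via SQL injection or a web shell is as likely to use the stored-procedure or shell path as clean DDL; feeding real logs through `scan_sql_log` and `scan_windows_events` is the only change needed to use it outside the example.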