FireEye Reveals Rise in Advanced Threat Activities by Iranian-Linked Ajax Security Team In Post Stuxnet Era

Evidence Linking Hacker Group to Iran Shows Increasing Sophistication in Attacks Targeting U.S. Defense Organizations and Iranian Dissidents

FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today's advanced cyber attacks, today released “Operation Saffron Rose,” a research report detailing the activities of a cyber-espionage group likely based in Iran. The group, which FireEye researchers are dubbing the Ajax Security Team, has progressed from mostly defacing websites in 2009 to full-blown espionage against Iranian dissidents and U.S. defense firms today. Evidence in the report suggests that Ajax’s methodologies have grown more consistent with other advanced persistent threat (APT) actors in and around Iran following cyber attacks against Iran in the late 2000s.

“There is an evolution underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding its offensive cyber capabilities,” said Nart Villeneuve, senior threat intelligence researcher at FireEye. “We have witnessed not only growing activity on the part of Iranian-based threat actors, but also a transition to cyber-espionage tactics. We no longer see these actors conducting attacks to simply spread their message, instead choosing to conduct detailed reconnaissance and control targets’ machines for longer-term initiatives.”

The targets of Operation Saffron Rose include Iranian dissidents and U.S. defense organizations. FireEye Labs recently observed the Ajax Security Team conducting multiple cyber-espionage operations against companies in the defense industrial base within the U.S. The group also targets local Iranian users of Proxifier or Psiphon, which are anti-censorship technologies that bypass Iran’s Internet filtering system.

Whether the Ajax Security Team operates in isolation or as part of a larger government-coordinated effort is unclear. The team uses malware tools that do not appear to be publicly available or used by any other threat groups. This group uses varied social engineering tactics to lure targets into infecting their systems with malware. Although FireEye Labs has not observed the Ajax Security Team using zero-day attacks to infect victims, members of the Ajax Security Team have previously used publicly available exploit code to deface websites.

FireEye uncovered information on 77 victims from one command-and-control (CnC) server found while analyzing malware samples disguised as Proxifier or Psiphon. Analyzing data on the victims, FireEye found that a large concentration had their time zones set to “Iran Standard Time” or language set to Persian.

Below is a detailed breakdown of victim data:

  • 44 had their time zone set to “Iran Standard Time,” and 37 of those also had their language set to Persian.
  • Of the 33 victims that did not have an Iranian time zone setting, 10 had Persian language settings.
  • 12 of the victims had either Proxifier or Psiphon installed or running (all 12 had a Persian language setting, and all but one had their time zone set to “Iran Standard Time”).

Iran has been publicly identified in advanced cyber attacks since 2009, when the plans for a new U.S. presidential Marine Corps One helicopter were found on a file-sharing network in Iran.[1] In 2010, the “Iranian Cyber Army” disrupted Twitter and the Chinese search engine Baidu, redirecting users to Iranian political messages.[2] In 2013 the Wall Street Journal reported that Iranian actors had increased their efforts to compromise U.S. critical infrastructure.[3] Finally, over the past year, another group called Izz ad-Din al-Qassam launched “Operation Ababil,” a series of DDoS attacks against many U.S. financial institutions including the New York Stock Exchange.[4]

The report is available here and a related blog post is here.

About FireEye, Inc.

FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 2,200 customers across more than 60 countries, including over 130 of the Fortune 500.

Media contact:

Vitor De Souza

FireEye, Inc.

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark or trademark of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

[1] Borak, D. (3 Mar 2009) “Source in Iran views Marine One blueprints,” Marine Corps Times.

[2] Wai-yin Kwok, V. (13 Jan 2010) “Baidu Hijacked By Cyber Army,” Forbes.

[3] Gorman, S. & Yadron, D. (23 May 2013) “Iran Hacks Energy Firms, U.S. Says,” Wall Street Journal.

[4] Walker, D. (8 Mar 2013) “Hacktivists plan to resume DDoS campaign against U.S. banks,” SC Magazine.