Iridium

Description

(Kaspersky) Iridium is an APT that uses proprietary techniques to bypass two-factor authentication for critical applications, according to security firm Resecurity.

A researcher has attributed a recently publicized attack on Citrix's internal network to the Iranian-linked group known as Iridium, and said that the data heist involved 6 terabytes of sensitive data.

The culprit is an APT that uses proprietary techniques to bypass two-factor authentication for critical applications and services for further unauthorized access to virtual private networks and single sign-on systems, according to Resecurity.

“[Iridium] has hit more than 200 government agencies, oil and gas companies and technology companies, including Citrix Systems Inc.,” they said. Threatpost has reached out for further details as to how the firm is linking the APT to the attack and will update this post accordingly.

Names

| Name | Name-Giver |
| --- | --- |
| Iridium | Resecurity |

Country

Motivation

  • Information theft and espionage

First Seen

2018

Observed Sectors

Tools

Operations

Information

Other Information

Uuid

529edb3c-a5dc-4438-a3ec-a078bc590adc

Last Card Change

2020-04-14