An Iranian cyber-group has launched espionage campaigns using customized malware against United States defense companies, FireEye researchers said.

The group, with the name Ajax Security Team, is behind an ongoing series of attacks against both U.S. defense companies as well as individual Iranians who attempt to bypass the Iranian government’s Internet censors, FireEye said in a report published Tuesday.

Ajax Security Team recently infected computers at U.S. defense companies by sending emails and social media messages to attendees of the IEEE Aerospace Conference. Recipients who clicked on the links were directed to, a malicious website which proceeded to download malware on their computers.

The group used custom-malware called Stealer, which collected information about compromised computers and also logged keystrokes. Stealer could grab screenshots and steal information displayed within Web browsers and email software. Stealer encrypted that data before sending it to remote servers under the group’s control.

FireEye did not disclose the name of the companies that had been targeted. Researchers have not yet been able to determine what data might have been stolen.

Ajax Security Team did not just target U.S. Defense companies, as FireEye uncovered a separate operation against Iranians trying to circumvent government censors to view banned online content. There was also evidence the group engaged in credit card fraud. The fact that it has other operations in progress suggests this isn’t a government-controlled group.

The group is led by two members known as “HUrr!c4nE!” and “Cair3x.” While the group originally began by defacing websites, it appears the members became more political after Stuxnet,  FireEye researcher Nart Villeneuve said. The Stuxnet virus significantly damaged Tehran’s nuclear program back in 2010, and is widely believed to have been launched by the U.S. against Iran.

Even though FireEye believes Ajax Security Team is the first Iranian group to use custom-built malware for espionage, this isn’t the first time Iranian hackers have been implicated in attacks against U.S. targets. Experts suspect Iranian cyber-attackers were behind the series of distributed denial-of-service attacks that disrupted the online banking sites for several U.S. financial institutions over the past two years.

Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor for several publications including where she is a networking and security analyst.  She also was a senior writer at eWeek where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center reviewing open source, storage, and networking products. 

Leave a Reply