Last week, it emerged that Citrix had been hacked, potentially exposing large amounts of customer data. The company had been notified by the FBI on March 6 that international cyber criminals had likely gained access to the internal Citrix network.
As more information began to filter through, another, little known company entered the fray: Resecurity. And the cybersecurity firm had some bold claims: Resecurity said the attacks were perpetrated by an Iranian-linked group it calls IRIDIUM, which it claimed has hit more than 200 government agencies, oil and gas firms and technology companies.
The firm said it first reached out to Citrix on December 28 2018 to share an early warning notification about a targeted attack and data breach. This was later confirmed by Citrix, which told tech site The Register that a blog by Stan Black, Citrix CSIO, referred “to the same incident” described by Resecurity: “We have no further comment at this time, but as promised, we will provide updates when we have what we believe is credible and actionable information.”
Resecurity also accused IRIDIUM of perpetrating a recent cyber-attack on the Australian parliament, despite the fact that the government itself had blamed China.
Indeed, some people have questioned the validity of Resecurity’s claims, including the Risky Business cybersecurity podcast. Many in the community were suspicious about the way Resecurity seemingly appeared out of nowhere with bold claims about a major hack. Others criticised a lack of detail, which the firm has since added to its blog.
Who is Resecurity?
It’s true the company was suddenly thrust into the limelight. I got in contact with Resecurity to try to understand more about its origins and findings. Charles Yoo, the firm’s CEO, describes how the company was originally founded in 2016, with a focus on threat intelligence, network reconnaissance and risk management.
At this point Resecurity focused on investment in research and development around tools and platforms that could help enterprises and law enforcement to identify cybersecurity threats, monitor threat actors and collect pre-emptive intelligence. The firm didn’t officially launch until 2018 – which explains why people hadn’t heard much about them before.
According to Yoo, clients include Fortune 500 companies, law enforcement, and government agencies across domestic and international geography.
“We feel that there is room for new players in this space,” says Yoo, who says his firm is competing with “well-established companies specializing in cyber threat intelligence such as Symantec, RSA, FireEye, CrowdStrike, AlienVault, Looking Glass, Digital Shadows, and Flashpoint – whom we have a lot of respect for pioneering the space”.
And in fact, says Yoo, the company prefers to “have a low profile” and “focus on high-quality intelligence acquisition for our customers”.
When asked about the questions surrounding Resecurity, he says: “We respect everyone’s opinion, however we have no additional comments at this time.”
During 2018, the company participated in several industry events including Amazon re:Invent (USA, Silver Sponsor), GovWare 2018 (Singapore, Gold Sponsor) and Internet Security Conference (ISC) 2018 (China, Gold Sponsor). It will participate in the upcoming 31st Annual FIRST Conference 2019 in Edinburgh as a Diamond Sponsor.
Who is IRIDIUM?
Resecurity was confident in its claims that IRIDIUM had perpetrated the Citrix hack – as well as other high-profile cyber-attacks. Yoo says the name “IRIDIUM” was assigned by Resecurity internally. “It is an extremely interesting group of threat actors focused on high-value targets such as financial institutions, critical infrastructure - primarily oil and gas - and government resources based in ‘Five Eyes’ countries and the Middle East.”
“The most active period of their visibility and malicious activity was during winter 2018, when we alerted several large enterprises regarding malicious activity directed by the group,” says Yoo.
According to Yoo, the group has targeted the following:
So how was the group identified? “Interestingly, some of their members have been identified as the result of Dark Web monitoring,” says Yoo. Members had been caught when they attempted to monetize some of their past victims through the underground marketplaces, “which is typical for financially motivated cybercriminals”, Yoo adds.
“Due to specifics of their targets, further analysis of their key members, timeline of the incidents, monitored network intelligence and other previously undisclosed targets, we have a high confidence that a nation-state has direct association with them, or recruited them for conducting cyberespionage activity based on their tasks.”
He points out that in all observed cases of the group’s activity, the end victim has been attacked through “password spraying”, with further attempts to escalate privileges and conduct network intrusion through single sign-on (SSO), VPN or other available channels, leading to massive data exfiltration.
Malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad, says Yoo. In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password.
This can quickly result in a targeted account becoming locked out, because commonly used account-lockout policies allow three to five bad attempts during a set period of time. During a password-spray attack - also known as the “low-and-slow” method - the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. “This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts,” Yoo says.
Password spray campaigns typically target SSO and cloud-based applications utilizing federated authentication protocols, says Yoo. “An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise.”
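The distinction Yoo draws matters for defenders: a per-account lockout counter sees one or two failures per account and never fires, so a spray is only visible when failures are grouped by source across accounts. The following is an added example of that detection logic, not code from the article or from Resecurity; the log format, IP addresses, account names and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of SSO authentication failures (not real logs). The first
# source touches six accounts once each (spray); the second hits one account
# five times (classic brute force); the third is a user who mistyped once.
SAMPLE_LOG = """\
2019-03-10T02:00:01Z auth_failed src=203.0.113.5 user=alice
2019-03-10T02:00:03Z auth_failed src=203.0.113.5 user=bob
2019-03-10T02:00:05Z auth_failed src=203.0.113.5 user=carol
2019-03-10T02:00:07Z auth_failed src=203.0.113.5 user=dave
2019-03-10T02:00:09Z auth_failed src=203.0.113.5 user=erin
2019-03-10T02:00:11Z auth_failed src=203.0.113.5 user=frank
2019-03-10T02:01:00Z auth_failed src=198.51.100.7 user=alice
2019-03-10T02:01:01Z auth_failed src=198.51.100.7 user=alice
2019-03-10T02:01:02Z auth_failed src=198.51.100.7 user=alice
2019-03-10T02:01:03Z auth_failed src=198.51.100.7 user=alice
2019-03-10T02:01:04Z auth_failed src=198.51.100.7 user=alice
2019-03-10T02:05:00Z auth_failed src=192.0.2.9 user=bob
2019-03-10T02:05:30Z auth_ok src=192.0.2.9 user=bob
"""

# Only failure events are of interest; successful logins do not match.
LINE_RE = re.compile(r"^(\S+) auth_failed src=(\S+) user=(\S+)$")


def classify_sources(log_text, lockout_threshold=5, spray_min_accounts=5):
    """Return {source_ip: 'brute_force' | 'spray' | 'benign'}.

    A per-account lockout of `lockout_threshold` bad attempts catches the
    brute-force source but is blind to a spray that spends fewer attempts
    than that on each of many accounts; counting distinct accounts per
    source is what exposes the spray.
    """
    per_src = defaultdict(lambda: defaultdict(int))  # src -> account -> failures
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, src, user = m.groups()
            per_src[src][user] += 1

    verdicts = {}
    for src, accounts in per_src.items():
        if max(accounts.values()) >= lockout_threshold:
            verdicts[src] = "brute_force"  # the lockout policy would fire here
        elif len(accounts) >= spray_min_accounts:
            verdicts[src] = "spray"        # many accounts, each below lockout
        else:
            verdicts[src] = "benign"
    return verdicts
```

In production the same grouping would be done per source over a sliding time window, since a real low-and-slow campaign spreads its attempts across hours or days rather than seconds.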
While some have said attribution to Iran is unlikely – many say China and Russia provide a much bigger threat with far vaster cyber offensive capabilities – there is some evidence that Iran is a player in its own right.
In February 2018, the Department of Justice in the Southern District of New York indicted nine Iranian nationals associated with the Mabna Institute for computer intrusion offenses. The techniques and activity described, while characteristic of Mabna actors, are not limited solely to use by this group, says Yoo. He points out that some of the uncovered targets identified during the IRIDIUM activity investigation “had significant overlap with their past victims compromised in 2014-2017 period: before the indictment had been released”.
This isn’t the last we’ll see of Resecurity. Yoo told me the firm is working on several intelligence reports at the moment related to internet of things security, botnet activity, and emerging cybersecurity threats analysis in Asia-Pacific and the Middle East.
Resecurity’s claims are bold, but the firm is a new company in an already crowded cybersecurity market. And one thing is certain: If you didn’t know who Resecurity were a week ago, you definitely do now.