Cybercriminals broke into the systems of 23 leading Iranian insurance firms and SnappFood, Iran's leading online food ordering service, dumping millions of user profiles.
The sample from the insurers' leak included names, phones, identity numbers, addresses, passport numbers, and other sensitive details from the insurance companies including Kowsar, Atieh, Asia, and Alborz. Security researchers at Israel-based threat intel firm Hudson Rock, who discovered the data dump, confirmed that the data "appears to be genuine."
SnappFood Skewered
After the attack on the insurance firms, the attackers, operating under the alias "irleaks" (presumably short for Iran Leaks), boasted that they had also broken into the systems of SnappFood, Iran's leading online food ordering service, and claimed to have exfiltrated 3TB of highly sensitive data.
The haul is said to include 20 million user profiles (emails, passwords, phone numbers), 51 million user addresses, and 600,000 credit card records.
Snappfood issued a holding statement a day later, saying that it was working with local police agencies to "identify and remove the source of pollution caused by the actions of this hacking group."
StealC Info-Stealer
Hudson Rock researchers determined that a computer used by a Snappfood employee — most likely a software developer — was recently infected by the StealC info-stealer. Although unconfirmed as the source of the attack, the malware created a conduit through which sensitive data may have been extracted.
"The infection of this employee's computer resulted in many sensitive credentials of the organization being accessible to some hackers and may have been used as an initial attack vector against the company," Hudson Rock explained in its blog post. "Some of the data includes login details to the company's Confluence server, Jira server, and other development-related URLs."
The motives behind the twin attacks remain unclear but circumstantial evidence points towards cyber espionage rather than profit-driven cybercrime, according to Hudson Rock.
"Given the extensive involvement of leading companies in the breaches, the carefully curated samples, and that the threat actor's account is new to the forum, it seems probable that this is a state-sponsored attack intending to sow internal chaos within Iran," says Alon Gal, CTO at Hudson Rock. "However, it's also plausible that it's a sophisticated threat actor who adeptly infiltrated multiple organizations within Iran."
Insider Error?
The StealC infection most likely began with a software developer at Snappfood downloading a software package laced with the malware, a pattern seen in previous similar attacks. That remains unconfirmed, however, and a spear-phishing attack or some other, as yet unknown, vector may well be to blame.
"The StealC type info stealer that infected an employee at SnappFood is a probable initial attack vector that may have been used in the attack, though we can't know this for certain," Hudson Rock's Gal explained. "Threat actors often take advantage of corporate credentials that are stolen by info stealers, and in the case of this SnappFood compromised employee Hudson Rock did identify many sensitive credentials that could have been used against the organization."
StealC has featured in malware-spreading campaigns run by cybercriminals looking to infect as many computers as possible. These groups (sometimes known as initial access brokers) resell the compromised credentials they collect, often to more experienced threat actors whose expertise lies in picking out the critical credentials and using them to infiltrate organizations for ransomware attacks, other cyberattacks, and account takeovers.