In the final days of 2021, a cybersecurity firm in Iran detailed a startling discovery: a mysterious piece of malicious code in a server made by Texas-based Hewlett Packard Enterprise Co.
The Tehran-based company, Amnpardaz Software Co., is little known outside of Iran. The same can be said about cybersecurity inside the country: For most of the world, visibility inside Iran is vanishingly low.
The most infamous hack there happened more than a decade ago: the suspected U.S. and Israeli operation, known as Stuxnet, to sabotage Iranian nuclear equipment with advanced tools. There have been few revelations since then.
It caught security professionals’ attention, then, when Amnpardaz in December announced its discovery of the malware. Amnpardaz said its technicians had identified the suspicious software a year earlier when a customer supplied an HPE server that appeared to be malfunctioning.
The machine had been operating normally when, seemingly by its own volition, it began repeatedly deleting its hard drives.
Amnpardaz investigated and found that someone had embedded a skillfully designed piece of malware in the HPE server’s Integrated Lights-Out (iLO) firmware, which enables IT managers to remotely access machines, even when they’re powered off.
The malware disabled key security controls on the server, Amnpardaz said. The company said it found evidence that hackers had used the malware to remotely access the server for at least six months and then triggered a self-destruct cycle to erase evidence of the attack.
“The attackers had decided to wipe the server’s disks and completely hide their tracks,” Amnpardaz wrote in its report. “Clearly, they didn’t think their malware will be found.”
The discovery reveals an advanced hacking operation in which attackers spent months gathering data while maintaining their secrecy. The identity of the intruders remains a mystery, though the thrust of the operation suggests a motive beyond traditional cybercrime.
In a statement, HPE said the malware used a vulnerability in the iLO firmware that the company fixed in 2017. Upon studying Amnpardaz’s findings, Eclypsium Inc., an Oregon-based firmware security company, said the malware had “proven to be stealthy, persistent and damaging,” with a capability of taking “virtually omnipotent control” over a breached machine.
Once rarely detected, advanced hacks involving manipulations of computer firmware and hardware are now spotted more frequently. (Most hacks involve attacking flaws in computer software.)
In January, Russian security firm Kaspersky Lab Inc. published details about a similar attack that the company said likely traced to China. In another case, Slovakian security firm ESET LLC said in 2018 that it had seemingly caught Fancy Bear, the suspected Russian hacking group, using its own form of hard-to-detect firmware attacks.
In response, technology companies are rolling out new products to better block such attempts. Microsoft Corp., for example, in 2019 began pushing systems that use new silicon chips, which the company said are designed to help stop nation-state hacking groups from being able to load malicious code buried in firmware.
However, the sheer number of components and the amount of low-level code present in modern computer systems, along with the vastness of the technology supply chain, give attackers an inherent advantage.
Amnpardaz didn’t speculate on who was behind the attack. But if the firm’s discovery is any indication, the cyber arms race will only continue.
Read full story on Bloomberg