Nazar: Old Iran-Linked APT Operation Monitored by NSA (Security News, April 2020)
A security researcher says he has uncovered an advanced persistent threat operation that started roughly a decade ago and that is referenced in the collection of National Security Agency hacking tools the Shadow Brokers made public in 2017. The reference appears in the tools' list of signatures for other actors' malware, which is why the operation is described as one the NSA was monitoring rather than one it ran.
The researcher, Juan Andres Guerrero-Saade, calls the operation 'Nazar' because of "Debug paths left alongside Farsi resources in some of the malware droppers," and believes the activity was centered on the 2010-2013 timeframe, judging by submission times in VirusTotal.
While the scope of the operation is unclear - given the lack of access to victimology or command and control sinkholing - three malware samples were encountered exclusively on Iranian machines, and Nazar subcomponents were submitted to VirusTotal from Iran, Guerrero-Saade says.
The researcher revealed in a presentation at the OPCDE cybersecurity conference that based on the available evidence this could be an operation conducted by Iran-based hackers against entities in Iran.
"Somehow, this operation found its way onto the NSA's radar pre-2013," Guerrero-Saade wrote in a blog post on Nazar.