Written by Sean Lyngaas

When security researchers began warning about gaping vulnerabilities in virtual private network products months ago, they were hoping to head off the type of sweeping, data-stealing campaigns that could come from state-sponsored hacking groups.

The VPN software, made by companies like Palo Alto Networks and Pulse Secure, and used by corporations around the world, offers an invaluable foothold into corporate networks for hackers able to breach the software.

Iran-linked hackers are showing what happens when those warnings go unheeded. They are using the unpatched vulnerabilities as a tip of the spear in their long-running effort to spy on companies in the aviation, oil and gas, and telecommunications sectors, Israeli company ClearSky CyberSecurity said in research released Sunday.

Companies in Israel, Saudi Arabia and the United States are among the targets.

The report connects three years of activity from various hacking groups that researchers say appear to be operating on behalf of Iran. The hacks have come in waves in 2017 and 2019, according to ClearSky, and they will keep coming in this fashion so long as VPN software leaves organizations’ front door open to attackers.

“We assess that the Iranians will continue to use [recently revealed] vulnerabilities in their attacks before the victims will patch them,” Ohad Zaidenberg, ClearSky’s senior cyber intelligence researcher, told CyberScoop.

The research builds on previous reports that Iran-lined hackers were using vulnerabilities in VPNs to compromise their targets and showing a greater interest in energy-sector companies.

Saudi cybersecurity officials in January, for example, said that attackers had exploited a VPN flaw as part of a data-wiping attack at an unnamed Middle East organization. That same month, industrial cybersecurity company Dragos documented how an Iran-linked group it calls Parisite had increasingly targeted North American electric utilities.

“The exploitation of recently disclosed VPN vulnerabilities is quickly becoming a popular point of access for these groups,” said Saher Naumaan, senior threat intelligence analyst at BAE Systems. From there, the hackers can exfiltrate data or release data-wiping malware, she added.

The research is also the latest evidence that Iran will use its hacking capabilities to cast a wide net to collect data that could be useful for future operations. Last fall, Microsoft warned that one Tehran-linked group, APT33, was throwing password guesses at thousands of organizations, many of them which operate in critical infrastructure sectors.

Naumaan, who closely tracks hackers associated with Iran, pointed out that the eventual target of an attack could be multiple organizations removed from the initial breach.

“Aerospace, utilities, energy, telcos, and IT companies are prime targets, often for intelligence collection,” Naumaan told CyberScoop. “But some targets might provide supply chain access to other organizations, which could give the groups a way in to interests in both the Middle East and North America.”