IronNet Blog

Analysis of the Iranian cyber attack landscape

Table of Contents

1. Most recent Iranian cyber attack news and attack campaigns

2. Iranian cyber attack history and strategy

3. Iranian cyber attack campaign updates by APT group

Iran often adopts an asymmetric warfare strategy to accomplish its political and military goals, and its development of cyberwarfare capabilities adds to this asymmetric toolkit, allowing the country a low-cost means to conduct espionage and attack stronger adversaries. A risk-averse actor, Iran generally seeks to avoid direct military confrontation against conventionally superior foes. This makes the cyber realm an optimal choice for attack as it provides a means for Iran to exploit enemy vulnerabilities at a low intensity while also minimizing the risk of escalation or retaliation. Over the last decade, Iran has waged a number of disruptive and destructive cyber campaigns against government entities and companies alike, becoming infamous for its deployment of wiper malware as well as its retaliatory attack strategy. The threat of Iranian cyber operations continues to rise as challenges in relation to the renewal of the 2015 Iranian Nuclear Deal persist and regional tensions, specifically between Israel and Iran, escalate. As Iran increases collaboration with Russia and China in matters of policy, security, and trade, it is likely there will be cooperation in matters of offensive and defensive cyber operations, placing the U.S. in a precarious position as a main adversary of all three countries. This article provides an overview of the Iranian cyber threat landscape, including the history of Iranian cyber strategy, the most recent news regarding its attack campaigns, and descriptions of major Iranian cyber threat groups.

Most recent Iranian cyber attack news and attack campaigns

OilRig ‘Out to Sea’ Campaign

TLDR: OilRig is leveraging a new backdoor dubbed Marlin as part of a long-running espionage campaign that started in April 2018. Victims of the campaign, which researchers named ‘Out to Sea’ [PDF], include diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the UAE.

More information: Over the course of three and a half years, OilRig has used various backdoors, starting with DanBot, as well as using the Shark backdoor in April 2021 before transitioning to the Milan backdoor and the new backdoor Marlin in August 2021. Marlin is a notable split from OilRig’s typical TTPs. Danbot, Shark, and Milan use both DNS and  HTTP/S for C2 communications, while Marlin uses the OneDrive API for C2 communications. Post-intrusion activities include lateral movement, as well as data collection and exfiltration via browser-data theft and a keylogger. OilRig uses two initial access vectors: spearphishing and through ITbrain, which is a remote administration software, used in conjunction with the remote access tool TeamViewer.  

Iran MosesStaff APT

TLDR: Cybereason recently released a report detailing the Iranian threat actor Moses Staff, which was first spotted in October 2021. Moses Staff leverages both espionage tactics and ransomware to advance Iran’s geopolitical goals, but instead of using ransomware for financial gain, Moses Staff encrypts files for two purposes: inflicting damages by disrupting critical business operations and covering the attacker’s tracks. 

More information: Cybereason detailed a new RAT dubbed StrifeWater, which is assessed to be used specifically in the initial stage of compromised and is later replaced with other executables. StrifeWater is used to create a foothold in victim and environments, and it has various functions, including executing system commands, screen capturing, establishing persistence, listing system files, and downloading updates and additional modules. The RAT was likely not detected before as it has the ability to remove itself from the victim machine in time for the deployment of malware. Moses Staff is deemed to be a politically motivated group that consistently makes a conscious effort to evade detection until the last stage of attack where they deploy the ransomware to disrupt operations, obfuscate espionage activity, and inflict damage to systems.

Iran hackers targeting VMware

TLDR: SentinelOne has recently released a report on an Iranian-aligned threat actor targeting VMware Horizon Log4j vulnerabilities to deploy ransomware. Dubbing the threat actor  ‘TunnelVision,’ whose TTPs overlap with those of Charming Kitten and Phosphorus, the researchers observed that the group is characterized by the wide exploitation of one-day vulnerabilities in specific regions. 

More information: TunnelVision has been observed exploiting Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell) and the recent Log4Shell vulnerabilities. When exploiting these flaws, the threat actor almost always deploys a tunneling tool, the most common of which are Fast Reverse Proxy Client (FRPC) and Plink. TunnelVison has been exploiting the Log4j vulnerability in VMware Horizon to run PowerShell commands, and the group’s activities have been linked to the deployment of ransomware.

MuddyWater abuses Slack API to steal airline data 

MuddyWater was discovered to be deploying a new backdoor called ‘Aclip’ that abuses the Slack API for covert C2 communications. 

The Aclip backdoor uses the Slack API to send system data, files, and screenshots to the C2 while receiving PowerShell commands at the same time. Researchers first spotted the activity in March 2021, but the MuddyWater campaign began in October 2019 targeting an Asian airline to steal flight reservation and continued to 2021.  

MuddyWater targeting telecoms in Middle East and Asia

Symantec has identified MuddyWater as responsible for a new cyberespionage campaign targeting telecommunication and IT service providers in Asia and the Middle East for over six months. 

Leveraging legitimate tools, publicly available malware, and living-off-the-land tactics, MuddyWater focused on targeting Exchange Servers as part of a larger effort to deploy web shells and establish a backdoor within target networks. Once they successfully breached a network, MuddyWater attempted to steal credentials and move laterally. In some cases, the threat actors may have been using compromised organizations to gain access to other victims in supply-chain-type attacks. 

Geopolitical

  • The eighth round of talks in Vienna to discuss the JCPOA commences. Iranian officials state the delegations agreed that “good progress” was made during the seventh round that ended 10 days earlier, and there is now a “suitable framework” to take the talks forward.

  • The IRGC fires 16 surface-to-surface ballistic missiles at the close of five days of military drills that generals said were a warning to Israel.

Siamese Kitten

Iranian APT group Siamesekitten [PDF] was identified as responsible for a supply chain attack campaign that targeted IT and communication companies in Israel. Siamesekitten has been active since 2018 and has in the past targeted oil, gas, and telecom companies. Researchers have linked the group with low confidence to APT33 and APT34. The attacks occurred in two waves in May and July 2021 and involved impersonating IT companies and their HR personnel to lure IT experts, compromise their computers, and gain access to the company’s clients. The purpose of these attacks and their focus on IT and communication companies is believed to be to facilitate supply chain attacks on their clients. The group's main goal is to conduct espionage and utilize the infected network to gain access to their clients’ networks. As with other groups, it is possible that espionage and intelligence gathering are the first steps toward deploying ransomware or wiper malware.

Tortoiseshell Facebook Attack Campaign

On July 15th, Facebook revealed it tracked and partially disrupted a long-running Iranian attack campaign that used accounts to pose as recruiters and draw in US targets before sending them malware-infected files or tricking them into entering sensitive credentials to phishing sites. Facebook stated that the attackers also pretended to work in hospitality, medicine, journalism, NGOs, or airlines, sometimes conversing with their targets for months with profiles across various social media platforms. Unlike a number of past cases of Iranian state-sponsored social media phishing that have focused on Iran's neighbors, this latest campaign appears to have largely targeted Americans and (to a lesser extent) British and European victims. Facebook stated it has removed "fewer than 200" fake profiles from its platforms as a result of the investigation, as well as notified roughly the same number of users that they had been targeted. 

The hackers behind the campaign have been identified as Tortoiseshell, which is believed to work on behalf of the Iranian government. The group, which has some loose ties and similarities to other Iranian APTs like APT34 and Charming Kitten, first came to light in 2019. At that time, Symantec observed the attackers breaching Saudi Arabian IT providers in an apparent supply chain attack designed to infect the customers with malware known as Syskit. Facebook has spotted that same malware being used in this most recent campaign, but this operation has a far broader set of infection techniques and targets outside of the Middle East. The social media platform says it tied the group's malware samples to a specific Iranian-based IT contractor called Mahak Rayan Afraz, which has previously provided malware to the IRGC, indicating a link between the Tortoiseshell group and the Iranian government.

Charming Kitten Impersonation Campaign

Charming Kitten members, claiming to be a "senior teaching and research fellow" at SOAS university in London sent targeted emails to a select number of victims from fewer than 10 organizations in the US and UK, inviting them to an online conference called “The US Security Challenges in the Middle East.” The email would start a conversation between the attackers and victims (sometimes being quite lengthy to establish trust), which would include the attackers encouraging the victim to open a “registration link” hosted by a real website that had already been compromised by the attackers. This then offered a means to log on using email providers, which could then capture the passwords and user names. 

Stealing such credentials is not new, but the use of a real website marked a change as it was highly unusual and more sophisticated for this group. The fact the attackers were attempting to connect in real-time with victims over phones and video conferences for conversations rather than just engaging over email is also unusual, suggesting confidence in the attackers’ skills in English and in impersonation (although it is not clear if any conversations ended up taking place). The operation targeted individuals from three groups: Senior think-tank personnel researching the Middle East, journalists focused on the region, and academics, including senior professors. It is thought they were likely targeted because they might have information on foreign policy of countries towards Iran, negotiations over Iran's nuclear program, or information about Iranian dissidents.

State-sponsored APT Agrius

In late May, SentinelLabs observed a new Iranian state-sponsored APT, which they dubbed Agrius, as conducting an extensive espionage/destruction campaign against Israeli targets since 2020. Initially engaged in espionage activity, Agrius deployed a set of destructive wiper attacks against Israeli targets, masquerading the activity as ransomware attacks. Masquerading the attacks as ransomware provides the threat actors with plausible deniability, which allows the nation-state to send a message without taking direct blame.

Agrius exploits publicly facing VPN services (primarily ProtonVPN) for initial access, deploying web shells to tunnel RDP traffic as well as leveraging compromised accounts and using a variety of publicly available tools for lateral movement and credential harvesting. On hosts of interest, Agrius deploys its own custom malware - a .NET backdoor called 'IPsec Helper,' which registers itself as a service to establish persistence. The APT has also deployed two different wipers:  novel wiper malware 'Apostle' and DEADWOOD (aka Detbosit), which has been used in previous Iranian wiper attacks against Middle Eastern targets.

OilRig’s new SideTwist backdoor variant

In April 2021, a new campaign by OilRig was discovered by researchers at Checkpoint in which the group employed a new backdoor variant — dubbed SideTwist — against what appears to be a Lebanese target. Using the same initial intrusion vector as several of its previous campaigns, OilRig delivers its malware through a job opportunity document containing malicious macros with DNS (Domain Name System) tunneling that executes the payload and establishes persistence. The second stage payload, SideTwist, has not been seen before in OilRig operations, though its functionality, which includes download, upload, and shell command execution, is similar to other backdoors the group has employed in past campaigns (e.g. DNSpionage and TONEDEAF).

Infy’s Lightning & Thunder active again

In early 2020, new versions of Foudre — a malware associated with the APT (Advanced Persistent Threat) Infy (discussed in detail below) — emerged with new and improved elements from previous versions. This newest edition of the malware includes novel documents containing macros that extract the embedded package once opened and execute it once the document closes (instead of having the victim click on a video link as before). The malware also contains a new component called Tonnerre (French for “thunder”) — a second-stage payload used for persistence, surveillance, and data exfiltration. Once the malware is dropped and executed through the lure documents, the Foudre backdoor connects to the HTTP command-and-control (C2) server and downloads a self-extracting archive with full-featured Tonnerre malware. Using dual C2 communication, Tonnerre uses HTTP to communicate with the first server for commands and updates and FTP to communicate with the second server to which the stolen data is exfiltrated. Camouflaging itself as legitimate software, the executable is exceptionally large at 56MB — an unusual size for malware samples that may allow it to avoid detection as vendors typically avoid large file sizes. This campaign also strays from Infy’s usual target group of Iranian individuals and entities, with victims of Foudre located in Sweden, the Netherlands, the U.S., along with others across Europe, Iraq, and India.

Now, there are some key differences to note in the newest versions of Foudre:

  • DGA Formula: The algorithm for generating domains has been updated and includes the TLDs (top-level domains) of .space, .net, .dynu.net, and .top to evade detection of security vendors using the previously published DGA (domain generation algorithm)
  • C2 RSA Verification: The malware verifies that the server is authentic by downloading a signature file that is signed by the server and ensuring that it is the right one to make the operation more resilient to take-downs
  • The Foudre string no longer present: The window used for keylogging was originally named “Foudre” (giving the malware its name), but has now been renamed to “form1” to help the malware evade signature-based detection

Charming Kitten’s ‘BadBlood’ campaign

Cybersecurity researchers recently uncovered a phishing campaign, dubbed BadBlood, aimed at 25 senior professionals specializing in genetic, neurology, and oncology research in the U.S. and Israel. The campaign was carried out in late 2020, but it was detected, analyzed, and published in late March 2021. It is attributed to Iranian state-sponsored APT Charming Kitten, whose other recent attacks include targeting world leaders attending the Munich Security Conference and the T20 Summit in Saudi Arabia in an effort to steal their email credentials, targeting Israeli scholars and U.S. government employees in another credential-stealing effort last July, and also attacking the re-election effort of former President Donald Trump.

Of note:

  • The bottom line is that BadBlood is not one of its kind; however, for Charming Kitten, it implies a shift in target and collection priorities as they usually target dissidents, academics, diplomats, and journalists in order to further Iranian IRGC interests.
  • The motives have not yet been definitively determined, but are guessed to be the result of a one-off attempt to gather intelligence that potentially can be used in further phishing campaigns. Additional investigation will reveal more about the goals of Charming Kitten regarding the medical sector.

MuddyWater’s ‘Earth Vetala’ campaign

In early March 2021, Trend Micro detected activity targeting numerous organizations in the Middle East and neighboring regions in a campaign dubbed Earth Vetala. The cyber espionage campaign has been attributed to Iranian APT MuddyWater (aka Static Kitten) and is reported to be actively ongoing, targeting government agencies, as well as entities in the sectors of tourism and academia, within countries including the UAE, Saudi Arabia, and Israel. The attackers behind Earth Vetala use features of remote access software to steal sensitive information or download malware for additional cyber operations, leveraging spearphishing emails and lure documents containing embedded links to a legitimate file-sharing service (Onehub) to distribute archives containing the ScreenConnect remote administrator tool and RemoteUtilities software.

Once accessing a victim, the attackers would determine if the user account was an administrator or normal user and then download post-exploitation tools, including utilities to dump passwords, reverse-tunneling tools, and custom backdoors. They would then initiate communication with additional C2 infrastructure to execute obfuscated PowerShell scripts. As MuddyWater is assessed to be primarily focused on cyber-espionage, it is very likely that data theft is the primary objective behind the Earth Vetala campaign.

Iranian cyber attack history

Since the Iranian revolution and the establishment of the current Islamic Republic in 1979, Iranian leadership has been in near-constant conflict with the West and several of its Middle Eastern neighbors. The United States’ previous alliance with the overthrown Pahlavi dynasty and the ensuing hostage crisis set the stage for the tensions that would follow between the two nations in the coming decades. The U.S. and its allies' efforts to contain, counter, and undermine the regime’s influence have taken a variety of forms, including diplomacy, legal action, and economic sanctions. Iran’s determination to establish itself as a nuclear power has also exacerbated the West’s growing concern over the rogue nation’s military ambitions, which strategically include Iranian cyber attacks.

Thus, the 2010 discovery of a sophisticated and largely unprecedented cyber-sabotage campaign targeting Iran’s nuclear facilities at Natanz would prove pivotal in the relationship between the U.S. and the Islamic Republic. While the U.S. government has never claimed responsibility for the Stuxnet virus that disabled hundreds of Iranian centrifuges, many have asserted that the operation was the work of U.S. and/or Israeli intelligence. This debate aside, Iranian officials wasted little time in publicly blaming the U.S. and Israel for the attacks. Following the Stuxnet attacks, Iran set itself on a course to aggressively develop its own cyberspace capabilities.

Additionally, on April 11th, 2021, it was reported that Iran’s Natanz nuclear facilities experienced a blackout after a large explosion destroyed the internal electric grid that supplies its underground uranium enrichment centrifuges. Though initial reports declared the attack as a cyber operation conducted by Israeli actors, evidence surfaced several days later indicating that the damage actually resulted from a physical attack conducted by a suspect that the Iranian state has identified as Reza Karimi. Nonetheless, Israel remains the prime suspect in the sabotage, and this incident has further inflamed tensions across the Middle East where the shadow war between Iran and Israel continues to escalate. Israel and Iran are well-known for their ongoing historical tensions and tit-for-tat attacks, and an amplification in tensions between the two countries has nearly always resulted in increased offensive cyber attacks. Given Iran’s history of using offensive cyber capabilities to respond to attacks or perceived threats to its national interests, there is a significant likelihood that Iran may choose the cyber realm as an attack vector to respond to this recent sabotage it attributes to Israel. The U.S. has been put in a difficult position because of this incident, as it is reluctant to publicly condemn its long-time ally but also does not want to distance itself from Iran as it seeks to revive the nuclear deal. It is possible that the U.S. may also become a target for Iran’s cyber retaliation, and if so, it is likely that Iran will target both government and private sector organizations in the U.S., specifically those in critical sectors like energy, financial services, healthcare, and shipping.

Iranian cyber attack strategy

Lacking the military and economic might of its Western rivals, Iranian leadership views the cyber realm as an asymmetric tool to do damage to their enemies and effectively gather intelligence on foreign governments, corporations, academic institutions, and NGOs — in addition to their own citizens. Once viewed as cyberspace “amateurs,” the Iranian intelligence apparatus has steadily and conspicuously grown its domestic cyber know-how. While Iranian cyber operators may not be viewed as “top tier” in terms of their technical sophistication, the regime’s willingness to conduct aggressive and destructive cyber operations dramatically increases the threat potential posed to those caught in the crosshairs. Highly disruptive operations, presumably carried out at the behest of the Ayatollah, have included drive-wiping attacks against Saudi oil companies and large-scale denial of service attacks against the U.S. financial sector. These actions have displayed open contempt for international norms and indicate the regime’s willingness to retaliate for a variety of perceived transgressions within the cyber domain.

As the last two years have given witness to dozens of malicious cyber campaigns attributed to numerous Iranian threat actors, it appears the regime’s plan has come full circle — cyber has become a full-fledged, core component of Iran’s strategy to harass, contest, and punish its adversaries across the Middle East and the globe.

Cooperative agreement with Russia and China

In January 2021, Iran signed a cooperation agreement on cybersecurity and information and communications technology (ICT) with Russia, establishing technology transfer, combined training, coordination in the UN and other multilateral forums, and cybersecurity cooperation between the two countries. The agreement presents itself as largely defense-oriented, driven by the two’s shared animosity toward the U.S., desire for greater internet censorship, and ambition to reduce dependence on Western technology. Due to mutual suspicion and conflicting goals, the cyber cooperation between Moscow and Tehran will likely be less focused on developing offensive capabilities and more focused on intelligence sharing and cyber defense improvement, which can have major implications for U.S. cyber initiatives [PDF] and security. With the United States being a key adversary of both countries, much of the cooperation and intelligence sharing will be focused on gathering insight on U.S. malware and TTPs (tactics, techniques, and procedures) in order to thwart future U.S. cyber operations. Russia could also help Iran to reverse-engineer the malware that has been deployed against it, and on an even more concerning note, it is possible that the technologies and TTPs that Tehran acquires from Moscow could be passed on to Iranian proxies across the Middle East, including Hezbollah and militia groups in Iraq and Yemen — some of which have already displayed sophisticated hacking capabilities.    

In March 2021, Iran and China signed a 25-year-long strategic cooperation agreement, establishing a long-term partnership focused on economic and defense collaboration. On the economic side, the deal includes Iran providing a discounted oil supply to China,  and in return, investing $400 billion in Iranian critical infrastructure — like railways, health care, IT, and telecommunications — over the next 25 years. On the security side, the deal seeks to increase military and defense cooperation between Tehran and Beijing, calling for joint training, exercises, research, weapon development, and intelligence sharing. Unlike the agreement between Russia and Iran mentioned above, there is not much mention of cyber cooperation in the China-Iran deal; the only mention of cyberspace is that China has offered to help Iran deploy greater internet censorship. However, given that there is going to be greater collaboration between the two in matters of security and defense, it can definitely be assumed that there will be cybersecurity cooperation and intelligence sharing on cyber threats between the two nations over the next several years. Considering the parameters of this long-term deal, past cooperation between the two nations, future trends of cyberwarfare, and the two’s shared political objectives and animus toward the U.S., I think it is likely that there will be joint cyber activity coming from Tehran and Beijing over the next 25 years — with the U.S. being the prime target.

Iranian cyber attack campaign updates by APT group

MuddyWater

Overview

MuddyWater is an Iran-linked threat group that has primarily targeted governmental entities, telecommunications companies, and IT firms located in the Middle East since at least 2017. From analysis of data and backdoor behaviors, it has been determined that MuddyWater’s motivations are likely information theft and espionage, with the group conducting numerous campaigns aimed at a variety of industries in different countries. The group has been tied to campaigns such as the 2021 Earth Vetala campaign targeting several countries in the Middle East; a hacking campaign publicly attributed to the group by Saudi Arabia in 2017; and campaigns targeting Central Asia in 2018 and Eastern Europe in 2019.

The group primarily relies on publicly available tools for lateral movement, credential theft, and exfiltration, achieving initial access via spearphishing emails with Word attachments containing macros to enable malicious payload delivery. MuddyWater has also continued to utilize and update a group of custom tools, many of which are scripts written in Python or PowerShell. 

Recent Activity

In early 2020, researchers identified a MuddyWater-linked campaign dubbedSummer Mirage.” Based on the content and themes of the observed phishing emails and the attached malicious documents, the campaign may have targeted U.S. entities and the oil and gas sector. The malware used in this campaign also contained some new features, suggesting the group continues to update their preferred POWERSTATS PowerShell Trojan.

In October 2020, researchers at ClearSky identified a campaign targeting multiple Israeli organizations. The group attempted to install a malicious downloader known as PowGoop during this campaign. PowGoop was likely used during another recent intrusion into a Middle Eastern state-run organization in which an unidentified group of threat actors also deployed the Thanos ransomware. This activity suggests the presence of PowGoop may serve as a precursor to ransomware deployment. Separate reporting has also highlighted ongoing MuddyWater campaigns targeting Middle Eastern entities with potential links to the PowGoop malware.

Since MuddyWater has not historically been observed conducting ransomware attacks, researchers speculate that the actual goal of the operation may have been to serve as a de facto destructive attack, akin to the NotPetya attacks of 2017 and those carried out by other Iranian threat actors in the past. The use of ransomware could thus serve to hide the true motivations or culprits behind the attack.

Most recently, in March 2021, an actively ongoing cyberespionage campaign dubbed Earth Vetala was attributed to MuddyWater. Victims of the campaign include entities in the Middle Eastern countries of Israel, Saudi Arabia, the UAE, Bahrain, and Azerbaijan, primarily in the sectors of government, tourism, and academia. Earth Vetala uses phishing emails and lure documents to distribute legitimate remote administration tools, which the threat actors use to interact with the compromised host and download post-exploitation tools that include password-dumping utilities, reverse-tunneling tools, and custom backdoors.

Known Targets Telecommunications, IT, Oil and Gas, NGOs, Tourism, and Academia specifically in the Middle East, along with U.S. entities
Sample TTPs
  • Spearphishing as common initial intrusion vector
  • Use and updating of PowerShell backdoor known as POWERSTATS
  • Use of GitHub to store software tools
  • Weaponization of stolen legitimate documents
  • Use of legitimate file-sharing service (Onehub) to distribute archives containing remote access software (ScreenConnect remote administrator tool and RemoteUtilities software) in order to distribute malware
Also Known As Seedworm, TEMP.Zagros, Static Kitten

 

Charming Kitten

Overview

Charming Kitten is an Iranian cyber espionage group largely known for its targeting of academics, human rights advocates, and members of the international media with a nexus to Iran. Believed to have been active since 2014, the group frequently uses social engineering techniques coupled with evolving technical TTPs to ensnare its victims. Unlike other Iranian cyber actors, Charming Kitten appears to be more focused on gaining information on the specific individuals they target rather than capturing troves of data.

In 2019, the group unsuccessfully targeted email accounts belonging to individuals associated with a U.S. presidential campaign and current and former U.S. government officials. 

Recent Activity

While Charming Kitten has continued to target the same demographic groups, its operators have continued to adapt their tactics and attempted to use new communications platforms to interact with their targets. In the summer of 2020, the group was observed using WhatsApp, LinkedIn, and even calling targets directly on the phone in social engineering campaigns.

Charming Kitten actors have continued to attempt to infiltrate U.S. politics, most recently by accessing the accounts of individuals within the Trump administration and presidential campaign staff between May and June of 2020. In October 2020, the group reportedly targeted attendees of the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia, disguising themselves as conference organizers and sending fake PDF invitations with malicious links to over 100 invitees of the conferences. In the age of COVID-19, Charming Kitten has taken a marked shift in target and collection priorities, increasingly targeting medical researchers, such as the BadBlood campaign aimed at 25 senior professionals specializing in genetic, neurology, and oncology research in the U.S. and Israel, as well as a campaign targeting the U.S. pharmaceutical company Gilead, which has garnered international media attention for its research on COVID-19 treatments.

Known Targets
  • Dissidents, Diplomats, Human rights activists, Media, Medical researchers, Governmental and military entities, and Energy and Telecommunications sectors predominantly within the Middle East (especially Saudi Arabia) and the U.S.
Sample TTPs
  • Spearphishing as common initial intrusion vector
  • Leveraging fake personas and social media platforms to interact with their targets (Phishing via SMS, WhatsApp, or social media sites)
  • Frequent impersonation of journalists
  • Watering hole attacks using compromised legitimate websites that are relevant to their targeted victims
  • Impersonations of popular online sites (Google, Microsoft, Yahoo) to harvest user credentials
AKA APT35, Ajax, Phosphorus, Newscaster, Rocket Kitten

 

Infy

Overview

Discovered in 2016 with activity stretching back to 2007, Infy is an Iranian state-sponsored APT whose targets include government entities and private companies in Europe, as well as civil society, activists and dissidents, and press in Iran. The targets of Infy’s campaigns strongly align with Iran’s “soft war” agenda and internal security policies, with the group’s campaigns, intrusion attempts, and target compromises overlapping with those of other Iranian APTs.

Following a takedown operation conducted by Palo Alto Networks’ Unit 42 (who also initially discovered Infy), Infy operations wound down until 2017 when an evolution of Infy malware called Foudre (French for “lightning”) was detected. Following a period of downtime, it seems the actors behind Infy were able to regroup, fix previous issues, drastically reinforce their technical proficiency and tooling capabilities, and implement stealth techniques and underlying infrastructure to help them avoid detection.

Recent Activity

Infy has become known for attempted attacks against Iranian civil society starting in late 2014, which increased up to the February 2016 Iranian parliamentary election. After the election concluded, the rate of attempted exploits decreased but did not end. When operations aimed at Iranian civil society subsided, the group appeared to shift its focus to external targets. This includes spearphishing attempts aimed at the Ministry of Foreign Affairs (MFA) of Denmark in 2016, which unmasked a possible six-year attack campaign linked to the group known as Operation Mermaid.

In 2017, Infy activity was observed through the use of a new malware dubbed Foudre, which has numerous versions that have been detected over the past three years. In early 2020, new versions of Foudre emerged in a new attack campaign that includes some key differences from the older versions. Foudre was joined by a second-stage payload called Tonnerre (French for “thunder”) used for persistence, surveillance, and data exfiltration. Though historically the majority of Infy’s victims have been located within Iran, slowly expanding to external entities that Iran has an espionage interest in, this latest campaign strays from Infy’s usual target groups, with victims of Foudre located in Sweden, the Netherlands, the U.S., along with others across Europe, Iraq, and India.

Known Targets Iranian civil society, Activists, Dissidents, and Press; Government entities and private companies in multiple regions, including countries across North America, Europe, and the Middle East
Sample TTPs
  • Distribution of specifically crafted malicious documents containing Infy malware through spearphishing attacks
  • Use of keylogger malware with a failover C2 communication system
  • Use of RSA signature verifying algorithm to check the veracity of a C2 domain
  • Watering hole attacks using compromised legitimate websites that are relevant to their targeted victims
AKA Prince of Persia, Foudre, Operation Mermaid

 

OilRig

Overview

The OilRig group has been a prolific threat actor within the Middle East for several years. OilRig has primarily targeted Middle Eastern organizations, but has also on occasion targeted those outside the region, including the United States. The group is assessed to be operating on behalf of the Iranian government based on technical indicators and targeting patterns that closely align with Iranian interests.

The group’s tactics have continued to evolve over time. OilRig has used a combination of proprietary malware, customized versions of publicly available hack tools, and “off the shelf” software. Social engineering has featured prominently in many of their campaigns, with the group leveraging social media platforms and masquerading as Western universities on multiple occasions.

OilRig has been known to utilize LinkedIn and to impersonate legitimate institutions, like Cambridge University, to deliver malicious ‘job opportunity’ documents, such as in its DNSpionage campaign aimed at Middle Eastern government entities and private companies in 2018 and its HardPass operation (TONEDEAF) targeting government, energy and utilities, and oil and gas sectors in 2019. Since the leak of OilRig’s tools in 2019, the group has been actively updating their payload arsenal and retooling to avoid detection, creating multiple different malware variants with the same purpose as always: to gain an initial foothold on targeted devices.

While reusing old techniques and maintaining its modus operandi, OilRig continues to build new and updated malware in an effort to minimize detection. The group shows no signs of slowing down, using offensive cyber operations to further promote its political agenda in the Middle East, with an ongoing focus on Lebanon.

Recent Activity

Spring 2020 witnessed OilRig incorporate new tactics into their operations, with researchers noting the use of both the DNS-over-HTTPS protocol and email attachments containing steganography for covert communication channels. Telecommunications companies have been among the group's recent targets, which falls in line with the group’s historical focus on espionage enablement.

The group’s malware toolset has continued to evolve; a modified version of the TONEDEAF backdoor was used in early 2020 during a campaign imitating a U.S. professional services company known to contract with the U.S. government. 2020 also saw OilRig linked to another destructive wiper malware dubbed ZeroCleare, which was used in an attack against organizations within the energy and industrial sectors in the Middle East.

Most recently, OilRig employed a new backdoor variant — dubbed SideTwist — against what appears to be a Lebanese target in a campaign discovered by researchers at Checkpoint in April 2021. In this latest campaign, OilRig utilizes job opportunity documents containing malicious macros with DNS tunneling that executes the payload and establishes persistence as an initial intrusion vector, similar to its previous operations. The second stage payload, SideTwist, has not been seen before in OilRig operations, though its functionality, which includes download, upload, and shell command execution, is similar to other backdoors the group has employed in past campaigns (e.g. DNSpionage and TONEDEAF).

Known Targets

Government agencies, Financial institutions, and Public utilities, as well as Energy, Telecommunications, and Oil and Gas sectors primarily in the Middle East (especially Lebanon and the UAE)

Sample TTPs

  • Use of malicious job opportunity documents as lures to deliver malware (often using social media as an initial delivery mechanism)
  • Spearphishing and social engineering
  • DNS exfiltration, using both custom-built and open-source software tools
  • Extensive use of DNS tunneling for command and control (C2)
  • Email-based C2 using Exchange Web Services and steganography to insert data and commands into image files attached to emails
  • Credential harvesting and use of compromised accounts

Also Known As

APT34, GreenBug, Helix Kitten, IRN2, ITG13

 

APT33

Overview

APT33 has been operating since at least 2013, targeting Iranian adversaries in the commercial and governmental sectors in Saudi Arabia and the United States, among others, in several attack campaigns. The group has been observed using both advanced custom malware and publicly available hacking tools to target sectors such as aviation and petrochemical production. Often conducting multi-staged attacks using weaponized documents, domains resembling legitimate business services, and PowerShell backdoors, APT33 has strong links to Iranian government entities based on the group’s selection of targets and technical indicators that link its online persona to an Iranian cyber institute.

In 2018, researchers at McAfee asserted that APT33 (or a group masquerading as them) was likely responsible for the 2012, 2016, and 2018 Shamoon attacks, as the TTPs used during the multiple waves of attacks closely match domains and tools commonly used by APT33. Notably, APT33 has been linked to destructive wiper malware more than once. The extremely destructive Shamoon malware that is designed to wipe victim systems by overwriting information with garbage data overlaps with the Stonedrill/SHAPESHIFT wiper, which was also used in 2016 to target organizations in Saudi Arabia [PDF].

Recent Activity

In late 2019, researchers at TrendMicro detailed activity attributed to APT33 in which the group established very narrowly targeted botnets to exploit their intended victims. This campaign appeared to follow previous APT33 patterns, as victims included U.S. private companies and universities, U.K. and European oil companies, and several victims in the Middle East and Asia. The campaign included phishing emails designed to impersonate known aviation, oil, and gas companies, which likely served as an initial infection vector. The APT33 actors also went to great lengths to obfuscate their infrastructure, using a series of bot controllers, VPNs, and cloud-hosted proxies to hide their activities.

Though not many large-scale attacks have been attributed to APT33 in 2020-2021, the cybersecurity company HYAS has observed typical APT33 domain registrations continuing in 2020 and has identified a number of domains that were registered using TTPs that had been previously associated with APT33, indicating that the group may still be active in its operations.

Known Targets

Aviation, Manufacturing and Engineering, Energy, and Petrochemical sectors in the United States, Saudi Arabia, and South Korea

Sample TTPs

  • Spearphishing as a frequent initial intrusion vector
  • Brute-force and password-spraying attacks
  • Use of destructive drive-wiping malware
  • Leveraging botnets, private VPNs, and cloud-hosted proxies to enhance obfuscation and operational security
  • Multi-staged attacks using weaponized documents, known productivity software vulnerabilities, and PowerShell backdoors, often launched from domains resembling legitimate business services

Also Known As

Elfin, Magnallium, Holmium, and Refined Kitten

 

Chafer

Overview

Active since at least 2015 and particularly busy in 2017, Chafer is an Iran-linked threat group that has predominantly focused on the theft of data and personal information from targets across multiple sectors and nations in the Middle East, as well as in the U.S. Chafer’s focus on the travel and telecommunications industries suggests that the group’s intent may be to perform tracking and surveillance of end-users, to collect propriety or customer data for Iranian national interests, or to establish initial accesses and vectors for follow-on operations. The group’s targeting of government entities also suggests a possible secondary intent to collect geopolitical information that may benefit Iranian decision-making.

In early attacks, Chafer operators were observed obtaining initial access via SQL injection attacks against internet-facing web servers. However, more recent campaigns document the use of spearphishing emails with malicious attachments, such as Excel files. Historically, the group’s C2 domains have masqueraded as legitimate Windows update service domains.

Multiple researchers have noted potential overlaps with OilRig, both in terms of shared C2 IPs and code overlaps. As is the case with many of the groups detailed here, such overlap amongst campaigns is likely inevitable, as the individuals behind them may share information, infrastructure, or intelligence requirements over time.

Recent Activity

In the spring of 2020, researchers at Bitdefender identified campaigns perpetrated by Chafer that targeted air transportation and government entities in Saudi Arabia and Kuwait during 2018 and 2019. These campaigns appear to fall very much in line with previously reported Chafer activity — both in terms of the countries and sectors targeted and the continued interest in gathering intelligence and surveillance data on historic Iranian adversaries.

In September 2020, the U.S. Department of the Treasury announced sanctions against Chafer, 45 associated Iranian nationals, and a front company named Rana Intelligence Computing Company based on links to the Iranian Ministry of Intelligence and Security (MOIS). The Treasury Department specifically tied these sanctions to malicious campaigns conducted by Chafer targeting “Iranian dissidents, journalists, and international companies in the travel sector.” The U.S. FBI also released a technical alert around the same time detailing a variety of malware known to be used by the group.

Known Targets

Telecommunications, Aviation, IT, and Travel sectors, as well as Government entities, across several regions with a concentration on the Middle East

Sample TTPs

  • Spearphishing using malicious hyperlinks or attachments
  • Leveraging of domains resembling legitimate web services and businesses relevant to intended target
  • SQL injection attacks via front-end web servers
  • Use of custom backdoors (Remexi) combined with publicly available software tools
  • Exploitation of targets’ vulnerable web servers to install webshells (such as ASPXSPY and ANTAK) and use of stolen legitimate credentials to compromise externally facing OWA (Outlook Web Access) resources

Also Known As

APT39, Remix Kitten

 

Pioneer Kitten

Overview

Active since at least 2017, Pioneer Kitten is an Iranian-linked APT focused primarily on gaining and maintaining access to entities with sensitive data of intelligence interest to Iran. The group’s modus operandi is characterized by reliance on exploits of virtual private networks (VPN) and remote external services on internet-facing web servers as well as a near-complete dependence on open-source tooling for operations. Pioneer Kitten employs an opportunistic model and has been known to target North American and Israeli entities in the sectors of technology, government and defense, health care, aviation, finance, and telecommunications. In July 2020, Pioneer Kitten was found advertising access to compromised networks on an underground forum — possibly in an attempt at revenue stream diversification to support its targeted intrusions.

Recent Activity

Between late 2019 and summer 2020, multiple sources described intrusion activity attributed to Iranian state-sponsored cyber operators who were leveraging recently publicized vulnerabilities in popular VPN services such as Pulse Secure, Fortinet, and Palo Alto's GlobalProtect. Researchers at ClearSky released a report [PDF] on these operations in early 2020, stating that this campaign, dubbed Fox Kitten, has likely been active since 2017 and noting it to be “among Iran’s most continuous and comprehensive campaigns revealed until now.” The campaign’s victims span over a wide range of countries and industries, including the IT, telecommunications, oil and gas, aviation, government, and security sectors. The Fox Kitten Campaign’s infrastructure overlaps with the activity of several Iranian threat groups (APT33/Elfin, APT34/OilRig, and APT39/Chafer), and the campaign appears focused on establishing initial footholds within the victim networks, frequently relying on SSH tunneling to maintain persistence within those networks.

In September 2020, CISA and the FBI corroborated these findings, releasing a technical alert attributing the successful exploitation of VPN infrastructure to the group and mapping the group’s tactics, techniques, and procedures (TTP) to the MITRE ATT&CK Framework. While not explicitly naming the ties to Pioneer Kitten, CISA had released an earlier alert in July 2020 warning of the ongoing exploitation of vulnerabilities within F5 BIG-IP infrastructure, another TTP that has been used by the group.

Known Targets

IT, Telecommunications, Healthcare, Financial, Media, Oil and Gas, Aviation, Government, and Security sectors in the Middle East and United States

Sample TTPs

  • Exploitation of VPNs and other network appliances
  • Use of SSH tunneling to facilitate RDP (Remote Desktop Protocol) access to victims
  • Use of custom, open-source, and legitimate native software tools
  • Sale of access to compromised systems and networks on underground forums

Also Known As

Fox Kitten, PARISITE [sic], UNC757

 

Final thoughts about Iranian cyber attack landscape

The past decade has seen the Iranian government demonstrate a strong willingness to use the cyber realm as a weapon for retaliation, rapidly adopting cyberspace operations as a primary tool of national power for means of intelligence collection and espionage. The number of Iranian cyber attack campaigns documented by the cybersecurity community in just the past two years illustrates the significant volume of operations being carried out at the direction of the regime’s political and military leadership, which is particularly notable given the possibility that there are additional, ongoing intrusions that have not yet been detected or documented in the public sphere.

As is almost always the case when discussing state-sponsored threats, the enterprises being victimized by Iranian hackers often lack the tools and information to systematically and effectively counter these adversaries. The growth in volume and sophistication exhibited by Iranian cyber operators suggests that the threat from these groups is continuing to accelerate. In addition to Iran’s latest partnerships with Russia and China, which will very possibly lead to improved offensive and defensive cyber capabilities for Iran, countering such threats calls for new and innovative forms of defense.

There is a greater need for the U.S. and its allies to share vulnerabilities and threats with each other and vendors to collectively defend against increasingly sophisticated cyber attacks. IronNet’s revolutionary Collective Defense approach enables nations and enterprises to defend against emerging threats in real-time as a unified front, more effectively addressing advanced cybersecurity threats on a more holistic, global level. Cyber attacks are oftentimes not isolated incidents, and nation-state threat actors frequently target communities with the same pattern of behavior, escalating an attack through the phases of the Cyber Kill Chain. As the nations who most often target U.S. entities in cyberattacks collaborate to improve their capabilities, IronNet’s Collective Defense approach and state-of-the-art IronDome — designed to send automated alerts of malicious events to the community at a speed faster than human communications — are becoming increasingly necessary to detect large-scale attacks (e.g. SolarWinds) and to prevent hacking tools from being repurposed against multiple targets.