We take a look at the underestimated threat posed by Iran’s state-sponsored hacking groups
State-sponsored Iranian threat actors are often perceived as unsophisticated, but security experts questioned by The Daily Swig warned it would be unwise to underestimate the danger the country poses in cyberspace.
The main goals of government-sponsored Iranian espionage are to target organizations in various industries around the world, as well as dissidents and others labeled as enemies of Iran.
How do Iranian threat actors compare to groups elsewhere in the world?
Iranian hackers backed by the state are generally considered to be less advanced than their well-resourced counterparts in Russia or China.
Iranian attackers rarely exploit zero-day vulnerabilities, but what they lack in technical sophistication, they make up for with social engineering tricks.
For example, they invest significant effort in developing elaborate social engineering personas on LinkedIn and elsewhere to convince potentially suspicious targets to open malicious links or attachments.
Cyber operations attributed to Iran span a wide range of capabilities, according to threat intelligence experts.
Emiel Haeghebaert, Associate Analyst at Mandiant Threat Intelligence, commented:
At the lower end of the competence spectrum, Iran has a large hacker community that is active in underground forums. Some of its members conduct politically motivated, disruptive operations such as distributed denial-of-service attacks against Iranian opponents in the Middle East, which are generally considered unsophisticated.
Meanwhile, middle-level agents are targeting the Iranian diaspora and monitoring internal opposition groups.
“These operations are typically based on social engineering through spear phishing or text messaging, and generally follow a predictable pattern of tactics, techniques, and procedures [TTPs],” says Haeghebaert.
At the higher end of the scale, “longtime threat actors like APT34 are consistently developing custom malware and using more advanced techniques to compromise their targets, including DNS hijacking and known web exploits,” he added.
Threat actors attributed to Russia or China generally have more advanced techniques and better operational security than groups attributed to Iran, according to Mandiant.
“However, this does not necessarily mean that the Iranian APT [advanced persistent threat] groups are unsuccessful,” warned Mandiant’s Haeghebaert.
Iranian cybercrime operations “typically rely on social engineering and generally follow a predictable pattern”
Rafe Pilling, Senior Information Security Researcher at Secureworks, agreed that while Iran maintains a competent and effective cyber threat profile, it does not match the capabilities of China and Russia.
“There is a wide range of sophistication among Iranian threat groups, some comparable to lower-priced commercial red teams and others who develop and deploy reasonable-quality novel malware and exercise caution and care on a network,” Pilling told The Daily Swig.
“We generally don’t see zero-day exploits used by Iranian groups, although there is a history of using SQL injection attacks and web exploits successfully,” he added.
Iranian threat groups have proven adept at quickly leveraging freshly released exploit code on recently exposed vulnerabilities.
“VPN, Citrix and RDP vulnerabilities from the last few years have been preferred,” said Secureworks.
Iranian cyber espionage campaigns are often delivered via spear phishing emails that trick the target into downloading weaponized documents or backdoored mobile applications used for spying, rather than by exploiting vulnerabilities in the devices themselves.
“In addition, the analysis of the mobile tools used by these groups suggests that they rely heavily on open source or leaked code,” said Justin Albrecht, security intelligence engineer with mobile security specialist Lookout.
“Much of the malware we’ve analyzed in connection with Iranian APTs has full RAT functionality, but it lacks many of the modern elements that are becoming increasingly popular with malware developers, such as accessibility services abuse, heavy obfuscation, and the use of packers. Nevertheless, our studies show, based on exfiltrated victim data, that their methods are successful.”
How are Iranian threat groups developing?
Iran began investing heavily in its cyber operations program following the discovery in 2010 of Stuxnet, malware that sabotaged the machinery controlling nuclear enrichment centrifuges.
Haeghebaert from Mandiant stated:
Iranian cyber operations began as simple defacements, often carried out by the Iranian Cyber Army. However, as the government and military cyber programs matured, we began to observe more advanced activity in line with Iran’s strategic priorities.
Groups like TEMP.Zagros have recently performed operations using only publicly available tools, while their historical operations have been based on a few select custom malware families and malicious macro documents, suggesting an increased diligence in operational security.
We believe Iran invested heavily in its cyber operations program following the discovery of Stuxnet in 2010, and we can follow developments from there.
At the same time, however, we have seen some evidence that Iran is conducting more aggressive operations aimed at disrupting the networks and day-to-day operations of its targets, including through ransomware.
Kevin Livelli, Director of Threat Intelligence at RiskIQ, said Iranian attackers had “diversified their TTPs” to make it difficult to identify and attribute their campaigns.
“They’re moving away from custom code and backdoors to built-in tools, ‘living off the land’ techniques and leveraging compromised user credentials,” said Livelli.
Iran has in the past carried out cyber attacks through proxy organizations, or created fake group personas to conduct attacks and claim responsibility for them. One example is the group “Cutting Sword of Justice”, which claimed responsibility for the Shamoon wiper malware attacks in 2012.
“There is also evidence that Iranian groups are carrying out destructive attacks in the Middle East under the guise of ransomware operations using malware such as Thanos, Pay2Key and N3tw0rm,” said Secureworks.
There is also evidence of the increasing use of commodity tooling, as well as proficiency with native operating system utilities.
“Legitimate software is a problem for defenders because it can blend in with the routine noise of any network,” Sean Nikkel, senior threat intelligence analyst at Digital Shadows, told The Daily Swig.
How are Iranian threat actors organized?
Iran’s primary cyber operations are carried out by the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS) along with associated contractors and bogus companies.
The IRGC is a powerful paramilitary organization believed to be responsible for disruptive and destructive attacks. The MOIS is a civil intelligence service that focuses on the secret acquisition of information.
Paul Prudhomme, Head of Threat Intelligence Advisory at IntSights, told The Daily Swig: “IRGC and MOIS employees often outsource attacks to non-employees, including Iranian hacktivists and criminals recruited through coercion, compensation, or both.
“Some Iranian threat groups act almost like companies that sell compromised data to Iranian public sector organizations or have organized themselves as ‘institutes’.”
Dozens of high profile cyberattacks have been attributed to various Iranian state-sponsored threat groups
Which countries and organizations are attacked by Iranian attackers?
Government agencies and defense companies are the main targets for Iranian threat actors as successful break-ins can provide political and military information as well as high-quality intellectual property.
According to threat intelligence firm IntSights, four countries stand out as prime targets for government-sponsored Iranian attacks: the US, Israel, Saudi Arabia and the United Arab Emirates.
“The US and Israel are top targets because of their longstanding hostile relations with the current Iranian government, which stem from their support for the former Iranian monarchy and continue to this day with their efforts against the Iranian nuclear program,” commented Prudhomme of IntSights.
“Saudi Arabia is another major regional enemy of Iran due to a variety of political, economic, sectarian and ethnic factors, including its involvement in a regional proxy war in Yemen.
“The UAE is a destination because of a wider range of factors including diplomatic and economic tensions, the role of Dubai and Abu Dhabi as global business and transportation hubs and the presence of many Iranian expatriates in the UAE,” he added.
Which cyber attacks are attributed to Iran?
Disruption and destruction have been hallmarks of government-sponsored Iranian attacks since 2012-2013.
“The Shamoon wiper malware attacks on the national oil and gas companies of Saudi Arabia and Qatar set a precedent for future wiper malware attacks in this sector, particularly in the Persian [Arabian] Gulf, in the following years,” said Prudhomme.
“Government-sponsored Iranian actors have also targeted water infrastructure, from the industrial control systems (ICS) of New York’s Bowman Dam in 2013 to a series of attacks on Israeli water infrastructure in 2020.”
Other attacks attributed to Iranian groups include the DDoS attacks against Western banks in 2012 and 2013, sometimes known as “OpAbabil”.
Attacks on Western universities aimed at stealing research have been blamed on Iranian institutions and Iranian suspects were named in a 2018 U.S. Department of Justice indictment.
In 2020, Iranian cyber espionage groups also targeted the US presidential election.
More recently, Iranian threat actors have been actively exploiting firewall and VPN vulnerabilities.
“Automated mass scanning leads to the deployment of webshells,” says Secureworks. “The threat actor will then use the webshell to manually explore the victim network later and take further action if the target is of interest.”
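The two-stage pattern Secureworks describes (automated mass scanning against edge devices, then a dropped webshell that is driven by hand later) leaves a recognisable trace in ordinary web server access logs. The following detector is an added example written for this article, not code from The Daily Swig or from any of the vendors quoted; the log lines, IP addresses, paths, the list of "static-only" directories and the scan thresholds are all constructed assumptions for illustration and should be tuned to a real environment.

```python
"""Flag the 'mass scan, then webshell' pattern in Common Log Format access logs.

Added example for this article; the sample log, the STATIC_DIRS list and the
thresholds are constructed assumptions, not data from the article or a vendor.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real traffic). 203.0.113.7 first probes
# several edge-device login paths with an automation client, then returns hours
# later with a browser user-agent to POST to a script sitting in /images/.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2021:08:00:01 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 404 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Jun/2021:08:00:02 +0000] "GET /vpn/index.html HTTP/1.1" 404 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Jun/2021:08:00:02 +0000] "GET /global-protect/login.esp HTTP/1.1" 404 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Jun/2021:08:00:03 +0000] "GET /remote/login HTTP/1.1" 200 1204 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Jun/2021:08:00:04 +0000] "POST /remote/login HTTP/1.1" 200 15 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Jun/2021:14:12:40 +0000] "POST /images/help.aspx HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.7 - - [10/Jun/2021:14:13:05 +0000] "POST /images/help.aspx HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.20 - - [10/Jun/2021:09:15:00 +0000] "GET /index.html HTTP/1.1" 200 3200 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.20 - - [10/Jun/2021:09:15:03 +0000] "GET /images/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Directories that should only ever serve static files; a server-side script
# answering POSTs from here is a classic dropped-webshell indicator (assumption).
STATIC_DIRS = ("/images/", "/css/", "/js/", "/aspnet_client/", "/uploads/")
SCRIPT_EXT = (".aspx", ".asp", ".php", ".jsp", ".ashx")
# User-agent prefixes typical of automated scanning clients (assumption).
AUTOMATION_UA = ("python-requests", "curl/", "go-http-client", "masscan", "nmap")


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_webshell_post(rec):
    """True for a POST to a script file located in a static-only directory."""
    path = rec["path"].split("?", 1)[0].lower()
    return rec["method"] == "POST" and path.startswith(STATIC_DIRS) and path.endswith(SCRIPT_EXT)


def analyze(log_text, scan_window_s=60, scan_paths=3):
    """Return (ip, finding, path) tuples for scanning and webshell activity."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Stage 1: mass scanning = many distinct paths inside a short window,
        # combined with 404s (guessing paths) or an automation user-agent.
        scanning = False
        for i, first in enumerate(recs):
            window = [r for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= scan_window_s]
            if len({r["path"] for r in window}) >= scan_paths and (
                any(r["status"] == 404 for r in window)
                or any(r["ua"].lower().startswith(AUTOMATION_UA) for r in window)
            ):
                scanning = True
                break
        if scanning:
            findings.append((ip, "mass_scanning", None))
        # Stage 2: later POSTs to a script in a static directory = webshell use.
        # The same source having scanned earlier raises the confidence.
        for r in recs:
            if is_webshell_post(r):
                label = "webshell_after_scan" if scanning else "webshell_post"
                findings.append((ip, label, r["path"]))
    return findings


if __name__ == "__main__":
    for ip, label, path in analyze(SAMPLE_LOG):
        print(ip, label, path or "")
```

Run against the constructed sample, the scanner IP is reported once for mass scanning and once per webshell POST, while the ordinary browsing client produces nothing. The useful design point is the correlation in stage 2: a POST to a script in an image directory is suspicious on its own, but the same source having probed several edge-device login paths hours earlier is exactly the hand-off from automated scan to manual follow-up that the quote describes, so it is labelled separately for triage priority.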