We take a look at the underestimated threat posed by Iran’s state-sponsored hacking groups
Iranian state-sponsored threat actors are often perceived to be unsophisticated, but security experts quizzed by The Daily Swig warned it would be unwise to underestimate the danger the country poses in cyberspace.
The main objectives of Iranian state-sponsored espionage are to target organizations in multiple industries across the world and dissidents or those tagged as enemies of Iran.
How do Iranian threat actors compare to groups elsewhere in the world?
Nation state-backed Iranian hackers are generally considered to be less advanced than their well-resourced counterparts in Russia or China.
Iranian attackers may rarely exploit zero-day vulnerabilities, but what they lack in technical sophistication they make up for in social engineering trickery.
For example, they are known to invest considerable effort in developing more elaborate social engineering personas on LinkedIn and elsewhere in order to persuade potentially suspicious targets to open malicious links or attachments.
Cyber operations attributed to Iran display a wide range of skill levels, according to threat intelligence experts.
Emiel Haeghebaert, associate analyst at Mandiant Threat Intelligence, commented:
On the lower end of the skills spectrum, Iran has a large community of hackers active on underground forums. Some of their members engage in politically motivated, disruptive operations such as distributed denial of service attacks, generally considered to be rather unsophisticated, against Iran's adversaries in the Middle East.
Meanwhile, mid-level operators target the Iranian diaspora and conduct surveillance of internal opposition groups.
“These operations typically rely on social engineering through spear-phishing or SMS messages, and generally follow a predictable pattern of tactics, techniques, and procedures [TTPs],” according to Heghebaert.
At the upper end of the scale, “longstanding threat actors like APT34 consistently develop custom malware and use more advanced techniques to compromise their targets, including DNS hijacking and known web exploits”, he added.
Threat actors attributed to Russia or China generally display more advanced techniques and better operational security than groups attributed to Iran, according to Mandiant.
“This does not necessarily imply, however, that Iranian APT [advanced persistent threat] groups are unsuccessful,” Mandiant’s Heghebaert cautioned.
Iranian cybercrime operations ‘typically rely on social engineering and generally follow a predictable pattern’
Exercise caution
Rafe Pilling, senior information security researcher, Secureworks, agreed that although Iran maintains a competent and effective cyber threat profile, it falls short of Chinese and Russian capabilities.
“There is a spectrum of sophistication from Iranian threat groups, with some on par with low-end commercial red teams and others that develop and deploy novel malware of reasonable quality and exercise caution and diligence when in a network,” Pilling told The Daily Swig.
“We tend not see zero-day exploits used by Iranian groups, although there has been a history of using SQL injection attacks and web exploits to good effect,” he added.
Catch up on the latest cyber-warfare news
Iranian threat groups have proved adroit at quickly embracing freshly published exploit code for recently disclosed vulnerabilities.
“VPN, Citrix, and RDP vulnerabilities from the last couple of years have been favoured,“ according to SecureWorks.
Iranian cyber-espionage campaigns are often delivered via spear-phishing emails, deceiving the target to download weaponised documents or backdoored mobile applications to spy on them, rather than exploiting vulnerabilities on the devices themselves.
“Additionally, analysis of the mobile tooling used by these groups suggests a heavy reliance on open source or leaked code,” according to Justin Albrecht, security intelligence engineer at mobile security specialist Lookout.
“Much of the malware we’ve analyzed tied to Iranian APTs feature full RAT capabilities, however they lack many of the modern elements growing in popularity amongst malware developers such as the abuse of Accessibility Services, heavy obfuscation, and packer use. Despite this, our research indicates that their methods are successful based on exfiltrated victim data.”
How are Iranian threat groups evolving?
Iran started heavily investing in its cyber operations program following the Stuxnet attack (malware that sabotaged the machinery running nuclear enrichment centrifuges) in 2010.
Mandiant’s Heghebaert explained:
Iranian cyber operations started as low-level defacements often conducted by the ‘Iranian Cyber Army’. As the government and military cyber programs matured, however, we started observing more advanced activity in line with Iran's strategic priorities.
Groups like TEMP.Zagros have recently conducted operations using only publicly available tools, whereas their historic operations relied on a select few custom malware families and malicious macro documents, indicating increased diligence for operational security.
We believe that Iran started heavily investing in its cyber operations program following the discovery of Stuxnet in 2010, and we can track the evolution from there.
Simultaneously, however, we have seen some indication that Iran is conducting more aggressive operations designed to disrupt their target's networks and day-to-day operations, including through ransomware.
Kevin Livelli, director of threat intelligence at RiskIQ, said Iranian attackers have “diversified their TTPs” to make the identification and attribution of their campaigns more difficult.
“They are moving away from custom code and backdoors in favour of built-in, ‘living off the land’ techniques and leveraging compromised user credentials,” Livelli said.
RECOMMENDED A guide to spear-phishing – how to protect against targeted attacks
Iran has a history of conducting cyber-attacks through proxy organizations or creating fake group personas to conduct and claim responsibility for attacks – for example, the ‘Cutting Sword of Justice’ group that claimed responsibility for the 2012 Shamoon wiper malware attacks.
“There are also indications that Iranian groups are conducting destructive attacks in the Middle East under the guise of ransomware operations using malware including Thanos, Pay2Key, and N3tw0rm,” according to Secureworks.
There’s evidence of the growing use of off-the-shelf technology as well as proficiency with native operating system applications.
“Legitimate software poses a problem to defenders because it may blend in with any network’s routine operational ‘noise’,” Sean Nikkel, senior threat intelligence analyst at Digital Shadows, told The Daily Swig.
How are Iranian threat actors organized?
Iran’s primary cyber operations are conducted by the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), along with affiliated contractors and front companies.
The IRGC is a powerful paramilitary organization that’s said to be responsible for disruptive and destructive attacks. The MOIS is a civilian intelligence service focusing on the clandestine acquisition of intelligence.
Paul Prudhomme, head of threat intelligence advisory at IntSights, told The Daily Swig: “IRGC and MOIS employees often outsource attacks to non-employees, including Iranian hacktivists and criminals that they have recruited via coercion, compensation, or both.
“Some Iranian threat groups operate almost as businesses that sell compromised data to Iranian public sector organisations or have organized themselves as ‘institutes’.”
Dozens of high-profile cyber-attacks have been attributed to various Iranian state-backed threat groups
What countries and organizations are being targeted by Iranian attackers?
Government agencies and defense contractors are top targets for Iranian threat actors because successful breaches can yield political and military intelligence, along with high-value intellectual property.
According to threat intel firm IntSights, four countries stand out as prime targets for state-sponsored Iranian attacks: the US, Israel, Saudi Arabia, and the UAE.
RELATED Russian cybercrooks co-opted Iranian hacking tools to attacks dozens of countries
“The US and Israel are top targets due to their longstanding adversarial relationships with the current Iranian government dating back to their support for the former Iranian monarchy and persisting into the present day with their efforts against Iran’s nuclear program,” IntSights’ Prudhomme commented.
“Saudi Arabia is another chief regional adversary of Iran due to a variety of political, economic, sectarian, and ethnic factors, including their participation in a regional proxy war in Yemen.
“The UAE is a target due to a wider range of factors, including diplomatic and economic tensions, the roles of Dubai and Abu Dhabi as global business and transportation hubs, and the presence of many Iranian expatriates in the UAE," he added.
What cyber-attacks have been attributed to Iran?
Disruption and destruction have been hallmark features of state-sponsored Iranian attacks since 2012-2013.
“The Shamoon wiper malware attacks on the national oil and gas companies of Saudi Arabia and Qatar set a precedent for future wiper malware attacks on that sector, primarily in the Persian Gulf, in subsequent years,” according to Prudhomme.
“State-sponsored Iranian actors have also targeted water infrastructure, beginning with the industrial control systems (ICS) of New York’s Bowman Dam in 2013, and more recently in a series of attacks on Israeli water infrastructure in 2020.”
Other attacks attributed to Iranian groups include DDoS attacks against western banks in 2012 and 2013, sometimes known as ‘OpAbabil’.
Attacks against Western universities geared towards stealing research were blamed on Iranian entities and Iranian suspects were named in a 2018 US DoJ indictment.
In 2020, Iranian cyber espionage groups also targeted the US presidential election.
More recently, Iranian threat actors have been active in targeting firewall and VPN exploits.
“Automated mass scanning leads to the deployment of webshells,” according to Secureworks. “The threat actor will then use the webshell to manually triage the victim network later and conduct further activity if the target is of interest.”
YOU MIGHT ALSO LIKE ‘Sophisticated threat actor’ targeting Zyxel firewalls and VPNs
