In mid-summer of 2022, Albania accused the Iranian government of targeting them with a series of major cyberattacks. The attacks, which targeted government servers and online portals, raised alarms about the increasing expertise and audacity of Iranian-sponsored advanced persistent threat (APT) actors. Although many specifics about the attacks are still unknown, the FBI and other international observers believe that the Iranian government first breached the networks of the Albanian government by using phishing emails and malware as early as 14 months before launching the full attack. After gaining access, the attackers were able to penetrate deeper into the systems to obtain sensitive information and cause disruption to government operations.

Unlike ordinary threat actors, who tend to opportunistically target any organization with vulnerabilities they can exploit, APT actors carry out sustained cyber attacks against a specific organization or target. They are usually better funded, more patient, and more persistent than other types of attackers, and they have a specific political goal in mind.

Iran's Cyber Ambitions

This was not the first time that Iranian-sponsored APT actors had been accused of carrying out cyberattacks against foreign governments. They have previously been connected to similar attacks against the US, Saudi Arabia, and Israel, among other countries. They have also been observed conducting cyber espionage and other malicious operations against a range of government and private-sector organizations in telecommunications, national defense, local government, and oil and natural gas.

The cyber attack on Albania illustrates a growing trend among hostile nation-states, and Iran in particular, of using cyberattacks as a strategic weapon against their declared enemies. What characterizes Iran's cyber capabilities is that, although they have not yet reached the level of sophistication of some other major offensive nations, they are sufficient to inflict real harm on adversaries. Iranian cyber threat actors are continually expanding their arsenal of means and methods, and their attacks are clearly aimed at causing tangible damage.

Using Cyber Warfare To Increase Regional Political Dominance

Iran's state-sponsored cyber activities are primarily driven by its international political objectives. In this regard, Iran has three main strategic objectives:

Maintaining the stability of the regime - By surveilling almost all incoming internet traffic and censoring a wide range of websites, Iran aims to keep a close watch on domestic and foreign political opponents.

Increasing regional influence - Iran has long used military and paramilitary groups in other countries as proxies to advance its military objectives. Since the invention of nuclear weapons made direct military conflict between major powers too risky, Iran has used groups such as Hezbollah and the Houthis to strengthen its regional power while avoiding direct engagement. Cyber attacks are becoming another means of accomplishing the same goals.

Modernizing its key sectors - Iran has an arsenal of APTs at its disposal that carry out economic espionage operations to obtain foreign technologies and knowledge. Furthermore, Iran conducts espionage operations focused on gathering strategic intelligence from foreign governmental, military, scientific and economic institutions that can benefit the Iranian government.

Iranian APT Groups

A number of different APT groups have been labeled as nation-state actors working on behalf of Iran. These groups have been identified by cyber forensic experts who found similarities in the groups' methods of attack, targeted industries, reused code, and other elements. Many have not identified themselves or claimed direct credit for their attacks.

Below is an outline of some of the top suspected Iranian threat actors and the threat they pose to OT.

APT33 - Refined Kitten

Refined Kitten (also known as Elfin, Magnalium, Holmium) was the first Iranian threat actor group to be identified. Its focus is on the oil & gas and aviation industries, with the goal of interrupting supply chains. This group often uses spear phishing emails as its initial way into a system.

  • Active since: 2013
  • Targets: Multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.
  • Tools used: Empire, Mimikatz, LaZagne

APT34 - OilRig

OilRig (also known as Helix Kitten and Cobalt Gypsy) breached Jordanian government servers in 2022 using a macro delivered in an Excel spreadsheet that created a backdoor into the network.

  • Active since: 2014
  • Targets: The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications.
  • Tools used: Net, Mimikatz, LaZagne, netstat, PsExec

APT35 - Charming Kitten

Charming Kitten (aka Phosphorus) was one of the first APT groups to exploit the Log4j vulnerability in attacks targeting institutions in the Middle East. It also used a relatively new tool called Hyperscrape to extract victims' emails from their inboxes.

  • Active since: 2014
  • Targets: The group has targeted multiple industries, such as military, government, media, energy, defense, engineering, and telecommunications.
  • Tools used: Mimikatz

APT39 - Remix Kitten

Remix Kitten (aka Chafer) frequently targets the travel and hospitality industries. In 2020, the United States government sanctioned the Rana Intelligence Computing Company, which it said was a front for APT39.

  • Active since: 2014
  • Targets: The travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.
  • Tools used: Mimikatz, PsExec, CrackMapExec

Fox Kitten

Fox Kitten is believed to be a meta-APT made up of Refined Kitten and OilRig working together to target multiple industrial sectors by exploiting VPN vulnerabilities.

  • Active since: 2017
  • Targets: The group has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.
  • Tools used: PsExec

Static Kitten

Static Kitten (aka Muddy Water) has recently been observed using a malware strain called PowGoop, delivered as a .zip file, to penetrate a wide range of organizations and sectors.

  • Active since: 2017
  • Targets: The group has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors.
  • Tools used: CrackMapExec, Empire, LaZagne, Mimikatz

Tools and Techniques Most Commonly Used By Iranian APTs

Tools:

  1. Mimikatz – Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords from memory.
  2. Net – The Net utility is a component of the Windows operating system that an adversary can use for tasks such as gathering system and network information for discovery, moving laterally through SMB/Windows admin shares, and interacting with services.
  3. PsExec – PsExec is a tool that can be used to execute a program on another computer. It is used by IT administrators and attackers alike.
  4. Empire – Empire is a post-exploitation framework and was one of five tools singled out in a joint government report on publicly available hacking tools widely used by adversaries.
  5. LaZagne – LaZagne is an open-source post-exploitation tool used to recover passwords stored on a system.
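
The tools above leave host-level traces that a defender can alert on. The following is an added example, not SCADAfence code, that applies simple detection rules for PsExec, Mimikatz-style LSASS access, Net discovery commands and LaZagne to constructed Sysmon/System-log style events; the field names and access masks are assumptions based on common Sysmon conventions.

```python
"""Host detection rules for the Iranian-APT tooling listed above.

Added example (not SCADAfence code). Events are constructed samples
loosely shaped like Sysmon Event 1 (process create), Sysmon Event 10
(process access) and System Event 7045 (service installed).
"""
import re

# Constructed sample events: the first five should fire, the last should not.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Domain Admins" /domain'},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fileserver\ipc$"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\ops\tmp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\tools\laZagne.exe",
     "CommandLine": "laZagne.exe all"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
]

# Net subcommands used for discovery and admin-share lateral movement.
NET_DISCOVERY = re.compile(
    r"^net1?(?:\.exe)?\s+(view|group|user|localgroup|use|share)\b", re.I)
# Access masks commonly requested on lsass.exe by credential dumpers
# (assumption: tune to your own baseline, legitimate AV may use some).
LSASS_READ_MASKS = {"0x1010", "0x1038", "0x1410", "0x1fffff"}


def classify(event):
    """Return the name of the rule an event matches, or None."""
    eid = event.get("EventID")
    if eid == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
        return "psexec_service_install"
    if (eid == 10
            and event.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and event.get("GrantedAccess", "").lower() in LSASS_READ_MASKS):
        return "lsass_access_credential_dump"
    if eid == 1:
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("\\net.exe") and NET_DISCOVERY.search(cmd):
            return "net_discovery_or_lateral"
        if "lazagne" in image or "lazagne" in cmd.lower():
            return "lazagne_execution"
    return None


def scan(events):
    """Return (index, rule) pairs for every event that matches a rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]
```

In production these rules would be fed from a SIEM or EDR pipeline and whitelisted against known administrative use of PsExec and Net.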

Exploited Vulnerabilities:

  1. Log4Shell – Iranian APTs were observed exploiting Log4Shell, a zero-day vulnerability in Log4j, a popular Java logging framework, that allows arbitrary code execution.
  2. ProxyShell and ProxyLogon – these Microsoft Exchange Server vulnerabilities were exploited for initial access as part of the attack chain carried out by Iranian APTs.
  3. Fortinet FortiOS – these vulnerabilities were also exploited for initial access.

SCADAfence Recommends

SCADAfence's security research team is constantly tracking international cyber events and incidents, analyzing them, and enhancing the SCADAfence platform to ensure it is able to detect similar events.

  • The SCADAfence Platform detects the use of SMB, RDP, FTP, LDAP, HTTP, HTTPS, and WMI, used by Iranian APT groups for spreading across the network.
  • The Platform also detects tools, techniques and malware used by Iranian APTs, such as Metasploit modules, Remote Services, Remote Scheduled Tasks, OS Credential Dumping (Mimikatz), BITSAdmin and SMB brute force.
  • The Platform provides an up-to-date reputation service to track malicious files, IPs and domains associated with Iranian APTs and malware.

To see the SCADAfence Platform in action for yourself, request a demo.