Analysis Of The Iranian Cyber Attack Landscape - IronNet

Known Targets

Telecommunications, IT, Oil and Gas, NGOs, Tourism, and Academia specifically in the Middle East, along with U.S. entities

Sample TTPs

  • Spearphishing as common initial intrusion vector
  • Use and updating of PowerShell backdoor known as POWERSTATS
  • Use of GitHub to store software tools
  • Weaponization of stolen legitimate documents
  • Use of a legitimate file-sharing service (Onehub) to distribute archives containing remote access software (the ScreenConnect remote administration tool and RemoteUtilities), which is then used to deliver malware

Also Known As

Seedworm, TEMP.Zagros, Static Kitten

Charming Kitten

Overview

Charming Kitten is an Iranian cyber espionage group largely known for its targeting of academics, human rights advocates, and members of the international media with a nexus to Iran. Believed to have been active since 2014, the group frequently uses social engineering techniques coupled with evolving technical TTPs to ensnare its victims. Unlike other Iranian cyber actors, Charming Kitten appears to be more focused on gaining information on the specific individuals they target rather than capturing troves of data.

In 2019, the group unsuccessfully targeted email accounts belonging to individuals associated with a U.S. presidential campaign and current and former U.S. government officials.

Recent Activity

While Charming Kitten has continued to target the same demographic groups, its operators have continued to adapt their tactics and attempted to use new communications platforms to interact with their targets. In the summer of 2020, the group was observed using WhatsApp, LinkedIn, and even calling targets directly on the phone in social engineering campaigns.

Charming Kitten actors have continued to attempt to infiltrate U.S. politics, most recently by accessing the accounts of individuals within the Trump administration and presidential campaign staff between May and June of 2020. In October 2020, the group reportedly targeted attendees of the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia, disguising themselves as conference organizers and sending fake PDF invitations with malicious links to over 100 invitees of the conferences. In the age of COVID-19, Charming Kitten has made a marked shift in target and collection priorities, increasingly targeting medical researchers, as in the BadBlood campaign aimed at 25 senior professionals specializing in genetics, neurology, and oncology research in the U.S. and Israel, and a campaign targeting the U.S. pharmaceutical company Gilead, which has garnered international media attention for its research on COVID-19 treatments.

Known Targets

Dissidents, Diplomats, Human rights activists, Media, Medical researchers, Governmental and military entities, and Energy and Telecommunications sectors predominantly within the Middle East (especially Saudi Arabia) and the U.S.

Sample TTPs

  • Spearphishing as common initial intrusion vector
  • Leveraging fake personas and social media platforms to interact with their targets (phishing via SMS, WhatsApp, or social media sites)
  • Frequent impersonation of journalists
  • Watering hole attacks using compromised legitimate websites that are relevant to their targeted victims
  • Impersonation of popular online sites (Google, Microsoft, Yahoo) to harvest user credentials

Also Known As

APT35, Ajax, Phosphorus, Newscaster, Rocket Kitten

Infy

Overview

Discovered in 2016 with activity stretching back to 2007, Infy is an Iranian state-sponsored APT whose targets include government entities and private companies in Europe, as well as civil society, activists and dissidents, and press in Iran. The targets of Infy’s campaigns strongly align with Iran’s “soft war” agenda and internal security policies, with the group’s campaigns, intrusion attempts, and target compromises overlapping with those of other Iranian APTs.

Following a takedown operation conducted by Palo Alto Networks’ Unit 42 (who also initially discovered Infy), Infy operations wound down until 2017 when an evolution of Infy malware called Foudre (French for “lightning”) was detected. Following a period of downtime, it seems the actors behind Infy were able to regroup, fix previous issues, drastically reinforce their technical proficiency and tooling capabilities, and implement stealth techniques and underlying infrastructure to help them avoid detection.

Recent Activity

Infy has become known for attempted attacks against Iranian civil society starting in late 2014, which increased up to the February 2016 Iranian parliamentary election. After the election concluded, the rate of attempted exploits decreased but did not end. When operations aimed at Iranian civil society subsided, the group appeared to shift its focus to external targets. This includes spearphishing attempts aimed at the Ministry of Foreign Affairs (MFA) of Denmark in 2016, which unmasked a possible six-year attack campaign, known as Operation Mermaid, linked to the group.

In 2017, Infy activity was observed through the use of a new malware dubbed Foudre, which has numerous versions that have been detected over the past three years. In early 2020, new versions of Foudre emerged in a new attack campaign that includes some key differences from the older versions. Foudre was joined by a second-stage payload called Tonnerre (French for “thunder”) used for persistence, surveillance, and data exfiltration. Though historically the majority of Infy’s victims have been located within Iran, slowly expanding to external entities that Iran has an espionage interest in, this latest campaign strays from Infy’s usual target groups, with victims of Foudre located in Sweden, the Netherlands, the U.S., along with others across Europe, Iraq, and India.

Known Targets

Iranian civil society, Activists, Dissidents, and Press; Government entities and private companies in multiple regions, including countries across North America, Europe, and the Middle East

Sample TTPs

  • Distribution of specifically crafted malicious documents containing Infy malware through spearphishing attacks
  • Use of keylogger malware with a failover C2 communication system
  • Use of an RSA signature verification routine to confirm the authenticity of a C2 domain before using it
  • Watering hole attacks using compromised legitimate websites that are relevant to their targeted victims

Also Known As

Prince of Persia, Foudre, Operation Mermaid

OilRig

Overview

The OilRig group has been a prolific threat actor within the Middle East for several years. OilRig has primarily targeted Middle Eastern organizations, but has also on occasion targeted those outside the region, including the United States. The group is assessed to be operating on behalf of the Iranian government based on technical indicators and targeting patterns that closely align with Iranian interests.

The group’s tactics have continued to evolve over time. OilRig has used a combination of proprietary malware, customized versions of publicly available hack tools, and “off the shelf” software. Social engineering has featured prominently in many of their campaigns, with the group leveraging social media platforms and masquerading as Western universities on multiple occasions.

OilRig has been known to utilize LinkedIn and to impersonate legitimate institutions, like Cambridge University, to deliver malicious ‘job opportunity’ documents, such as in its DNSpionage campaign aimed at Middle Eastern government entities and private companies in 2018 and its HardPass operation (TONEDEAF) targeting government, energy and utilities, and oil and gas sectors in 2019. Since the leak of OilRig’s tools in 2019, the group has been actively updating their payload arsenal and retooling to avoid detection, creating multiple different malware variants with the same purpose as always: to gain an initial foothold on targeted devices.

While reusing old techniques and maintaining its modus operandi, OilRig continues to build new and updated malware in an effort to minimize detection. The group shows no signs of slowing down, using offensive cyber operations to further promote its political agenda in the Middle East, with an ongoing focus on Lebanon.

Recent Activity

Spring 2020 witnessed OilRig incorporate new tactics into their operations, with researchers noting the use of both the DNS-over-HTTPS protocol and email attachments containing steganography for covert communication channels. Telecommunications companies have been among the group's recent targets, which falls in line with the group’s historical focus on espionage enablement.

The group’s malware toolset has continued to evolve; a modified version of the TONEDEAF backdoor was used in early 2020 during a campaign imitating a U.S. professional services company known to contract with the U.S. government. 2020 also saw OilRig linked to another destructive wiper malware dubbed ZeroCleare, which was used in an attack against organizations within the energy and industrial sectors in the Middle East.

Most recently, OilRig employed a new backdoor variant — dubbed SideTwist — against what appears to be a Lebanese target in a campaign discovered by researchers at Check Point in April 2021. In this latest campaign, OilRig again used job opportunity documents as its initial intrusion vector, similar to its previous operations; the documents carry malicious macros that execute the payload, establish persistence, and communicate over DNS tunneling. The second-stage payload, SideTwist, has not been seen before in OilRig operations, though its functionality, which includes download, upload, and shell command execution, is similar to other backdoors the group has employed in past campaigns (e.g. DNSpionage and TONEDEAF).

Known Targets

Government agencies, Financial institutions, and Public utilities, as well as Energy, Telecommunications, and Oil and Gas sectors primarily in the Middle East (especially Lebanon and the UAE)

Sample TTPs

  • Use of malicious job opportunity documents as lures to deliver malware (often using social media as an initial delivery mechanism)
  • Spearphishing and social engineering
  • DNS exfiltration, using both custom-built and open-source software tools
  • Extensive use of DNS tunneling for command and control (C2)
  • Email-based C2 using Exchange Web Services and steganography to insert data and commands into image files attached to emails
  • Credential harvesting and use of compromised accounts
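The DNS tunneling described above leaves a recognizable pattern in resolver logs: many queries from one client to one zone, with long, high-entropy subdomains carrying the encoded data and a bias toward record types that hold larger payloads (TXT, NULL, CNAME). The heuristic detector below is an added example, not IronNet's or any vendor's code; the log format, the sample lines, the naive two-label zone split (no public suffix list) and the thresholds are constructed assumptions for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (assumed format: "<epoch> <client_ip> <qtype> <qname>").
# 10.0.0.5 browses normally (short labels, ordinary record types); 10.0.0.7 shows
# tunnel-like traffic to one zone: long, high-entropy subdomains, mostly TXT lookups.
SAMPLE_LOG = """\
1617000000 10.0.0.5 A www.example.com
1617000003 10.0.0.5 A mail.example.com
1617000009 10.0.0.5 AAAA cdn.example.com
1617000012 10.0.0.5 A static.example.com
1617000015 10.0.0.5 A api.example.com
1617000001 10.0.0.7 TXT 4f9a1c2b3e7d5a6f8c0b1d2e3f4a5b6c.7d8e9f0a1b2c3d4e.updates-cdn.test
1617000002 10.0.0.7 TXT 5a0b2d3c4f8e6b7a9d1c2e3f4a5b6c7d.8e9f0a1b2c3d4e5f.updates-cdn.test
1617000003 10.0.0.7 TXT 6b1c3e4d5a9f7c8b0e2d3f4a5b6c7d8e.9f0a1b2c3d4e5f60.updates-cdn.test
1617000004 10.0.0.7 TXT 7c2d4f5e6b0a8d9c1f3e4a5b6c7d8e9f.0a1b2c3d4e5f6071.updates-cdn.test
1617000005 10.0.0.7 A 8d3e5a6f7c1b9e0d2a4f5b6c7d8e9f0a.1b2c3d4e5f607182.updates-cdn.test
1617000006 10.0.0.7 TXT 9e4f6b7a8d2c0f1e3b5a6c7d8e9f0a1b.2c3d4e5f60718293.updates-cdn.test
"""

TUNNEL_QTYPES = {"TXT", "NULL", "CNAME"}  # record types that carry the most payload per query


def shannon_entropy(s):
    """Bits per character: random hex tops out near 4.0, hostnames like 'mail' near 2.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_zone(qname):
    """Naive registered-domain split (assumption: the last two labels are the zone).
    Returns (subdomain payload with dots removed, zone)."""
    labels = qname.lower().rstrip(".").split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnels(log_text, min_queries=5, min_avg_len=30, min_entropy=3.0):
    """Return {(client, zone): stats} for pairs whose query pattern looks like tunneling."""
    stats = defaultdict(lambda: [0, 0, 0.0, 0])  # queries, payload chars, entropy sum, tunnel-type queries
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        _, client, qtype, qname = parts
        payload, zone = split_zone(qname)
        s = stats[(client, zone)]
        s[0] += 1
        s[1] += len(payload)
        s[2] += shannon_entropy(payload)
        s[3] += qtype.upper() in TUNNEL_QTYPES
    alerts = {}
    for key, (n, chars, ent, tun) in stats.items():
        avg_len, avg_ent = chars / n, ent / n
        # Volume alone is not suspicious (CDNs are chatty); volume combined with
        # long or high-entropy labels is the tunneling signature.
        if n >= min_queries and (avg_len >= min_avg_len or avg_ent >= min_entropy):
            alerts[key] = {"queries": n, "avg_subdomain_len": avg_len,
                           "avg_entropy": round(avg_ent, 2), "tunnel_qtype_fraction": tun / n}
    return alerts


if __name__ == "__main__":
    for (client, zone), info in find_tunnels(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {client} -> {zone} {info}")
```

Tune the thresholds against a baseline of your own resolver logs; legitimate anti-virus and CDN lookups can produce long labels, so the zone-level allowlisting you add around this will matter as much as the heuristics.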

Also Known As

APT34, GreenBug, Helix Kitten, IRN2, ITG13

APT33

Overview

APT33 has been operating since at least 2013, targeting Iranian adversaries in the commercial and governmental sectors in Saudi Arabia and the United States, among others, in several attack campaigns. The group has been observed using both advanced custom malware and publicly available hacking tools to target sectors such as aviation and petrochemical production. Often conducting multi-staged attacks using weaponized documents, domains resembling legitimate business services, and PowerShell backdoors, APT33 has strong links to Iranian government entities based on the group’s selection of targets and technical indicators that link its online persona to an Iranian cyber institute.

In 2018, researchers at McAfee asserted that APT33 (or a group masquerading as them) was likely responsible for the 2012, 2016, and 2018 Shamoon attacks, as the TTPs used during the multiple waves of attacks closely match domains and tools commonly used by APT33. Notably, APT33 has been linked to destructive wiper malware more than once. The extremely destructive Shamoon malware, which is designed to wipe victim systems by overwriting their data with garbage, overlaps with the Stonedrill/SHAPESHIFT wiper, which was also used in 2016 to target organizations in Saudi Arabia.

Recent Activity

In late 2019, researchers at TrendMicro detailed activity attributed to APT33 in which the group established very narrowly targeted botnets to exploit their intended victims. This campaign appeared to follow previous APT33 patterns, as victims included U.S. private companies and universities, U.K. and European oil companies, and several victims in the Middle East and Asia. The campaign included phishing emails designed to impersonate known aviation, oil, and gas companies, which likely served as an initial infection vector. The APT33 actors also went to great lengths to obfuscate their infrastructure, using a series of bot controllers, VPNs, and cloud-hosted proxies to hide their activities.

Though not many large-scale attacks have been attributed to APT33 in 2020-2021, the cybersecurity company HYAS has observed typical APT33 domain registrations continuing in 2020 and has identified a number of domains that were registered using TTPs that had been previously associated with APT33, indicating that the group may still be active in its operations.

Known Targets

Aviation, Manufacturing and Engineering, Energy, and Petrochemical sectors in the United States, Saudi Arabia, and South Korea

Sample TTPs

  • Spearphishing as a frequent initial intrusion vector
  • Brute-force and password-spraying attacks
  • Use of destructive drive-wiping malware
  • Leveraging botnets, private VPNs, and cloud-hosted proxies to enhance obfuscation and operational security
  • Multi-staged attacks using weaponized documents, known productivity software vulnerabilities, and PowerShell backdoors, often launched from domains resembling legitimate business services
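Password spraying and brute force, both listed above, look different in authentication logs: a spray spreads one or two attempts across many accounts to stay under per-account lockout thresholds, while brute force piles many attempts onto one account. The sliding-window classifier below is an added example, not IronNet's code; the log format, the sample lines, the window size and the thresholds are constructed assumptions for this example, and a success from an already-flagged source is surfaced separately because that is the event worth escalating.

```python
from collections import Counter, defaultdict, deque

# Constructed authentication log (assumed format: "<epoch> <src_ip> <user> <FAIL|SUCCESS>").
# 203.0.113.9 tries one password against many accounts (spray) and lands one;
# 198.51.100.4 hammers a single account (brute force); 10.0.0.12 is a user who mistyped once.
SAMPLE_AUTH_LOG = """\
1617000000 203.0.113.9 alice FAIL
1617000010 203.0.113.9 bob FAIL
1617000020 203.0.113.9 carol FAIL
1617000030 203.0.113.9 dave FAIL
1617000040 203.0.113.9 erin FAIL
1617000050 203.0.113.9 frank FAIL
1617000060 203.0.113.9 grace FAIL
1617000070 203.0.113.9 heidi SUCCESS
1617000005 198.51.100.4 admin FAIL
1617000006 198.51.100.4 admin FAIL
1617000007 198.51.100.4 admin FAIL
1617000008 198.51.100.4 admin FAIL
1617000009 198.51.100.4 admin FAIL
1617000010 198.51.100.4 admin FAIL
1617000011 198.51.100.4 admin FAIL
1617000012 198.51.100.4 admin FAIL
1617000013 198.51.100.4 admin FAIL
1617000014 198.51.100.4 admin FAIL
1617000100 10.0.0.12 alice FAIL
1617000130 10.0.0.12 alice SUCCESS
"""


def parse_auth_log(text):
    """Parse log lines into (epoch, src, user, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, src, user, result = parts
            events.append((int(ts), src, user, result.upper()))
    return sorted(events)


def detect_auth_anomalies(text, window=600, spray_min_users=5, spray_max_per_user=2, brute_min_attempts=8):
    """Classify each source IP by the shape of its failures inside a sliding time window."""
    recent = defaultdict(deque)  # src -> failures (ts, user) still inside the window
    alerts = {}
    for ts, src, user, result in parse_auth_log(text):
        fails = recent[src]
        while fails and ts - fails[0][0] > window:
            fails.popleft()  # expire failures older than the window
        if result == "SUCCESS":
            if src in alerts:  # a login from a flagged source is the high-priority event
                alerts[src]["successes"].append(user)
            continue
        fails.append((ts, user))
        per_user = Counter(u for _, u in fails)
        distinct, worst = len(per_user), max(per_user.values())
        if distinct >= spray_min_users and worst <= spray_max_per_user:
            kind = "password_spray"  # many accounts, few attempts each
        elif worst >= brute_min_attempts:
            kind = "brute_force"     # one account, many attempts
        else:
            continue
        entry = alerts.setdefault(src, {"type": kind, "successes": []})
        entry.update(type=kind, distinct_users=distinct, max_per_user=worst)
    return alerts


if __name__ == "__main__":
    for src, info in detect_auth_anomalies(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info}")
```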

Also Known As

Elfin, Magnallium, Holmium, and Refined Kitten

Chafer

Overview

Active since at least 2015 and particularly busy in 2017, Chafer is an Iran-linked threat group that has predominantly focused on the theft of data and personal information from targets across multiple sectors and nations in the Middle East, as well as in the U.S. Chafer’s focus on the travel and telecommunications industries suggests that the group’s intent may be to perform tracking and surveillance of end users, to collect proprietary or customer data for Iranian national interests, or to establish initial access and vectors for follow-on operations. The group’s targeting of government entities also suggests a possible secondary intent to collect geopolitical information that may benefit Iranian decision-making.

In early attacks, Chafer operators were observed obtaining initial access via SQL injection attacks against internet-facing web servers. However, more recent campaigns document the use of spearphishing emails with malicious attachments, such as Excel files. Historically, the group’s C2 domains have masqueraded as legitimate Windows update service domains.

Multiple researchers have noted potential overlaps with OilRig, both in terms of shared C2 IPs and code overlaps. As is the case with many of the groups detailed here, such overlap amongst campaigns is likely inevitable, as the individuals behind them may share information, infrastructure, or intelligence requirements over time.

Recent Activity

In the spring of 2020, researchers at Bitdefender identified campaigns perpetrated by Chafer that targeted air transportation and government entities in Saudi Arabia and Kuwait during 2018 and 2019. These campaigns appear to fall very much in line with previously reported Chafer activity — both in terms of the countries and sectors targeted and the continued interest in gathering intelligence and surveillance data on historic Iranian adversaries.

In September 2020, the U.S. Department of the Treasury announced sanctions against Chafer, 45 associated Iranian nationals, and a front company named Rana Intelligence Computing Company based on links to the Iranian Ministry of Intelligence and Security (MOIS). The Treasury Department specifically tied these sanctions to malicious campaigns conducted by Chafer targeting “Iranian dissidents, journalists, and international companies in the travel sector.” The U.S. FBI also released a technical alert around the same time detailing a variety of malware known to be used by the group.

Known Targets

Telecommunications, Aviation, IT, and Travel sectors, as well as Government entities, across several regions with a concentration on the Middle East

Sample TTPs

  • Spearphishing using malicious hyperlinks or attachments
  • Leveraging of domains resembling legitimate web services and businesses relevant to intended target
  • SQL injection attacks via front-end web servers
  • Use of custom backdoors (Remexi) combined with publicly available software tools
  • Exploitation of targets’ vulnerable web servers to install webshells (such as ASPXSPY and ANTAK) and use of stolen legitimate credentials to compromise externally facing OWA (Outlook Web Access) resources

Also Known As

APT39, Remix Kitten

Pioneer Kitten

Overview

Active since at least 2017, Pioneer Kitten is an Iranian-linked APT focused primarily on gaining and maintaining access to entities with sensitive data of intelligence interest to Iran. The group’s modus operandi is characterized by reliance on exploits of virtual private networks (VPN) and remote external services on internet-facing web servers as well as a near-complete dependence on open-source tooling for operations. Pioneer Kitten employs an opportunistic model and has been known to target North American and Israeli entities in the sectors of technology, government and defense, health care, aviation, finance, and telecommunications. In July 2020, Pioneer Kitten was found advertising access to compromised networks on an underground forum — possibly in an attempt at revenue stream diversification to support its targeted intrusions.

Recent Activity

Between late 2019 and summer 2020, multiple sources described intrusion activity attributed to Iranian state-sponsored cyber operators who were leveraging recently publicized vulnerabilities in popular VPN services such as Pulse Secure, Fortinet, and Palo Alto's GlobalProtect. Researchers at ClearSky released a report on these operations in early 2020, stating that this campaign, dubbed Fox Kitten, has likely been active since 2017 and noting it to be “among Iran’s most continuous and comprehensive campaigns revealed until now.” The campaign’s victims span a wide range of countries and industries, including the IT, telecommunications, oil and gas, aviation, government, and security sectors. The Fox Kitten campaign’s infrastructure overlaps with the activity of several Iranian threat groups (APT33/Elfin, APT34/OilRig, and APT39/Chafer), and the campaign appears focused on establishing initial footholds within victim networks, frequently relying on SSH tunneling to maintain persistence within those networks.

In September 2020, CISA and the FBI corroborated these findings, releasing a technical alert attributing the successful exploitation of VPN infrastructure to the group and mapping the group’s tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework. While not explicitly naming the ties to Pioneer Kitten, CISA had released an earlier alert in July 2020 warning of the ongoing exploitation of vulnerabilities within F5 BIG-IP infrastructure, another TTP that has been used by the group.

Known Targets

IT, Telecommunications, Healthcare, Financial, Media, Oil and Gas, Aviation, Government, and Security sectors in the Middle East and United States

Sample TTPs

  • Exploitation of VPNs and other network appliances
  • Use of SSH tunneling to facilitate RDP (Remote Desktop Protocol) access to victims
  • Use of custom, open-source, and legitimate native software tools
  • Sale of access to compromised systems and networks on underground forums

Also Known As

Fox Kitten, PARISITE [sic], UNC757

Final thoughts about Iranian cyber attack landscape

The past decade has seen the Iranian government demonstrate a strong willingness to use the cyber realm as a weapon for retaliation, rapidly adopting cyberspace operations as a primary tool of national power for intelligence collection and espionage. The number of Iranian cyber attack campaigns documented by the cybersecurity community in just the past two years illustrates the significant volume of operations being carried out at the direction of the regime’s political and military leadership, which is particularly notable given the likelihood that additional, ongoing intrusions have not yet been detected or documented in the public sphere.

As is almost always the case when discussing state-sponsored threats, the enterprises being victimized by Iranian hackers often lack the tools and information to systematically and effectively counter these adversaries. The growth in volume and sophistication exhibited by Iranian cyber operators suggests that the threat from these groups is continuing to accelerate. Iran’s latest partnerships with Russia and China may well lead to improved offensive and defensive cyber capabilities for Iran, and countering such threats calls for new and innovative forms of defense.

There is a greater need for the U.S. and its allies to share vulnerabilities and threats with each other and vendors to collectively defend against increasingly sophisticated cyber attacks. IronNet’s revolutionary Collective Defense approach enables nations and enterprises to defend against emerging threats in real-time as a unified front, more effectively addressing advanced cybersecurity threats on a more holistic, global level. Cyber attacks are oftentimes not isolated incidents, and nation-state threat actors frequently target communities with the same pattern of behavior, escalating an attack through the phases of the Cyber Kill Chain. As the nations who most often target U.S. entities in cyberattacks collaborate to improve their capabilities, IronNet’s Collective Defense approach and state-of-the-art IronDome — designed to send automated alerts of malicious events to the community at a speed faster than human communications — are becoming increasingly necessary to detect large-scale attacks (e.g. SolarWinds) and to prevent hacking tools from being repurposed against multiple targets.
