Today when we hear of an Advanced Persistent Threat or a sophisticated threat campaign, we immediately imagine it coming from Russia or China. But in the world of cyber adversaries one country has been consistently growing its dominance & presence, with a special interest in US government, public sector & corporate entities, as well as US allies all over the globe. With prominent threat groups such as BLACKSTURGEON (AKA APT33, Shamoon/Shamoon 2, Rocket Kitten, Elfin), PIPEFISH (APT34, OilRig, Helix Kitten, Chafer) and SKATE (APT35, CopyKittens, Charming Kitten), among others, (allegedly) originating from Iran, they are not far from being a commanding force in cyberspace.
A few days back, tensions around Iran's cyber activity spiked due to the shooting down of an American drone in June 2019. Many prominent news outlets like 'The Telegraph' & 'Al Jazeera' hinted at American retaliation on Iran for the incident via cyber attacks on Iranian military installations, including but not limited to the technology infrastructure responsible for controlling missile & rocket launchers. Given the history, retaliation from Iran was expected, & beyond what has already been seen by the intelligence community, we expect to see more in the coming future.
Here the focus will be on some of the prominent Iranian threat groups, their potential targets and the tactics, techniques and procedures (TTPs) used by these groups, along with recommendations for defending against such attacks that your organisation may face.
Primary Targets:
Iranian threat groups have been known to target the Oil & Gas, Defence, Utilities, Aviation, Government, Telecommunications, Financial Services & Media industries located in or conducting operations in the Middle East. As a CISO / CIO one should focus on assessing the organisation's security posture and the risks associated with such threat campaigns, and establish a response framework for the event of a disruptive cyber-attack.
Over time, Iranian threat actors have mainly targeted organizations with business in the EMEA (Europe, the Middle East and Africa) region, especially in Saudi Arabia, the UAE and other GCC members, along with primary targets such as the US & Israel. There have also been instances where the non-Middle-Eastern assets of organizations doing business in these countries have suffered disruptions: e.g. Shamoon 2, affecting the Italian oil services firm Saipem, disabled its servers in India, Scotland and Italy, as well as in the Middle East. Sabotage of critical infrastructure in the US and other countries is a potential outcome as well. In the past it has been observed that these threat groups have the ability to target businesses based in countries and regions such as:
- The Middle East, including Israel, Syria, Lebanon, Saudi Arabia, Yemen, Kuwait, and Jordan
- US and other oil and gas producers in the Western Hemisphere
- Western and Central Europe, particularly Germany and Austria
- India & South Korea
Various indictments have been released linking Iranian hackers with cyber espionage, data breaches, DDoS, ransomware attacks & false flag operations. E.g. the SamSam ransomware attacks (Alert AA18-337A), which crippled government operations & health-care providers; the DDoS campaign against US financial institutions; unauthorized access to NASA systems; & the Shamoon malware campaign that destroyed data on the computer networks of Saudi Aramco, the world's largest oil company.
Modus Operandi:
Some of the notable Tactics, Techniques & Procedures of the Iranian cyber adversaries are listed below:
- Use of ransomware variants to either directly extort victims or inject cryptocurrency mining tools
- Use of large-scale destructive malware based on time-activation, choosing to activate over holidays and weekends, and at night; decrease in deceptive efforts to hide attribution for destructive attacks
- Reuse and repurposing of malicious code from different threat groups
- Prior heavy reliance on heavily customized and tailored phishing messages sent to targets to maximize engagement and induce targets to click on links or open documents
- The acquisition of Secure Sockets Layer (SSL) certificates that can enable man-in-the-middle (MitM) attacks
Additionally, look out for the following attack vectors:
- Password spraying, spear phishing with macro-enabled documents, watering holes & custom DNS tunnelling for C2 communication
- Use of custom ransomware, backdoors, malware, web shells & off-the-shelf remote administration tools (RATs & Trojans)
- Use of open source exploitation tools (Mimikatz, PsExec, Cobalt Strike), Malicious PowerShell execution, Keyloggers & Data Wipers
- Exploitation of major vendor vulnerabilities (Microsoft, Adobe, Oracle, etc.), especially zero-days and remotely exploitable vulnerabilities with a high impact on confidentiality, integrity & availability.
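The DNS tunnelling vector listed above is worth a concrete detection illustration. The following is an added example, not code from the original article, showing a simple heuristic a defender can run over DNS query logs: group queries by client and registered domain, then flag pairs that show many unique subdomains whose labels look like encoded data (high Shannon entropy or unusually long labels). The sample queries, the `c2-placeholder.net` / `static-placeholder.com` names and the thresholds are constructed for the example; the two-label rule for the registered domain is a simplifying assumption (a real deployment would use the Public Suffix List).

```python
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character of the string; 0.0 for empty or single-character input."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain_part, registered_domain).
    Assumption for this example: the registered domain is the last two labels.
    Real deployments should consult the Public Suffix List (e.g. 'co.uk')."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze_dns(queries, min_unique=5, entropy_threshold=3.5, label_len_threshold=20):
    """Group (client, qname) pairs by (client, registered domain) and score each group.
    A group is suspicious when it has at least min_unique distinct subdomains AND the
    subdomains are either high-entropy on average or contain a very long label,
    which is what encoded tunnel traffic tends to look like."""
    groups = defaultdict(set)
    for client, qname in queries:
        sub, domain = split_name(qname)
        groups[(client, domain)].add(sub)

    findings = []
    for (client, domain), subs in groups.items():
        nonempty = [s for s in subs if s]
        if not nonempty:
            continue
        avg_entropy = sum(shannon_entropy(s) for s in nonempty) / len(nonempty)
        longest = max(len(lbl) for s in nonempty for lbl in s.split("."))
        suspicious = len(nonempty) >= min_unique and (
            avg_entropy >= entropy_threshold or longest >= label_len_threshold
        )
        findings.append({
            "client": client,
            "domain": domain,
            "unique_subdomains": len(nonempty),
            "avg_entropy": round(avg_entropy, 2),
            "longest_label": longest,
            "suspicious": suspicious,
        })
    return findings


def suspicious_pairs(queries, **kw):
    """Convenience wrapper: sorted (client, domain) pairs that were flagged."""
    return sorted((f["client"], f["domain"]) for f in analyze_dns(queries, **kw) if f["suspicious"])


# Constructed sample DNS log: (client_ip, queried_name). Not real traffic.
# The tunnel-like names use rotations of the base32 alphabet to stand in for
# encoded payload chunks; a CDN-style host list shows a benign high-volume case.
_B32 = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_QUERIES = (
    [("10.0.0.5", n) for n in ("www.example.com", "mail.example.com", "cdn.example.com", "www.example.com")]
    + [("10.0.0.9", f"img{i}.static-placeholder.com") for i in range(1, 8)]
    + [("10.0.0.7", f"{_B32[i:]}{_B32[:i]}.t1.c2-placeholder.net") for i in range(6)]
)

if __name__ == "__main__":
    for finding in analyze_dns(SAMPLE_QUERIES):
        print(finding)
    print("flagged:", suspicious_pairs(SAMPLE_QUERIES))
```

Only the `10.0.0.7` / `c2-placeholder.net` group is flagged: the CDN host names are numerous but low-entropy and short, and the `example.com` group never reaches the uniqueness threshold. Tune `min_unique` and the entropy threshold against your own baseline before relying on this in production.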
Mitigation Strategies:
- Perform routine network monitoring activities to identify suspicious internal use of remote protocols (such as RDP) that may indicate adversarial lateral movement.
- Leverage published YARA signatures for the malware families associated with Iranian threat actors to hunt for suspicious activity across endpoints.
- Ensure all applicable network assets are patched for Zero-Day & Critical vulnerabilities.
- Check e-mails for suspicious addresses or content before clicking attachments, particularly purported job offers or resumes.
- Disable Microsoft macros by default and exercise caution when deciding to enable macros, only doing so when truly necessary and only if the origin of the document is known and trusted.
- Employ a very strict user-rights policy for file read and write access for non-administrator users.
- Block or limit the use of or access to the Tor browser and network.
- To limit malicious use of PowerShell, restrict PowerShell execution policy to administrators and restrict the use of the Windows Remote Management (WinRM) Service to prevent remote use of PowerShell.
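Two of the items above (the password-spraying vector in the attack-vector list, and the recommendation to monitor internal RDP use for lateral movement) reduce to the same detection shape: one source touching many distinct targets within a short window. The following added example, which is not code from the original article, implements that "fan-out" detector once and applies it to both cases over constructed log lines: authentication failures (source IP to many accounts) and network flows (one internal host to many internal hosts on TCP/3389). The log formats, IP addresses, account names and thresholds are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log formats for this example (not a real product's format).
AUTH_RE = re.compile(r"^(\S+) AUTH_FAIL user=(\S+) src=(\S+)$")
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) proto=tcp$")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def fanout_alerts(events, window=timedelta(minutes=10), min_targets=8):
    """Generic fan-out detector. events: iterable of (timestamp, source, target).
    For each source, slide a time window over its events and record the largest
    number of distinct targets seen inside any window that reaches min_targets."""
    by_source = defaultdict(list)
    for ts, src, tgt in events:
        by_source[src].append((ts, tgt))

    alerts = {}
    for src, evs in by_source.items():
        evs.sort()
        counts = defaultdict(int)
        left = 0
        for ts, tgt in evs:
            counts[tgt] += 1
            # Drop events that fell out of the window on the left edge.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(counts))
    return alerts


def parse_auth_failures(lines):
    """(timestamp, source IP, account) for each failed logon line."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            events.append((parse_ts(m.group(1)), m.group(3), m.group(2)))
    return events


def parse_rdp_flows(lines):
    """(timestamp, src host, dst host) for internal-to-internal TCP/3389 flows only."""
    events = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        if int(dport) != 3389:
            continue
        if ipaddress.ip_address(src) not in INTERNAL or ipaddress.ip_address(dst) not in INTERNAL:
            continue
        events.append((parse_ts(ts), src, dst))
    return events


def detect_password_spray(lines, **kw):
    """Source IPs that failed logons against many distinct accounts in a window."""
    return fanout_alerts(parse_auth_failures(lines), **kw)


def detect_rdp_fanout(lines, **kw):
    """Internal hosts that opened RDP to many distinct internal hosts in a window."""
    return fanout_alerts(parse_rdp_flows(lines), **kw)


# Constructed sample logs. One external source sprays twelve accounts once each
# (spray), while a single user failing three times is normal (not an alert).
SAMPLE_AUTH_LOG = (
    [f"2019-06-25T09:0{i // 6}:{(i % 6) * 10:02d} AUTH_FAIL user=user{i:02d} src=203.0.113.10" for i in range(12)]
    + ["2019-06-25T09:10:00 AUTH_FAIL user=bob src=198.51.100.4",
       "2019-06-25T09:10:30 AUTH_FAIL user=bob src=198.51.100.4",
       "2019-06-25T09:11:00 AUTH_FAIL user=bob src=198.51.100.4"]
)
# One host RDPs to ten internal hosts in ten minutes (lateral movement pattern);
# another repeatedly reaches one jump host (normal); a non-RDP flow is ignored.
SAMPLE_FLOW_LOG = (
    [f"2019-06-25T22:{i:02d}:00 10.0.0.7 -> 10.0.0.{21 + i}:3389 proto=tcp" for i in range(10)]
    + ["2019-06-25T22:03:00 10.0.0.5 -> 10.0.0.21:3389 proto=tcp",
       "2019-06-25T22:04:00 10.0.0.5 -> 10.0.0.21:3389 proto=tcp",
       "2019-06-25T22:05:00 10.0.0.7 -> 93.184.216.34:443 proto=tcp"]
)

if __name__ == "__main__":
    print("password spray:", detect_password_spray(SAMPLE_AUTH_LOG))
    print("rdp fan-out:", detect_rdp_fanout(SAMPLE_FLOW_LOG))
```

The same `fanout_alerts` routine serves both detections because only the parsers differ; in practice the window and `min_targets` values should be set from a baseline of your own environment, and the RDP parser's internal range would be replaced with your actual address plan.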
Recommendations against Particular TTPs:
The US Department of Homeland Security has provided alerts with recommended measures relevant to Iranian threats:
- Password Spraying – Alert (TA18-086A)
- Avoiding Social Engineering & Phishing Attacks – Security Tip (ST04-014)
- Recovering from Destructive Attacks – Security Tip (ST05-006)
Ransomware Best Practices:
In general, to counter ransomware issues, it’s recommended to maintain regular backups of system data, preferably via a cloud-based solution. Additional recommendations include:
- Ensure that anti-virus products and endpoint solutions are up to date.
- Maintain regular and robust backups of storage devices, servers and end-user computer data.
- In case of infection or detection of malware, immediately disconnect affected systems from the network on which they reside.
- Re-image infected systems whenever possible and restore users’ data from backups.
- Never contact an attacker or pay the ransom.
- Monitor and revoke invalid, abused or otherwise compromised certificates from trust-stores and cert-authorities at the organizational site.
- Consider using obfuscation and deception countermeasures against ransomware that targets specific file extensions, by internally using unique extension types and associating them with the appropriate application.
- Follow industry recommended cybersecurity mitigations and best practices.
Authored by: Dr Aditya Mukherjee