With elevated tensions in the Middle East region, there is significant attention being paid to the potential for cyber attacks emanating from Iran. This threat brief by Palo Alto Networks contains a summary of historical campaigns that are associated with Iranian activity and does not expose any new threat or attack that has occurred since the events of January 3rd, 2020.
Since 2010, Iran is thought to have been highly active in cyber operations campaigns throughout the world. A number of groups and campaigns have been named and published by the private sector, but direct attribution to the nation-state of Iran is still largely lacking in many of these instances. Most attribution published by the private sector has relied on tactical evidence surrounding targeting and possible motivations.
It is important to keep this in mind, while at the same time understanding that without additional evidence, the current attribution set is accepted industry-wide as fact. Unit 42 has not gathered evidence to specifically attribute any of the accepted groups as originating from Iran, but also has not observed any evidence to counter any publicly made claims.
Overview of Iran-Linked Campaigns
Some of the currently active groups or campaigns publicly attributed by the industry as originating from Iran are:
- OilRig, AKA APT34 / Helix Kitten
- MagicHound, AKA APT35 / Newscaster / Cobalt Gypsy
- APT33, AKA Refined Kitten/Elfin
- DarkHydrus
- Shamoon
- MuddyWater, AKA Static Kitten
There appear to be two distinct motivators for these groups: espionage and destruction. The majority of observed attack campaigns have been espionage related, with the associated groups appearing to seek continued access into a target organisation or access to sensitive data. A smaller number of highly focused destructive attacks have been observed over time, beginning with the original Shamoon attack in 2012, with additional iterations years after, and more recently with StoneDrill and ZeroCleare.
Overall, cyber attacks thought to be originating from Iran have been persistent and ongoing for the last decade. The target radius for these groups has spanned the globe and all major industries. Although perceived retaliatory actions may occur in the near future, even those actions are most likely in conjunction with ongoing attack campaigns and operations.
Behaviourally, several tactics and techniques have been observed across multiple groups and campaigns over time. The following is a list of commonly observed tactics and techniques:
- Phishing
- Credential harvesting
- DNS Tunneling
- DNS Hijacking
- EldoS RawDisk driver
- Malicious macros
- Weaponised Excel and Word documents
- Script based backdoors
- Webshell deployment
- Domain masquerading
- Scheduled tasks
- Use of Mimikatz
- Exploitation of enterprise VPN Software
General Mitigations
With this knowledge of common behaviours, some mitigation recommendations are:
- Increase education and awareness against phishing attacks in your organisation via exercises and informational resources
- Enable or implement multi-factor authentication on public facing systems or, preferably, across the entire organisation
- Enable or implement credential theft detection features in network security devices
- Enable or implement anomalous DNS behaviour detection/prevention capability
- Blacklist EldoS RawDisk driver, unless absolutely required for business purposes
- Review security policies for macro documents and restrict execution where possible
- Review security policies for script file execution on endpoints and restrict where possible
- Review all public facing network applications and deploy up-to-date patches
- Enable or implement domain or URL categorisation features in network security devices
- Scan endpoints for new or unknown scheduled tasks
- Implement detection and prevention logic for behaviours associated with Mimikatz
- Patch remotely exposed software for known vulnerabilities as soon as possible
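As an added illustration of the anomalous DNS detection item above (example code written for this brief, not part of the original document or any Palo Alto Networks product), the following Python heuristic flags the long, high-entropy, rarely repeated subdomains that characterise DNS tunneling. The log format, the sample lines, the thresholds and the two-label registered-domain rule are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log ("<client> <qname> <qtype>" per line); the
# tunnel-looking names use the reserved .test TLD and nothing here is real telemetry.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.9 cdn.example.com A
10.0.0.7 a3f9c21e7b4d8e0f1a2b3c4d5e6f7081.data.example-tunnel.test A
10.0.0.7 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e.data.example-tunnel.test A
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.data.example-tunnel.test TXT
10.0.0.7 5a6b7c8d9e0f1a2b3c4d5e6f70819203.data.example-tunnel.test TXT
"""

def shannon_entropy(text):
    """Bits per character; encoded payloads score far above ordinary hostnames."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_qname(qname):
    """(registered_domain, subdomain); assumes the last two labels are the registered domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def analyse(log_text, min_queries=3, len_threshold=30, entropy_threshold=3.0, unique_ratio=0.9):
    """Flag domains whose subdomains are long, high-entropy and almost never reused (assumed thresholds)."""
    per_domain = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0.0, "ent": 0.0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines instead of crashing on them
        domain, sub = split_qname(fields[1])
        rec = per_domain[domain]
        rec["n"] += 1
        rec["subs"].add(sub)
        rec["len"] += len(sub)
        rec["ent"] += shannon_entropy(sub)
    findings = []
    for domain, rec in per_domain.items():
        n = rec["n"]
        if n < min_queries:
            continue
        avg_len, avg_ent, ratio = rec["len"] / n, rec["ent"] / n, len(rec["subs"]) / n
        if avg_len >= len_threshold and avg_ent >= entropy_threshold and ratio >= unique_ratio:
            findings.append({"domain": domain, "queries": n,
                             "avg_subdomain_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return findings
```

Run `analyse(SAMPLE_LOG)` to see the single flagged domain; the ordinary `example.com` lookups stay below the length threshold and are not reported.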
Conclusion
Assuming the highlighted groups are indeed Iranian in origin, their activity has been well documented, and the various groups often use very similar tactics and techniques to execute their attacks, such as the heavy use of spear-phishing and credential harvesting.
This activity has been persistent for the last decade, and it should be expected to continue or increase with recent geopolitical events. However, across all of these groups as well as others that were not highlighted, another consistent theme has been the abuse of poorly implemented IT and security policies.
Enabling multi-factor authentication throughout an organisation, properly segmenting networks, limiting macro-enabled documents, and disallowing network activity to unknown domains are examples of relatively simple policies that could have assisted in the neutralisation of these adversary groups’ malicious actions.