The escalation of tensions with Iran over the past few days is creating an increased threat of cyber-attacks. Iran has developed a very sophisticated and active cyber-warfare capability.
Iranian cyber operations are structured using a tiered model: ideologically and politically trusted brokers gather intelligence priorities from the Iranian Government and break the jobs into segmented tasks that are then bid out to multiple contractors for execution. According to Insikt Group, drawing on their source's conversations with other hackers in Iran, an estimated 50 or more contractors vie for Iranian government-sponsored offensive cyber projects. Only the best individuals or teams succeed, are paid, and remain in business.
Among the Iranian groups tracked as Advanced Persistent Threats (APTs), three stand out: APT33, APT34 and APT39. They develop custom malware and target data exfiltration from strategic intelligence targets such as military contractors, energy companies and university networks.
FireEye has conducted extensive research on these threat actors, and below are their profiles of each of the three primary Iranian APTs.
APT33
Suspected attribution: Iran
Target sectors: Aerospace, energy
Overview: APT33 has targeted organizations, spanning multiple industries, headquartered in the U.S., Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
Associated malware: SHAPESHIFT, DROPSHOT, TURNEDUP, NANOCORE, NETWIRE, ALFA Shell
Attack vectors: APT33 sent spear-phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment themed lures and contained links to malicious HTML application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals.
APT34
Suspected attribution: Iran
Target sectors: This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East.
Overview: FireEye believes APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. FireEye assesses that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.
Associated malware: POWBAT, POWRUNER, BONDUPDATER
Attack vectors: In its latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.
APT39
Suspected attribution: Iran
Target sectors: While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.
Overview: The group's focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or create additional accesses and vectors to facilitate future campaigns. Government entities targeting suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making.
Associated malware: The group primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor.
Attack vectors: For initial compromise FireEye Intelligence has observed APT39 leverage spearphishing with malicious attachments and/or hyperlinks typically resulting in a POWBAT infection. In some cases previously compromised email accounts have also been leveraged, likely to abuse inherent trusts and increase the chances of a successful attack. APT39 frequently registers and leverages domains that masquerade as legitimate web services and organizations that are relevant to the intended target. Furthermore, this group has routinely identified and exploited vulnerable web servers of targeted organizations to install web shells, such as ANTAK and ASPXSPY, and used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources. FireEye has not observed APT39 exploit vulnerabilities.
While these are not the only attack vectors and methods, they are the groups' common TTPs (Tactics, Techniques and Procedures). The MITRE ATT&CK site has detailed information on their TTPs and the specifics of their attacks (https://attack.mitre.org/groups/).
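The three profiles above share a useful property for defenders: each initial-access technique leaves a distinctive parent/child process relationship on the endpoint. APT33's .hta lures execute through mshta.exe launched by a user application; CVE-2017-11882 is a flaw in the Office Equation Editor (eqnedt32.exe), a process that never legitimately spawns children; and the ANTAK/ASPXSPY web shells APT39 drops run commands from the IIS worker process w3wp.exe. The following is an added example written for this page (not code from the original page, from FireEye, or from any vendor) that turns those relationships into checks over constructed process-creation records. The field names on ProcessEvent mirror a Sysmon "process create" event but are this example's own, and the sample events are constructed, not real telemetry.

```python
"""Process-creation checks for the initial-access techniques profiled above.

Added example, not code from the original page or from FireEye. Event fields
mirror a Sysmon "process create" record, but the names are this example's own.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the process that was created
    command_line: str   # command line of the created process


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
USER_LAUNCHERS = OFFICE_APPS | BROWSERS | {"explorer.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a finding label for one process-creation event, or None if it looks benign."""
    parent, child = _base(ev.parent_image), _base(ev.image)
    cmd = ev.command_line.lower()
    # APT33-style .hta lure: mshta.exe started by the mail client, browser or Explorer
    if child == "mshta.exe" and parent in USER_LAUNCHERS and (".hta" in cmd or "http" in cmd):
        return "hta_lure"
    # CVE-2017-11882 lives in the Equation Editor; eqnedt32.exe has no reason to spawn anything
    if parent == "eqnedt32.exe":
        return "equation_editor_child"
    # ANTAK/ASPXSPY-style web shells run their commands from the IIS worker process
    if parent == "w3wp.exe" and child in SCRIPT_HOSTS:
        return "webshell_command"
    # Generic follow-on: an Office application spawning a script host (macro or exploit)
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return "office_spawned_script_host"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (index, label) for every event that classify() flags."""
    findings = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            findings.append((i, label))
    return findings


# Constructed sample events (not real telemetry); paths are typical but hypothetical.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r'"C:\Windows\System32\mshta.exe" "C:\Users\jdoe\Downloads\Job_Description.hta"'),
    # Word embedding an equation object: a legitimate eqnedt32.exe launch, must not fire
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcessEvent(r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c powershell -w hidden -enc <base64 payload>"),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "whoami"'),
    # ASP.NET compiling a page: a legitimate child of w3wp.exe, must not fire
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 r"csc.exe /noconfig /fullpaths @options.rsp"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"chrome.exe https://example.com/"),
]

if __name__ == "__main__":
    for i, label in scan(SAMPLE_EVENTS):
        print(f"event {i}: {label}: {SAMPLE_EVENTS[i].command_line}")
```

To run this against real data, map Sysmon Event ID 1 fields ParentImage, Image and CommandLine onto ProcessEvent. The two benign events are there on purpose: Word legitimately launches the Equation Editor, and IIS legitimately launches the C# compiler, so the rules key on what eqnedt32.exe and w3wp.exe spawn rather than on the executables themselves. Expect to tune SCRIPT_HOSTS against your own baseline before alerting on the generic Office rule.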
What should you be doing?
While you may not be a direct target of an Iranian attack, your organization may still be vulnerable, and if you have unaddressed security weaknesses it may be used as a stepping stone in an attack on other organizations. Below are some activities that should be a focus during this time of heightened risk.
Communications and Education
Because many of these attacks start with phishing, it is important to communicate to your users that a higher than normal level of awareness is required. Continue to educate your users on the importance of being cyber aware and on reporting any suspicious behavior as soon as they see it.
Stay diligent in patching any exploitable system vulnerabilities, regardless of their perceived risk level. The Iranian attackers are very skilled and can exploit vulnerabilities that less capable threat actors cannot.
Increase your normal levels of monitoring during this period to look for anomalies. These monitoring activities should include:
· Abnormal traffic patterns
· Abnormal logins or login failures
· Increased malware activity
· Increased activity against specific servers or devices (e.g. a port scan or sweep against a specific port)
· Abnormal access to or from foreign sites
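Two items on that list, abnormal logins or login failures and port scans against specific servers, can be checked mechanically once the logs are in hand. The following is an added example written for this page (not code from the original page) that runs sliding-window checks over constructed authentication and connection logs: a burst of failed logins from one source, split heuristically into password spraying (many accounts, as seen against OWA) and brute force (one account), a port scan (one source touching many ports on one host), and a port sweep (one source touching one port on many hosts). The two log line formats, the thresholds and the sample data are this example's own assumptions; real sources such as Windows 4625 events or firewall and NetFlow exports need their own parsers feeding the same (timestamp, value) tuples.

```python
"""Sliding-window anomaly checks over constructed auth and connection logs.

Added example, not from the original page. The line formats, thresholds and
sample data below are this example's own assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line formats (assumptions of this example, not a vendor schema).
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def _window_stats(events, window):
    """For (timestamp, value) events, yield (events_in_window, distinct_values)
    for the window of length `window` that ends at each event (two-pointer scan)."""
    events = sorted(events)
    j = 0
    for i, (ts, _) in enumerate(events):
        while ts - events[j][0] > window:
            j += 1
        span = events[j:i + 1]
        yield len(span), len({v for _, v in span})


def flag_failed_logins(lines, window=timedelta(minutes=10), min_failures=5):
    """Sources whose failed logins inside any `window` reach `min_failures`.
    Heuristic: more than two distinct accounts from one source looks like a
    password spray; otherwise it is treated as brute force against one account."""
    per_src = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if m and m["result"] == "failure":
            per_src[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    out = {}
    for src, evs in per_src.items():
        failures, users = max(_window_stats(evs, window))   # busiest window first
        if failures >= min_failures:
            out[src] = {"failures": failures, "distinct_users": users,
                        "pattern": "password spray" if users > 2 else "brute force"}
    return out


def _connections(lines):
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def flag_port_scans(lines, window=timedelta(minutes=5), min_ports=10):
    """(src, dst) pairs where one source touches at least `min_ports` distinct ports on one host."""
    per_pair = defaultdict(list)
    for ts, src, dst, dport in _connections(lines):
        per_pair[(src, dst)].append((ts, dport))
    out = {}
    for pair, evs in per_pair.items():
        ports = max(distinct for _, distinct in _window_stats(evs, window))
        if ports >= min_ports:
            out[pair] = ports
    return out


def flag_port_sweeps(lines, window=timedelta(minutes=5), min_hosts=10):
    """(src, dport) pairs where one source touches one port on at least `min_hosts` distinct hosts."""
    per_key = defaultdict(list)
    for ts, src, dst, dport in _connections(lines):
        per_key[(src, dport)].append((ts, dst))
    out = {}
    for key, evs in per_key.items():
        hosts = max(distinct for _, distinct in _window_stats(evs, window))
        if hosts >= min_hosts:
            out[key] = hosts
    return out


# Constructed sample logs (not real data); addresses are documentation ranges.
def _auth(hhmmss, result, user, src):
    return f"2020-01-06T{hhmmss} auth {result} user={user} src={src}"


def _conn(hhmmss, src, dst, dport):
    return f"2020-01-06T{hhmmss} conn src={src} dst={dst} dport={dport}"


SAMPLE_AUTH = (
    # one external source failing against six accounts in five minutes: spray
    [_auth(f"09:0{i}:00", "failure", u, "203.0.113.5")
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # a user mistyping twice, then succeeding: benign
    + [_auth("09:30:00", "failure", "alice", "192.0.2.10"),
       _auth("09:30:20", "failure", "alice", "192.0.2.10"),
       _auth("09:30:45", "success", "alice", "192.0.2.10")]
)
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 3389]
SAMPLE_CONN = (
    [_conn(f"09:10:{i:02d}", "198.51.100.7", "10.0.0.5", p) for i, p in enumerate(SCAN_PORTS)]   # scan
    + [_conn(f"09:12:{i:02d}", "198.51.100.7", f"10.0.0.{100 + i}", 445) for i in range(1, 11)]  # sweep
    + [_conn(f"09:15:{i:02d}", "10.0.0.20", "10.0.0.5", 443) for i in range(12)]               # benign
)

if __name__ == "__main__":
    print(flag_failed_logins(SAMPLE_AUTH))
    print(flag_port_scans(SAMPLE_CONN))
    print(flag_port_sweeps(SAMPLE_CONN))
```

The thresholds are starting points, not tuned values: a five-minute window of ten ports catches a deliberate scan but not a slow one, so when the period of heightened risk justifies it, widen the window and lower the counts and accept the extra review load. The benign entries in the sample data (a mistyped password, repeated HTTPS to one server) are there to show that the checks key on distinct users, ports and hosts, not on raw volume.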
Review your Business Continuity Plans and ensure that you and your employees are ready to respond in the event of an incident. The attacks could range from defacement to service and supply chain disruption, or something as serious as a disruption of a financial network, energy grid or communications network. It is important to think through these scenarios and understand how you will respond as an organization. It is also a good idea to share personal preparation suggestions with your employees, so that in the event of an incident they are prepared at home and still able to respond and take an active part in the organization's efforts.
Awareness and Vigilance
It is important to continually monitor cyber security and general news sources for any activities that may affect your organization.
Review Incident Response Procedures
If something should happen that affects your network, systems or resources, it is imperative that you be able to respond swiftly and properly. The initial steps are to identify and contain the attack; this minimizes the potential impact to your systems and to others. Then you can investigate, eradicate the attacker's foothold and recover from any damage. Make sure that you have clearly defined roles and responsibilities on your IR team, and that you have out-of-band contact information for team members and law enforcement in case your usual systems are unavailable.
While there is absolutely no need to panic, and there are no credible threats against specific organizations at the present time, the Iranian Government has stated that it will respond harshly, and it has a substantial capability that should not be taken lightly. Be prepared, and if you see something, say something.