By security practitioners, for security practitioners

Breaking Down Iranian State Cyber Threats

A brief snapshot of capabilities, known activity, and TTPs originating from Iran in 2024

We’ve been reading a lot recently about cyberattacks and new threats emerging from Iran. Historically, the Islamic Republic of Iran has extensively promoted the execution of cyber campaigns, which it uses to thwart adversaries, protect its national interests, and conduct cyber espionage.

More recently, security analysts have identified UNC1860 as a persistent and opportunistic Iranian state-sponsored threat actor. It is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). State-backed hackers continue to evolve their tactics, and businesses must shore up their defenses as well.

Concern is growing among security analysts over the attack on the Trump campaign, which the FBI traced back to Iran. Here we examine the current threats coming from Iran and how the MITRE ATT&CK framework can help with protection, detection, and mitigation.

A Brief Look at Iran’s Cyber Timeline

While many place Iran near the bottom of the list of active attackers, it has recently grown into a more serious threat. It has been behind several recent attacks and has moved on from simple website defacements to attacks on critical national infrastructure and, most recently, significant US election interference.

There have been many attacks linked to Iran and its affiliates; these are just a few:

  • 2009: Offensive cyberattacks during the Iranian presidential election.
  • 2010: Iran itself faced a state-sponsored attack, the Stuxnet worm, which hit SCADA-based systems underlying critical national infrastructure (CNI).
  • 2012: The Shamoon worm, malware targeting CNI that US intelligence linked to Iran. It was used in an attack against Saudi Aramco.
  • 2024: After the hack of President Donald Trump’s campaign, which it orchestrated, no one was surprised when the New York Times called Iran a “top disinformation threat.” Still, it wasn’t the first high-profile attack carried out by Iranian operatives.

The FBI has observed that this threat actor was running hack-and-leak campaigns, such as Pay2Key, in late 2020. It also operated a [.]onion site (reachable through the Tor browser) hosted in the cloud and registered through compromised organizations. After a successful compromise and acquisition of data, the actors would publish news of it on various platforms and then leak the data on the [.]onion site.

Although this strategy is usually used to extort victims into paying a ransom, the intent of Pay2Key was to undermine the security of Israel-based cyber infrastructure.

The Rising Significance of the Iran Cyber Threat

More recently, CISA observed malicious attacks against operational technology devices by Iran’s state-sponsored Islamic Revolutionary Guard Corps (IRGC)-affiliated APT cyber actors. According to the advisory, the threat actors are targeting multiple sectors that include US-based schools, financial institutions, municipal governments, and healthcare facilities.

The specific cyber threat groups involved include Pioneer Kitten, UNC757, Fox Kitten, RUBIDIUM, Lemon Sandstorm, and Parasite. These threat actors usually go by the handle ‘Br0k3r’; since the beginning of 2024 they have been working under the name ‘xplfinder’ in their channels and networks. In addition, these groups have worked with ransomware groups such as NoEscape, ALPHV (aka BlackCat), and RansomHouse.

The CISA advisory on these groups says the Iranian cyber actors’ involvement in ransomware attacks goes further than providing access. These groups work in tandem with ransomware gangs to lock their victims’ networks and implement extortion strategies on the victims. The FBI says that these Iranian cyber actors are not disclosing their location to the ransomware affiliates that they work with and seem to be intentionally vague about their origin and nationality.

Cyber Capabilities of Iran

Using the MITRE ATT&CK framework, analysts have found 11 offensive cyber groups linked to Iran. The groups include:

  • OilRig – Financial services, government, energy, chemical, and telecommunications
  • APT39 (Chafer) – Telecommunications and travel industries
  • CopyKittens – People associated with government, critical infrastructure, and academia
  • Strider – Scientific research, government, military, telecommunications, and financial services
  • Group5 – Individuals and groups in Syria
  • Charming Kitten – Individuals in academia, human rights, and media
  • Cleaver – Critical infrastructure
  • Leafminer – Governments and businesses in the Middle East
  • Magic Hound – Energy, government, and technology
  • MuddyWater – Telecommunications, IT services, and oil and gas

Cyber Techniques Used by Iran’s Operatives

Trademarks of Iranian cyber actors include exploiting remote external services on internet-facing assets to gain initial access to victim networks. In addition, security analysts note that previous cyberattacks by Iranian operatives used these 5 techniques.

Iran has demonstrated notable, advanced cyber capabilities, and some cybersecurity experts argue it ought to be ranked as a first-tier cyber power. Its threat actors have been known to use the Shodan search engine to find IP addresses hosting devices susceptible to particular CVEs, searching for public-facing network equipment such as firewalls running PAN-OS, F5 BIG-IP, Pulse Secure/Ivanti VPNs, and Citrix NetScalers.

MITRE ATT&CK, Mitigation, and Other Recommendations

Agencies recommend testing, exercising, and validating your defenses against potential threat behaviors, such as those mapped to the MITRE ATT&CK for Enterprise framework, in addition to mitigating attacks and vulnerabilities. Testing your inventory of current security controls is also a smart idea: it helps assess how they perform against the specific ATT&CK techniques used by threat actors.

To get started:

  • Select an ATT&CK technique described in the Joint Cybersecurity Advisory.
  • Align your security technologies against the technique.
  • Test your technologies against the technique.
  • Analyze your detection and prevention technologies’ performance.
  • Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  • Tune your security program, including people, processes, and technologies, based on the data generated by this process.

Experts recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified. 
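The six steps above amount to a control-by-technique test matrix. The following Python harness is an added example, not code from this article or from any agency advisory: it records constructed test outcomes for hypothetical controls against four ATT&CK techniques and reports which techniques are prevented, only detected, missed, or not yet tested, so that the tuning step works from data rather than intuition. The ATT&CK technique IDs are real; the control names and results are assumptions made up for the example.

```python
"""
Added example (not code from the original article): a small harness that
records the outcome of testing each security control against the ATT&CK
techniques chosen from an advisory and reports which techniques are
prevented, only detected, missed, or not yet tested.
"""
from dataclasses import dataclass
from enum import IntEnum


class Outcome(IntEnum):
    """Result of testing one control against one technique; higher is stronger."""
    UNTESTED = 0
    MISSED = 1     # the control neither blocked nor alerted on the behaviour
    DETECTED = 2   # an alert fired, but the behaviour was not blocked
    PREVENTED = 3  # the behaviour was blocked


@dataclass(frozen=True)
class Technique:
    technique_id: str
    name: str


@dataclass(frozen=True)
class TestResult:
    technique_id: str
    control: str
    outcome: Outcome


# Techniques chosen for testing. The IDs are real ATT&CK Enterprise IDs:
# T1190 and T1133 correspond to the exploitation of internet-facing services
# described in the article, T1078 and T1486 to the credential use and
# ransomware activity it mentions.
TECHNIQUES = [
    Technique("T1190", "Exploit Public-Facing Application"),
    Technique("T1133", "External Remote Services"),
    Technique("T1078", "Valid Accounts"),
    Technique("T1486", "Data Encrypted for Impact"),
]

# Constructed sample results; the control names are hypothetical labels for
# tools in an organisation's inventory, not real products.
SAMPLE_RESULTS = [
    TestResult("T1190", "perimeter-waf", Outcome.PREVENTED),
    TestResult("T1190", "edr", Outcome.MISSED),
    TestResult("T1133", "vpn-mfa", Outcome.DETECTED),
    TestResult("T1133", "siem-login-rule", Outcome.DETECTED),
    TestResult("T1078", "siem-login-rule", Outcome.MISSED),
]


def coverage_report(techniques, results):
    """Per-technique summary: the strongest outcome any control achieved, plus
    which controls prevented, detected, or missed the technique."""
    report = {}
    for tech in techniques:
        rows = [r for r in results if r.technique_id == tech.technique_id]
        best = max((r.outcome for r in rows), default=Outcome.UNTESTED)
        report[tech.technique_id] = {
            "name": tech.name,
            "status": best.name.lower(),
            "prevented_by": sorted(r.control for r in rows if r.outcome == Outcome.PREVENTED),
            "detected_by": sorted(r.control for r in rows if r.outcome == Outcome.DETECTED),
            "missed_by": sorted(r.control for r in rows if r.outcome == Outcome.MISSED),
        }
    return report


def coverage_gaps(report):
    """Techniques with neither prevention nor detection, untested ones first so
    they get tested before the program is tuned on incomplete data."""
    priority = {"untested": 0, "missed": 1}
    gaps = [(tid, row["status"]) for tid, row in report.items() if row["status"] in priority]
    return sorted(gaps, key=lambda g: (priority[g[1]], g[0]))


def coverage_score(report):
    """Fraction of techniques that at least one control prevents or detects."""
    covered = sum(1 for row in report.values() if row["status"] in ("prevented", "detected"))
    return covered / len(report) if report else 0.0


if __name__ == "__main__":
    rep = coverage_report(TECHNIQUES, SAMPLE_RESULTS)
    for tid, row in rep.items():
        print(f"{tid} {row['name']:<32} {row['status']:<9} "
              f"prevented_by={row['prevented_by']} detected_by={row['detected_by']}")
    print("gaps:", coverage_gaps(rep))
    print(f"coverage: {coverage_score(rep):.0%}")
```

Re-running the harness after each tuning change, and adding a `TestResult` row for every control tested rather than only the one that succeeded, keeps a record of which controls were exercised against each technique; a technique that is only "detected" still needs a response process behind the alert, and one that is "untested" should not be counted as covered.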

New Threats On The Horizon

With the ongoing conflicts in the Middle East, new Iranian state cyberattacks featuring new tactics, techniques, and procedures are imminent. Organizations should stay abreast of new threats and ensure their security is ready to defend their networks against them.
