This summer, a significant joint advisory was unveiled by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3). This advisory sheds light on the alarming role of Iran-based threat actors in orchestrating ransomware attacks against organizations not only in the US but also around the globe, highlighting the urgent need for enhanced cybersecurity measures.
As the US presidential election draws closer, experts warn that cyber activity from Iranian state actors may intensify. A revealing incident occurred in August when Iranian hackers successfully infiltrated Donald Trump’s presidential campaign, where they not only leaked sensitive information but also distributed stolen documents to various individuals involved in Joe Biden’s campaign, according to reports from CNN.
The question that arises is: who are the major threat groups associated with Iran, and what do cybersecurity professionals need to know as these groups persistently target both US institutions and the country's political landscape?
Threat Groups
Numerous advanced persistent threat (APT) groups are linked to the Islamic Revolutionary Guard Corps (IRGC), a prominent branch of the Iranian armed forces. Scott Small, director of cyber threat intelligence at Tidal Cyber, elaborates that many other cyber threat groups, while maintaining a semblance of independence, operate distinctly aligned with the strategic objectives of the Iranian government, posing an elevated risk.
These objectives could stem from espionage and information gathering or simply from a desire to disrupt. Historical patterns show that hack-and-leak campaigns, as well as wiper campaigns, are frequent outcomes of Iranian cyber activity. Moreover, as the joint advisory cautions, these Iranian groups may collaborate with major ransomware collectives to fulfill their disruptive aims.
“Look at the relationships of a group like Pioneer Kitten/Fox Kitten. They’re partnering and collaborating with some of the world’s leading ransomware groups,” Small emphasizes, underlining the potential for destruction. “These are extremely destructive malware that have been extremely successful in recent years at disrupting systems.”
The joint advisory underscores the activities of Pioneer Kitten, also referred to by various aliases such as Fox Kitten, Lemon Sandstorm, Parisite, RUBIDIUM, and UNC757. The FBI has been actively monitoring these Iranian cyber operatives as they coordinate with notorious groups like ALPHV (also known as BlackCat), Ransomhouse, and NoEscape. The advisory elucidates that these actors intentionally conceal their Iranian origins from ransomware affiliates, deliberately remaining vague about their nationality and origin, thus complicating attribution efforts.
Additional Iranian threat groups have recently captured the interest of cybersecurity analysts. In 2023, Microsoft’s cyber intelligence reported observing Peach Sandstorm (also known as APT33, Elfin, Holmium, and Refined Kitten) attempting to breach defense contractors through the deployment of sophisticated backdoors.
MuddyWater, a group operating under the auspices of Iran’s Ministry of Intelligence and Security (MOIS), has been implicated in attacks targeting various sectors, including government and private organizations in the critical fields of oil, defense, and telecommunications.
TTPs
The tactics, techniques, and procedures (TTPs) employed by Iranian threat actor groups exhibit remarkable diversity. Tidal Cyber monitors several major threat actors, housing an Iran Cyber Threat Resource Center dedicated to sharing threat intelligence. Small notes that the top ten groups monitored by Tidal Cyber are associated with approximately 200 of the techniques documented by MITRE ATT&CK.
The vast array of techniques and methods employed by these groups underscores their sophisticated operational capabilities.
The two primary avenues of compromise involve social engineering and the exploitation of unpatched vulnerabilities, according to insights from Mark Bowling, chief information, security, and risk officer at ExtraHop, a provider of cutting-edge cybersecurity solutions.
Social engineering tactics, implemented through methods such as phishing and smishing, can lead to the unauthorized acquisition of credentials, thereby granting threat actors access to systems to facilitate both espionage and ransomware breaches.
The Charming Kitten group (also known as CharmingCypress, Mint Sandstorm, and APT42), for instance, has been highlighted for using a fake webinar to ensnare targeted individuals, particularly policy experts located in the US, Europe, and the Middle East.
Unpatched vulnerabilities, whether found within an organization’s system or through its broader supply chain, can prove to be valuable tools for such threat actors, providing footholds for initiating attacks.
Security experts emphasize that once a vulnerability is identified, failure to patch it promptly — typically within a week — may result in the exploitation of that vulnerability by threat actors.
The joint advisory lists various CVEs that Iranian cyber actors exploit to secure initial access, noting that while patches exist, applying them is insufficient as a mitigation if adversaries have already breached the vulnerable systems and established a foothold before the patch was applied.
Potential Victims
Potential targets of the ongoing cyber campaigns by Iran-based threat actors are varied and encompass multiple sectors. The joint advisory has identified defense, education, finance, healthcare, and government as particular areas of focus for these cyber actors.
Small points out that the recent trend in nation-state-sponsored threat activities appears to indiscriminately target a broad spectrum of entities.
As the presidential election looms, it is plausible that threat actors will actively engage in influence campaigns designed to sway public opinion. This trend is not unprecedented: in 2020, two Iranian nationals were charged with running a cyber-enabled voter intimidation and influence scheme while posing as members of a far-right militant group. As the 2024 election nears, the recent hacking incident involving the Trump campaign serves as a grave reminder of these ongoing risks.
State and local government facilities could also become victims of Iranian threat groups seeking to spread misinformation or instigate chaos. “It’s possible that they may target government facilities, state or local government, just to add more chaos to this already divided general election,” states JP Castellanos, director of threat intelligence for Binary Defense, emphasizing the potential for disruption.
Additionally, vulnerable operational technology (OT) devices remain prime targets for actors affiliated with the IRGC. In late 2023, CISA, alongside multiple government agencies, issued an advisory addressing cyber activity directed at OT devices, particularly those used in essential services such as water and wastewater systems.
In a notable incident in 2023, CyberAv3ngers, a group linked with the IRGC, compromised an Israeli-made Unitronics system at a municipal water authority in Pennsylvania. In the aftermath of this attack, alarming messages were displayed on screens at the facility, stating: “You Have Been Hacked. Down With Israel, Every Equipment ‘Made In Israel’ Is CyberAv3ngers Legal Target.”
While the booster station at the water authority switched to manual operations, the implications of such cyber intrusions signal a potential for far graver disruptions.
Small articulates the clear dangers here: “The implications there were pretty clear that something else further could have been done … tampering with the water levels and safety controls, things along those lines.”
In light of the ongoing conflict between Israel and Hamas, organizations within Israel and allied nations are likely to remain targets for cyberattacks attributed to Iranian factions, escalating the threat landscape.
The educational sector, too, has experienced a surge in cyber activity linked to Iranian-based actors. Microsoft Threat Intelligence has reported instances of Mint Sandstorm crafting phishing lures aimed specifically at high-profile individuals within universities and research organizations, indicating targeted efforts to gather sensitive information.
Escalating Threats
Iran stands as a prominent entity among various nation-state threats actively focusing on both public and private sector organizations in the United States. Other players in this space include Russia, North Korea, and China, each with their strategic interests. Moreover, beyond politically motivated adversaries, organizations must also contend with cybercriminal networks driven purely by profit motives.
The imperative for defenders to prioritize and allocate resources effectively grows ever more pressing. “As a cyber defender, how much bandwidth do you have? How many groups can you possibly keep track of? We’re always talking about prioritization,” Small emphasizes, highlighting the complexity of cybersecurity management.
Despite some assertions positioning Iran as a lower-tier threat, experts like Castellanos caution against underestimating its capabilities. “I would strongly recommend to … not treat Iran as something not to worry about,” he warns, advocating for vigilance against this sophisticated adversary.
Enterprise leaders are increasingly challenged to evaluate geopolitical tensions, the specific threats their organizations face in light of those tensions, and the resources available to counteract those risks.
Bowling emphasizes the critical need for investments in both personnel and technology.
“You can have good processes, and you can have good people. But if you don’t have the technology that allows you to see the attackers and allows you to respond faster to the attack, then you’re not going to be successful,” he states unequivocally.
As enterprises grapple with cyber threats emanating from Iran and other actors, the foundational practice of information sharing becomes increasingly crucial. “That sharing of information and intelligence, that’s actually what leads to a lot of these alerts being published and then it becomes usable by the rest of the community,” Small concludes, emphasizing collective defenses against ongoing cyber threats.
Ty of maintaining effective cybersecurity in the face of evolving threats.
With the increasing frequency and sophistication of cyberattacks, particularly those linked to Iranian threat actors, organizations are under more pressure than ever to defend their networks proactively. The growing reliance on technology across all sectors adds another layer of exposure, making it imperative for businesses and governmental bodies to adopt a comprehensive cybersecurity strategy.
Key measures include regular software updates to reduce the risk posed by unpatched vulnerabilities, continuous training for employees to recognize social engineering tactics such as phishing, and incident response plans that are ready before a breach occurs. Engaging with cybersecurity experts and participating in threat intelligence sharing can further strengthen defenses against these adversaries.
As geopolitical tensions escalate, particularly in the context of the impending U.S. presidential election and ongoing conflicts in the Middle East, the potential for cyber interference remains high. Organizations across critical sectors must remain vigilant and adaptable, preparing not only for espionage but also for more disruptive attacks aimed at influencing political outcomes or instigating chaos.
As the landscape of cyber threats continues to evolve, staying informed and prepared will be crucial for organizations looking to safeguard their systems and data against Iranian cyber threats and other nation-state actors.