Editor's Note: This post, originally published on October 26, 2020, by Adam Hlavek, includes updates dated March 1 and April 12, 2021.
- On April 11, 2021, it was reported that Iran’s Natanz nuclear facilities experienced a blackout after a large explosion destroyed the independently protected internal electric grid that supplies its underground advanced centrifuges that enrich uranium.
- Lightning & Thunder are active again: what is interesting about the latest resurface of this APT is that the victims are not Iranian unlike previous Infy campaigns.
- Charming Kitten group is attacking medical researchers: the campaign was carried out in late 2020, but it was detected, analyzed, and published in late March 2021 and is attributed to Iranian state-sponsored APT Charming Kitten.
- In early March 2021, Trend Micro detected activity targeting numerous organizations in the Middle East and neighboring regions in a campaign dubbed Earth Vetala.
Since the Iranian revolution and the establishment of the current Islamic Republic in 1979, Iranian leadership has been in near constant conflict with the West and several of its Middle Eastern neighbors. The United States’ previous alliance with the overthrown Pahlavi dynasty and the ensuing hostage crisis set the stage for the tensions that would follow between the two nations in the coming decades. The U.S. and its allies' efforts to contain, counter, and undermine the regime’s influence have taken a variety of forms, including diplomacy, legal action, and economic sanctions. Iran’s determination to establish itself as a nuclear power has also exacerbated the West’s growing concern over the rogue nation’s military ambitions, which strategically include Iranian cyber attacks.
Thus, the 2010 discovery of a sophisticated and largely unprecedented cyber sabotage campaign targeting Iran’s nuclear facilities at Natanz would prove pivotal in the relationship between the U.S. and the Islamic Republic. While the U.S. government has never claimed responsibility for the Stuxnet virus that disabled hundreds of Iranian centrifuges, many have asserted that the operation was the work of U.S. and/or Israeli intelligence. This debate aside, Iranian officials wasted little time in publicly blaming the U.S. and Israel for the attacks. Following the Stuxnet attacks, Iran set itself on a course to aggressively develop its own cyberspace capabilities.
Most recently, on April 11, 2021, it was reported that Iran’s Natanz nuclear facilities experienced a blackout after a large explosion destroyed the independently protected internal electric grid that supplies its underground advanced centrifuges that enrich uranium. Evidence is still surfacing regarding the attack and its implications, but Iranian officials have publicly announced the blackout as an act of sabotage carried out by Israel, and many media sources have attributed the attack as a Mossad (Israeli intelligence agency) cyber operation. Though widely reported as a cyberattack, there is no concrete evidence that supports this speculation. IronNet researchers are actively tracking this event, and will provide updates as more information becomes available.
What is the historical backdrop of Iranian cyber attacks?
Lacking the military and economic might of its Western rivals, Iranian leadership views cyber as an asymmetric tool to do damage to their enemies and effectively gather intelligence on foreign governments, corporations, academic institutions, and NGOs abroad, in addition to their own citizens. Once viewed as cyberspace “amateurs,” the Iranian intelligence apparatus has steadily and conspicuously grown its domestic cyber know-how and Iranian hacking capabilities. While Iranian cyber operators may not be viewed as top tier in terms of their technical sophistication, the regime’s willingness to conduct aggressive and destructive cyber operations dramatically increases the potential threat posed to those enterprises which find themselves in the crosshairs. Highly disruptive operations presumably carried out at the behest of the Ayatollah have included drive-wiping attacks directed against Saudi oil companies and large-scale denial of service attacks directed against the U.S. financial sector, actions that have displayed open contempt for international norms and indicate the regime’s willingness to retaliate for a variety of perceived transgressions within the cyber domain.
As the last two years have given witness to dozens of malicious cyber campaigns attributed to numerous Iranian actors, it appears the regime’s plan has come full circle and that cyber has become a full-fledged, core component of Iran’s strategy to harass, contest, and punish its adversaries around the Middle East and the globe.
Iranian cyber attacks: strategic goals
1. Escape international sanctions and modernize the economy
Iran’s economy has struggled following the years of sanctions imposed by both the United Nations and the United States and its allies. The latest round of sanctions imposed due to the dissolution of the Joint Comprehensive Plan of Action (JCPOA) nuclear deal have been particularly hard hitting, sending the Iranian economy into a deep recession.
To that end, Iran is seeking economic alliances outside the Western sphere of influence. Most notably, Iran is apparently entering into a $400 billion investment agreement with China which would include infrastructure investment and cooperation on defense and intelligence initiatives.
Iran has also been willing to pursue intellectual property theft via cyber operations as a means of enhancing its competitive advantage, demonstrating a particular focus on defense and information technologies. A 2018 report from the U.S. National Counterintelligence and Security Center highlights this threat, stating, “Iran will continue working to penetrate U.S. networks for economic or industrial espionage purposes. Iran’s economy — still driven heavily by petroleum revenue — will depend on growth in non-oil industries and we expect Iran will continue to exploit cyberspace to gain advantages in these industries.” Attempts at Iranian hacking are now an ongoing cyber threat.
Examples of Iranian cyber attacks:
- 2018 - Mabna Institute Indictment
2. Defeat regional adversaries in the Middle East
While Iran’s diplomatic relationships with its regional neighbors have differed over time and from state to state, Iranian leadership has consistently sought to undermine and contest those nations within the region that it sees as direct rivals. Seeking to establish itself as the preeminent power in the region, Tehran has repeatedly chafed against Israel and those Sunni-led states allied with the United States such as Saudi Arabia, Bahrain, and the United Arab Emirates. These conflicts have taken several forms, from economic and diplomatic disputes to outright military confrontation. The Islamic Republic has also actively supported insurgent militant groups such as Hezbollah in Lebanon and the Houthi rebels in Yemen as a means to asymmetrically fight battles against their adversaries via proxy forces, as the regime cannot afford the political and military costs of conventional warfare.
Cyberspace has also provided a new and appealing domain for the Iranian military and intelligence services to leverage, as the domain offers a low barrier-to-entry and often makes identifying those responsible difficult. Thus, many of the recent cyber intrusion campaigns linked to Iran have targeted governments, corporations, and NGOs within the Middle East. These campaigns serve multiple purposes: to collect information on organizations and individuals of interest to the Iranian intelligence services, to gain economic and political advantage, and, in the most extreme cases, to damage or destroy information systems or operational technology.
Examples of historical Iranian cyber attacks:
3. Preserve the Ayatollah’s regime and quell dissent
Post-revolutionary Iran has a well-documented history of highly centralized control of information and censorship. With dedicated government ministries overseeing the various forms of media, the regime’s leadership requires strict adherence to the tenets of Shia Islam and forbids any significant criticism of the Supreme Leader and his government. Reporters Without Borders has consistently ranked Iran as one of the most repressive countries in the world with regard to press freedom.
Economic and political disenfranchisement have sparked multiple public protest movements in Iran over the past decade, from protests in 2009 stemming from Iranian President Mahmoud Ahmadinejad's election victory to 2019 protests initially spurred by dramatic increases in gasoline prices. Regime leadership has frequently responded to these demonstrations with brutal military force.
Iranian authorities have also proven to be more than willing to use technology to censor and surveil their citizenry. Some notable examples include the government essentially cutting off Internet access across the country in November 2019 in response to widespread protests, and likely being responsible for the compromise of the certificate authority DigiNotar in 2011, which resulted in thousands of Iranian Google users being redirected to look-alike webpages. Such actions underscore the regime’s determination to maintain strict control over the flow of information within Iran’s borders.
Examples of historical Iranian cyber attacks:
4. Punish and discredit ideological adversaries
The regime has also shown an affinity for highly destructive “revenge” attacks against its enemies, particularly Saudi Arabia and the United States. The Shamoon malware deployed against Saudi and Qatari oil and gas companies represents a watershed moment, as these attacks resulted in the effective sabotage of thousands of computer systems within the victims’ corporate networks. Iranian operators are also believed to have been behind campaigns designed to disrupt a variety of U.S. government and private sector entities, to include banks, hotels, and most recently the U.S. presidential elections. Such cyber operations are likely designed to project power and serve as a warning to other nations or companies that are weighing their strategies for dealing with Iran.
While cyber-enabled espionage has become commonplace amongst world powers, Iran’s actions to harm commercial and industrial entities abroad illustrate a disregard for international norms and a willingness to cross “red lines” not seen by other prominent cyber powers today.
Examples of historical Iranian cyber attacks:
Acceleration of Iranian cyber attacks
The past decade has seen the Iranian government rapidly adopt cyberspace operations as a primary tool of national power, demonstrate a strong willingness to use cyber as a weapon for retaliation, and rely upon Iranian hacking as a means for intelligence collection and espionage. The number of Iranian cyber attack campaigns documented by the cybersecurity community in just the past two years illustrates the significant volume of operations being carried out at the direction of the regime’s political and military leadership, which is particularly notable given the possibility that there are additional, ongoing intrusions that have yet gone undetected or undocumented in the public sphere.
As is almost always the case when discussing state-sponsored threats, the enterprises being victimized by Iranian hackers often lack the tools and information to systematically and effectively counter these adversaries. The growth in volume and sophistication exhibited by Iranian cyber operators suggests that the threat from these groups is continuing to accelerate. Countering such a threat calls for new and innovative forms of defense.
Lightning & Thunder active again
In early 2020, new versions of Foudre (French for lightning) emerged. Instead of having the victim click a video link (as before), the malware runs a macro once the victim closes the document. The Foudre backdoor DLL connects to an HTTP C&C server and downloads a self-extracting archive containing the full Tonnerre (French for thunder) malware. Tonnerre uses HTTP for C2 updates and FTP for data exfiltration and commands.
The new versions also differ from earlier ones in several notable ways:
- DGA: the domain generation formula has been updated and now includes the TLDs .space, .net, .dynu.net, and .top.
- C2 RSA verification: the malware verifies that the server is authentic by downloading a signature file signed by the server and checking that the signature is valid. This could make the operation more resilient to take-downs.
- The Foudre string is no longer present: the keylogging method was originally called “Foudre” and has been renamed “form1,” which helps evade signature-based detection.
- The malware uses https://www.france24.com/en/top-stories/rss/ to obtain the current date for the DGA.
What is interesting about the latest resurfacing of this APT is that, unlike in previous Infy campaigns, the victims are not Iranian. At a time when most other APTs are trying to live off the land, this APT re-crafted its toolset, which comes in at a relatively large 56MB. This is ironic: the large size lets the malware pass as an ordinary application, and because security vendors typically avoid scanning large files, it may ultimately avoid detection.
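The post names the TLDs the updated DGA draws on but, correctly, does not publish the generation formula, so a defender cannot simply regenerate the domain list. What can be done is to triage resolver logs for lookups under those TLDs whose registrable label looks machine-generated. The following Python is an added example written for this post, not code from IronNet or from the malware analysis; the log format, the sample lines and the scoring thresholds are all constructed assumptions. Note that .net is a very common TLD, so the heuristic deliberately scores the label rather than the TLD alone.

```python
import math
from collections import Counter

# Constructed sample resolver log, not data from the original post.
# Assumed line format: "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2021-03-02T09:14:03Z 10.0.4.17 www.france24.com
2021-03-02T09:14:05Z 10.0.4.17 k7x2q9mvb4.space
2021-03-02T09:14:06Z 10.0.4.17 p0zr8t1lqw.dynu.net
2021-03-02T09:15:11Z 10.0.4.22 mail.example.net
2021-03-02T09:15:40Z 10.0.4.17 zz3v9lx0q.top
2021-03-02T09:16:02Z 10.0.4.31 updates.example.com
"""

# TLDs the post names for the updated DGA, longest first so that a name such as
# "x.dynu.net" is classified under .dynu.net rather than .net.
WATCHED_TLDS = sorted((".space", ".net", ".dynu.net", ".top"), key=len, reverse=True)
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits per character of the label; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def watched_tld(name: str):
    """Return the watched TLD that `name` ends with, or None."""
    for tld in WATCHED_TLDS:
        if name.endswith(tld):
            return tld
    return None


def dga_score(label: str) -> int:
    """Heuristic 0-4 score: entropy, letter/digit mix, digit density, vowel scarcity.

    The thresholds are assumptions chosen for this example, not values from the post.
    """
    if not label:
        return 0
    digits = sum(ch.isdigit() for ch in label)
    letters = sum(ch.isalpha() for ch in label)
    vowels = sum(ch in VOWELS for ch in label)
    score = 0
    score += shannon_entropy(label) >= 3.0
    score += digits > 0 and letters > 0
    score += digits / len(label) >= 0.2
    score += vowels / len(label) < 0.2
    return int(score)


def triage_dns_log(log_text: str, threshold: int = 2):
    """Return (client, name, tld, score) for lookups that look DGA-generated."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, name = parts
        name = name.lower().rstrip(".")
        tld = watched_tld(name)
        if tld is None:
            continue
        # The label immediately left of the watched TLD is the one a DGA would generate.
        label = name[: -len(tld)].rsplit(".", 1)[-1]
        score = dga_score(label)
        if score >= threshold:
            hits.append((client, name, tld, score))
    return hits


if __name__ == "__main__":
    for client, name, tld, score in triage_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {name} ({tld}) dga_score={score}")
```

On the constructed log the three random-looking labels are surfaced and the legitimate .net host is not; a real deployment would feed the hits into the same queue as any other DNS anomaly and correlate them with the client that also fetched the france24.com RSS feed shortly before, since the post notes the malware uses that feed to seed its date.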
Charming Kitten targeting medical researchers
Cybersecurity researchers uncovered a phishing campaign, dubbed BadBlood, aimed at 25 senior professionals specializing in genetic, neurology, and oncology research in the U.S. and Israel. The campaign was carried out in late 2020, but it was detected, analyzed, and published in late March 2021 and is attributed to Iranian state-sponsored APT Charming Kitten (aka Phosphorus, Ajax, TA453), whose other recent attacks include targeting world leaders attending the Munich Security Conference and the T20 Summit in Saudi Arabia in an effort to steal their email credentials, targeting Israeli scholars and U.S. government employees in another credential-stealing effort last July, and also attacking the re-election effort of former President Donald Trump.
- The bottom line is that BadBlood is not one of a kind; however, for Charming Kitten it implies a shift in target and collection priorities, as the group usually targets dissidents, academics, diplomats, and journalists in order to further Iranian IRGC interests.
- The motives have not yet been definitively determined, but are presumed to be the result of a specific short-term intelligence collection requirement and/or a one-off attempt to gather intelligence that can potentially be used in further phishing campaigns. Additional investigation will reveal more about the goals of Charming Kitten regarding the medical sector.
Earth Vetala campaign
In early March 2021, Trend Micro detected activity targeting numerous organizations in the Middle East and neighboring regions in a campaign dubbed Earth Vetala. The cyber espionage campaign has been attributed to Iranian APT MuddyWater (aka Static Kitten) and is reported to be actively ongoing. It specifically targets organizations such as government agencies, tourism entities, and academic institutions in countries such as the UAE, Saudi Arabia, and Israel.
- The attackers behind Earth Vetala leverage spearphishing emails and lure documents containing embedded links to a legitimate file-sharing service (Onehub) to distribute archives containing the ScreenConnect remote administration tool and RemoteUtilities software, which are then used to deliver malware.
- Once on a victim's system, the attackers determine whether the user account is an administrator or a normal user and then download post-exploitation tools, including utilities to dump passwords, reverse-tunneling tools, and custom backdoors.
- They then initiate communications with additional C2 infrastructure to execute obfuscated PowerShell scripts. In this latest campaign, MuddyWater is using features of ScreenConnect to steal sensitive information or download malware for additional cyber operations.
- As MuddyWater is assessed to be primarily focused on cyber espionage, it is very likely that data-theft is the primary objective behind the Earth Vetala campaign.
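The behaviour described in the three steps above, a legitimate remote administration tool being used to run obfuscated PowerShell and discovery commands, leaves a recognisable parent/child process chain in endpoint telemetry. The following Python is an added example for this post, not code from IronNet or Trend Micro: it scores constructed process-creation events (field names modelled on Sysmon Event ID 1, values invented) for a script host spawned by a remote-administration client, with extra weight for an encoded or hidden-window PowerShell command line. The executable file names listed for ScreenConnect and RemoteUtilities are assumptions for the example, not identifiers taken from the post.

```python
import base64
import re

# Executable names assumed for the remote-administration tools the post names
# (ScreenConnect, RemoteUtilities); adjust to the inventory in your own estate.
REMOTE_ADMIN_PARENTS = {
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
    "rutserv.exe", "rfusclient.exe",
}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts abbreviated switches, so match the common spellings of -EncodedCommand.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Constructed sample: a harmless command, encoded the way PowerShell expects (UTF-16LE, base64).
CONSTRUCTED_ENCODED = base64.b64encode("Get-Process".encode("utf-16le")).decode()

# Constructed process-creation events, not telemetry from the original post.
SAMPLE_EVENTS = [
    {"host": "ws-014",
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {CONSTRUCTED_ENCODED}"},
    {"host": "ws-014",
     "parent_image": r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
    {"host": "ws-022",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "ws-014",
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, None if absent, or a marker if undecodable."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return "<undecodable>"


def analyze_event(event: dict):
    """Return a finding dict for a suspicious remote-admin -> script-host chain, else None."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent not in REMOTE_ADMIN_PARENTS or child not in SCRIPT_HOSTS:
        return None
    reasons = ["script host spawned by remote-administration tool"]
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("encoded command")
    if HIDDEN_FLAG.search(event["cmdline"]):
        reasons.append("hidden window")
    return {
        "host": event["host"], "parent": parent, "child": child,
        "severity": "high" if len(reasons) > 1 else "medium",
        "reasons": reasons, "decoded_command": decoded,
    }


def analyze_events(events):
    """Apply analyze_event to every event and keep the findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['host']}: {finding['parent']} -> {finding['child']}"
              f" ({', '.join(finding['reasons'])}) decoded={finding['decoded_command']!r}")
```

The decoded command is attached to the finding so an analyst sees what the obfuscated script actually does rather than a base64 blob. Because ScreenConnect and RemoteUtilities are legitimate products, the chain alone is rated medium; it becomes high only when combined with the encoded or hidden-window switches the post associates with the obfuscated PowerShell stage, which keeps routine administrator use from flooding the queue.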
IronNet’s mission is to drive such innovation and build the tools to defend companies, sectors, and nations against such global threats. Harnessing the state-of-the-art behavioral analytics powering IronDefense Network Detection and Response and collaboratively sharing threat intelligence in real-time across enterprises via IronDome Collective Defense provides IronNet’s customers with unique capabilities to better detect and defend against such threats, whether originating from hostile nations or criminal networks.
Read the full Iran threat report.