2020’s first major geopolitical event happened before most of us had fully recovered from the New Year festivities, with the assassination of Iranian general Qasem Soleimani by the Trump administration. Since then, tensions have escalated significantly, with many fearing that the situation will boil over into all-out war.
However, while Trump may be boasting about the US’ superior military equipment, the arena in which Iran poses the greater threat is cyberspace, where a number of state-sponsored advanced persistent threat (APT) groups have been flexing their digital muscles over the past few years.
“Iran is a credible offensive actor in cyberspace having moved in recent years to boost their military capability in this area – in the past, they relied on third party groups and supportive hackers to carry out attacks,” said Dr Duncan Hodges, senior lecturer in cyberspace operations at Cranfield University.
“Iran’s response will most likely include a cyber response. It would be foolish to think that Iran will simply ratchet up its offensive capabilities against the US and other nations,” added Sam Curry, chief security officer at cybersecurity firm Cybereason.
“In fact, Iran is an intelligent cyber opponent with an army of people testing our systems every minute of every day. It is the ultimate game of cat and mouse. But in this instance, the consequences could be lasting.”
Iran APT groups: The frontline of Iran-backed cyberattacks
Arguably the main vehicle for Iran’s cyber threat is its advanced persistent threat (APT) groups: teams of hackers that gain unauthorised and undetected access to computer networks and remain there for extended periods, either to collect data or to carry out a sophisticated and often destructive objective.
Iran itself was the victim of one of the most notable APT operations, the Stuxnet computer worm, which is believed to have been developed jointly by the US and Israel and which, when it was uncovered in 2010, was found to have caused significant damage to the centrifuges at Iran’s uranium enrichment facility at Natanz.
The country has since developed significant APT capabilities of its own, and has already been linked to attacks on US infrastructure, including its power grid. But which are the most notable Iranian APT groups?
APT33
Also known as Elfin Team, Refined Kitten, Magnallium and Holmium, APT33 is believed to have formed in 2013.
The group has been linked to a number of attacks on targets in the US, South Korea and Saudi Arabia, particularly organisations in the aerospace, defence and petrochemical industries. One notable recent campaign, in 2019, targeted numerous Saudi firms.
The group uses a host of malware tools, favouring those that can wipe hard drives or install backdoors. It has also engaged in considerable spear-phishing efforts, and has registered numerous domains impersonating high-profile companies, including Boeing and Northrop Grumman.
APT34
Also known as OilRig and HelixKitten, APT34 is one of the most notable APT groups thought to be backed by the Iranian government.
Active since 2014, it has launched a host of attacks against the critical national infrastructure of numerous countries, including the United Arab Emirates, Jordan and Bahrain. Its targets have included airports, security agencies, energy providers and government institutions.
The group uses an arsenal of hacking tools to infiltrate networks, including numerous malware and phishing tools, as well as keyloggers, credential-dumping tools and automated collection methods.
However, APT34 suffered a significant blow in 2019 when a slew of data believed to identify the group’s leadership was exposed via Telegram. The leak included details of 10 individuals, three of whom work for Iran’s Ministry of Intelligence, while the remainder work for Iranian cybersecurity company Rahacorp.
APT39
First identified in late 2018 but believed to have been active since 2014, APT39 is considered a cyber-espionage group because of its focus on stealing personal information.
Primarily targeting the telecommunications sector, along with the travel and IT firms that support it and the high-tech sector, APT39’s campaigns have focused on companies in the US, Turkey, Spain, Egypt, Iraq, the UAE and Saudi Arabia.
The group is thought to use off-the-shelf hacking tools to perform tracking and surveillance operations against key individuals, in a manner that has led experts to believe it is likely to be conducting espionage activity for the Iranian government.
Charming Kitten
Also known as APT35, Phosphorus, Ajax Security and NewsBeef, Charming Kitten is one of the highest-profile Iranian APT groups, despite being regarded as using relatively unsophisticated techniques.
Thought to have been active since 2014, the group uses a mixture of zero-day exploits, malware, spear phishing and social engineering to steal data from individuals in government agencies and from companies working in technology, military and diplomacy. Most targets are based in the US, Israel and the UK.
In particular, Charming Kitten has been accused of targeting individuals involved in the Iran nuclear deal, targeting an unnamed US presidential campaign, and attempting to steal data from journalists, government officials and selected Iranians living abroad.
The group has also been linked to the HBO hack that saw scripts of then-unaired Game of Thrones episodes leaked online.
Cleaver
First identified in 2014, Cleaver is the APT group responsible for Operation Cleaver, a coordinated campaign uncovered by Cylance that began in 2012 and may still be ongoing.
Targeting organisations across 16 countries, including the US, Israel, China, India, France, the UK and Saudi Arabia, Cleaver’s victims include military organisations, aerospace companies and energy industry giants.
Cleaver’s attacks, which appear to have focused on data theft, have included the creation of fake LinkedIn profiles to facilitate the spread of malware.
The group has been linked to the Islamic Revolutionary Guard Corps, although the Iranian government has officially denied involvement in Operation Cleaver.
CopyKittens
Another Iran-based APT group focused on espionage, CopyKittens was first identified in 2015 and is thought to have been operating since 2013.
Using a selection of off-the-shelf and custom malware tools to gain access to systems and to encrypt and exfiltrate data, the group has primarily attacked strategic targets in countries including the US, Jordan, Turkey, Israel, Saudi Arabia and Germany. It has typically focused on government and academic institutions, as well as defence and IT companies.
CopyKittens is particularly known for its campaign Operation Wilted Tulip, an extensive cyber espionage campaign targeting governmental organisations.
Leafminer
Believed to have been active since 2017, Leafminer also engages in cyber espionage, focusing specifically on organisations in the Middle East.
Targeting a slew of industries, including petrochemical, telecoms, financial, shipping and airlines, as well as government institutions, Leafminer has focused its activities in countries including Saudi Arabia, Lebanon, Israel and Kuwait.
The group is thought to use a mix of custom and widely available malware and exploits to gain persistent access to machines and steal data.
MuddyWater
Also known as TEMP.Zagros and Seedworm, MuddyWater is a cyber-espionage group that has been active since 2017. It initially focused on the Middle East, in particular Saudi Arabia, Lebanon and Oman, but has since expanded its efforts to target European and North American organisations.
Focusing on data theft, the group has targeted organisations across government, telecoms and oil, as well as the cryptocurrency sector.