APTs & Threat Actors That May Increase Hostile Activity Due to Elimination of Iranian General Quassem Suleimani

<p>The Anomali Threat Research Team monitors the global cyberthreat landscape continually. Our experts focus on geographies of interest, provide around-the-clock intelligence on adversaries, and guidance on how to defend networks and people against cyberattacks.</p><p>Anomali has been monitoring the Middle East long before the current situation with Iran developed. For several years, we have been providing threat intelligence to customers and the greater security community impacted by threats from this region. For example, as early as 2018, our researchers provided detailed analysis, warnings, and guidance related to <a href="https://www.anomali.com/blog/new-shamoon-v3-malware-targets-oil-and-gas-sector-in-the-middle-east-and-europe" target="_blank">Shamoon wiper malware</a> and an attack wave launched by Iran-aligned threat actors. </p><h3><strong>Situation Analysis</strong></h3><p>On Jan. 3, the United States confirmed that it eliminated Major General Qassem Suleimani. He was the head of Iran's Islamic Revolutionary Guard Corps (IRGC) and its Quds Force. Since then, multiple news sources and government agencies have reported that Iran and groups aligned with it may target the US with retaliatory physical and cyberattacks. Anomali customers have increased demand for information about the event and requests for guidance on how to defend effectively against related cyberthreats.  </p><p>Anomali has been meeting these requests with intelligence that is helping them to address concerns. To further assist customers and the security community to detect and mitigate related threats, we updated our comprehensive Iran country profile. It provides a complete overview of all threats known to be backed by, affiliated with, or sympathetic towards Iran. It provides a comprehensive list of the known threat actors’ attack techniques, payloads, and IOCs. </p><p>The information was compiled by the Anomali Threat Research Team. It is based on our internal research, publicly available research from multiple sources, direct input from partners such as Intel 471, and intelligence from Anomali. </p><p>Anomali suspects with high confidence that threat actors  identified could increase activities aimed at public and private sector organizations. It is essential to add that threat actors not affiliated with the government or military forces of Iran, which are sympathetic to the country, could start to ramp attacks. </p><p>Any organizations concerned about how heightened tensions between the US and Iran could impact the security of their computer systems and data should take steps to mitigate these threats. Anomali customers receive automated integration of threats and IOCs directly into their platforms, which enables fast investigations and immediate detection for any that may have breached their networks. </p><h3><strong>Top Threat Actors and APTs Covered in the Report</strong></h3><p><strong>APT33</strong> - Based in Iran and believed to be state sponsored, it has been active since at least 2013. APT33 conducts cyber espionage campaigns and deploys destructive malware in organizations primarily in Saudi Arabia but has also targeted entities in South Korea and the US. Aliases: Cutting Sword of Justice, Refined Kitten, Elfin. Known malware used: Shamoon, Shamoon 2, Shamoon 3, DEADWOOD, ZeroClear.  </p><p><strong>APT34</strong> - Based in Iran and active since at least 2014, it is known for cyber espionage operations focused on reconnaissance that benefits Iran state interests. It uses public and custom tools to target entities located in the Middle East. Aliases: OilRig, Gulax, Helix Kitten. Known malware used: TwoFace, Helminth, POWRUNER/BONDUPDATER, ISMInjector, RGDoor, OopsIE.  </p><p><strong>APT35</strong> - Based in Tehran, it is believed to be associated with the government of Iran. It conducts cyberattack campaigns across many countries and is attempting to establish footholds in major government organizations, military, and critical infrastructures. Aliases: Ajax Security Team, Cobalt Gypsy, Cutting Kitten, Ghambar, MagicHound, Newscaster, Rocket Kitten. Known attack methods: watering hole, email phishing, fake social media profiles. Known malware used: TinyZBot and DownPaper. </p><p><strong>APT39</strong> - This Iranian cyberespionage group has been active since at least 2014. Aliases: Chafer. Known attack methods: use of various trojans and backdoors such as SEAWEED and CACHEMONY; malware such as CLEARPIPE, POWBAT/CLAYSLIDE, QANAT, RazorRAT, SEAWEED/Remexi. </p><p><strong>How Anomali Helps</strong><br/> <br/> The Anomali Threat Research Team provides actionable threat intelligence that helps customers, partners, and the security community to detect and mitigate the most serious threats to their organizations. The team frequently publishes threat research in the form of white papers, blogs, and bulletins that are made available to the security community, general public, and news organizations. Intelligence and bulletins about threat actors and related Indicators of Compromise (IOCs) are integrated directly into Anomali customers’ security infrastructures to enable faster and more automated detection, blocking, and response.</p><p style="text-align: center;"><a class="button button-xlarge button-rounded button-blue-grad" href="https://www.anomali.com/resources/whitepapers/iran-cybersecurity-profile" target="_blank">Access full report</a></p>