
Iran’s Use of Advanced Persistent Threats

Published on May 1, 2024
Why are we talking about Iran?

Over the last several months, Iran has openly supported Hamas in Gaza and Hezbollah along the Lebanon border. Iranian backing for groups opposed to Israel has been an enduring factor in the region for many years (e.g. proxies in Yemen, Syria and Iraq). In recent weeks, however, world news has been dominated by the major uptick in direct kinetic action between Iran and Israel.

This series of kinetic actions, each essentially in answer to the last, was backed by very strong rhetoric from both sides and led to very real fears of escalation into a broader and more severe regional conflict that would rapidly draw in other major powers and allies.

For now, it appears that the risk of war with Iran has a 'lid on it'. It cannot be said to have been averted: everyone is watching the situation carefully, and it remains a tinderbox. International efforts continue to push towards a sustained ceasefire in Gaza, de-escalation of that conflict and humanitarian aid.

Should we worry about an increased cyber threat from Iran?

It must also be remembered that modern conflict is hybrid, combining traditional military tactics and actions with cyber positioning and attacks. Cyber operations are cheaper, deniable and carry far less escalation risk than missiles, so as the kinetic side of the conflict de-escalates we should expect continued, and most likely increased, cyber action.

How competent is Iran in cyberspace?

Iran is a highly competent and active cyber threat worldwide. Its combination of state-sponsored cyber operations, espionage, disruptive attacks and geopolitical motivation makes it a potent adversary. It has spent years investing in its cyber capabilities, combining resilient cyber infrastructure with highly trained and skilled personnel.

Iran's investment in cyber capability pre-dates the infamous Stuxnet worm, discovered in 2010, which directly attacked its nuclear programme and damaged centrifuges at the Natanz uranium enrichment plant. There is no doubt, though, that Stuxnet (widely, if never officially, attributed to the US and Israel) caused Iran to intensify its efforts to develop both offensive cyber capability and resilience.

Iran has earned its place on the world stage as a cyber threat actor, spanning state-sponsored cyber operations, espionage and information gathering, disruptive and destructive attacks, and geopolitical motivations with social media influence operations.

For anyone working in cyber security, the Iranian threat actor names are all too familiar: APT33 (Elfin), APT34 (OilRig), APT35 (Charming Kitten), APT39 (Chafer), CyberAv3ngers and MuddyWater, to name but a few. Note that these groups are tracked under several vendor aliases, so correlating feeds by name alone is error-prone. The attributed malware families also resonate: Shamoon, StoneDrill, Chaos and Mahdi, with the Shamoon wiper infamously associated with the destructive attack on Saudi Aramco in 2012.

Who are they going after?

Iran focuses predominantly on infrastructure in other nations: energy, communications, healthcare, utilities, transportation, education, finance, government and defense. In the current conflict it will continue to target Israel and its allies, both to disrupt their capabilities in the conflict and to diminish the strength of support for Israel, pursuing leverage on short-term and long-term strategic timescales. It will no doubt also ramp up social media disinformation aimed at inflaming opposition to supporting Israel.

What should organizations do now?

Since COVID-19, organizations have significantly accelerated digitization across their customers, suppliers, operations and employees on new and expanded digital platforms, so the attack surface exposed to cyber threats has never been larger. Geopolitical tensions and events increase risk, and organizations need to prepare and build resilience against an attack coming their way, either as an intended target or as unintended spill-over (think WannaCry, which spread far beyond anyone's intended victims).

Iran’s motives beyond data breaches have focused on disruption and destruction, and in the current conflict, these should be viewed as significant threats.

The answer is an intelligence-led approach: focus on relevant threat intelligence about these actors and where they are operating, gather their malicious indicators (domains, IP ranges, file hashes) together with their attribution and confidence, and keep blocking, detection and response up to date as that intelligence changes. Indicators age quickly, so stale entries must be retired as deliberately as new ones are added. This is about bonding the latest threat intelligence with security operations and maintaining strong situational awareness across the enterprise.
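As an added illustration of that intelligence-led loop (example code written for this edit, not code from Anomali or its platform): the script below ingests a constructed indicator feed that carries actor attribution, confidence and an expiry, drops expired entries, matches the remaining indicators against constructed DNS, proxy and EDR events, and emits actor-attributed alerts above a confidence threshold. The domains and IP ranges are RFC 2606 / RFC 5737 reserved values, and the actor labels are illustrative placeholders, not real attribution; the feed and event formats are assumptions for the example.

```python
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed threat feed for this example. Values use reserved test names and
# ranges and are NOT real indicators; the actor labels are illustrative only.
CONSTRUCTED_FEED = [
    {"type": "domain", "value": "update-portal.example.net", "actor": "APT34 (illustrative)",
     "confidence": 80, "valid_until": "2030-01-01T00:00:00Z"},
    {"type": "ipv4", "value": "198.51.100.0/24", "actor": "MuddyWater (illustrative)",
     "confidence": 60, "valid_until": "2030-01-01T00:00:00Z"},
    {"type": "sha256", "value": "0123456789abcdef" * 4, "actor": "APT33 (illustrative)",
     "confidence": 90, "valid_until": "2030-01-01T00:00:00Z"},
    {"type": "domain", "value": "old-c2.example.org", "actor": "APT35 (illustrative)",
     "confidence": 95, "valid_until": "2020-01-01T00:00:00Z"},  # expired: must be retired
    {"type": "ipv4", "value": "203.0.113.7", "actor": "CyberAv3ngers (illustrative)",
     "confidence": 30, "valid_until": "2030-01-01T00:00:00Z"},  # below alert threshold
]

# Constructed events in the shape of DNS, proxy and EDR telemetry (JSON lines).
CONSTRUCTED_EVENTS = [
    '{"src": "dns", "host": "wks-017", "query": "mail.update-portal.example.net"}',
    '{"src": "proxy", "host": "wks-042", "dst_ip": "198.51.100.77", "url": "/status"}',
    '{"src": "edr", "host": "srv-db1", "sha256": "' + "0123456789abcdef" * 4 + '"}',
    '{"src": "dns", "host": "wks-017", "query": "old-c2.example.org"}',
    '{"src": "proxy", "host": "wks-009", "dst_ip": "203.0.113.7", "url": "/"}',
    '{"src": "dns", "host": "wks-009", "query": "www.example.com"}',
]


@dataclass(frozen=True)
class Indicator:
    ioc_type: str   # "domain", "ipv4" (address or CIDR) or "sha256"
    value: str
    actor: str
    confidence: int


def load_feed(feed, now=None):
    """Parse feed entries and retire anything past its valid_until.
    Stale IoCs are a common false-positive source once infrastructure is re-used."""
    now = now or datetime.now(timezone.utc)
    live = []
    for entry in feed:
        expires = datetime.fromisoformat(entry["valid_until"].replace("Z", "+00:00"))
        if expires <= now:
            continue
        live.append(Indicator(entry["type"], entry["value"].lower(),
                              entry["actor"], int(entry["confidence"])))
    return live


def _domain_hits(domain, ind):
    # The indicator domain itself or any subdomain of it counts as a hit.
    d = domain.lower().rstrip(".")
    return d == ind.value or d.endswith("." + ind.value)


def _ip_hits(ip_str, ind):
    # A bare address is treated as a /32, so one code path serves both forms.
    try:
        return ipaddress.ip_address(ip_str) in ipaddress.ip_network(ind.value, strict=False)
    except ValueError:
        return False


def match_event(event, indicators):
    """Return every live indicator the event touches, regardless of confidence."""
    hits = []
    for ind in indicators:
        if ind.ioc_type == "domain" and "query" in event and _domain_hits(event["query"], ind):
            hits.append(ind)
        elif ind.ioc_type == "ipv4" and "dst_ip" in event and _ip_hits(event["dst_ip"], ind):
            hits.append(ind)
        elif ind.ioc_type == "sha256" and event.get("sha256", "").lower() == ind.value:
            hits.append(ind)
    return hits


def detect(event_lines, feed, now=None, min_confidence=50):
    """Run each event through the live indicator set; emit actor-attributed alerts."""
    indicators = load_feed(feed, now)
    alerts = []
    for line in event_lines:
        event = json.loads(line)
        for ind in match_event(event, indicators):
            if ind.confidence < min_confidence:
                continue  # keep low-confidence hits for hunting, not paging
            alerts.append({"host": event["host"], "source": event["src"],
                           "indicator": ind.value, "type": ind.ioc_type,
                           "actor": ind.actor, "confidence": ind.confidence})
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_EVENTS, CONSTRUCTED_FEED):
        print(json.dumps(alert))
```

Run as written it prints three alerts (the subdomain of the listed domain, the address inside the listed /24, and the matching file hash); the expired domain and the low-confidence address produce nothing. Lowering `min_confidence` surfaces the 203.0.113.7 hit for hunting, while the expired entry never matches because it was retired at load time rather than at match time.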

What is Anomali doing for customers?

Anomali released an Iran Cyber Activity dashboard to help customers do this. Coupled with Anomali’s Copilot AI suite, the Anomali Security Operations platform establishes the critical bonding of the latest relevant threat intelligence with an enterprise's security ecosystem of tooling, allowing security operations to maintain a strong defense and resilience.
