Iran Cyber Attack
The government of Iran is an enthusiastic user of cyberattacks against the country’s strategic rivals. The tempo and breadth of these attacks may well increase in the future.

The government of Iran continues to target rivals with cyberattacks, according to a recent presentation at the EW Europe conference and exhibition.

Dr. Justin Pelletier is the director of the Global Cyber Security Institute Range and Training Centre at Rochester Institute of Technology, New York. Iranian cyberattacks were the subject of his presentation given during the Association of Old Crows’ EW Europe conference and exhibition. The event was held in Liverpool, northwest England between 12th and 13th October.

Dr. Pelletier examined the indicators and impacts of Iranian cyberattacks. He kicked off by stating that the direct, unequivocal attribution of cyberattacks to the Iranian government can be a “sticky wicket”. Understandably, that government works hard to cover its tracks and conceal Iranian involvement in cyber warfare.

The aerospace, defence, energy and petrochemical industries are among targets favoured by Iranian cyber warriors, Dr. Pelletier said. These have probably concentrated on targets in the United States and Saudi Arabia. Both the US and Saudi Arabia are strategic rivals of the Iranian government. Dr. Pelletier added that cyberattacks may have emanated from Iran against targets in the Republic of Korea (ROK).

Armada believes that attacks against ROK targets may have been performed on behalf of, or in support of, the Democratic People’s Republic of Korea (DPRK). Iran and the DPRK share close relations. For example Iranian experts may have assisted the DPRK’s intercontinental ballistic missile programme, according to reports.

Threat Groups

Dr. Pelletier revealed that the Iranian government’s modus operandi for cyberattacks is to employ several so-called ‘threat groups’. This is fairly typical of any government’s cyber activities. Open source intelligence published by the MITRE Corporation details the activities of these groups. APT-33 is one suspected Iranian threat group believed to have been active since 2013. APT-33 has also been described with the appellations Holmium and Elfin. Dr. Pelletier stated that the group is responsible for targeting aerospace, defence, energy and petrochemical sectors in the US, Saudi Arabia and ROK. Cyberattack techniques employed by APT-33 include spear phishing, droppers, wipers and back door attacks.

Spear phishing targets a specific person or organisation to steal sensitive information via email. Dropper attacks deliver and install malware. Wipers are classes of malware wiping computer hard drives. Back door attacks exploit weakly defended parts of a computer, network or software application to gain access.

Other favoured techniques include botnet tool kits. Dr. Pelletier mentioned the Itsoknoproblem botnet. This may have exploited vulnerabilities in the WordPress and Joomla content management systems. Iranian cyber warriors may have also used techniques like Google Dorking. This uses Google applications to find vulnerabilities in the code used by websites hosted by the search engine.

APT-34, also known as Oil Rig, Cobalt Gypsy and Helix Kitten, has been involved in defacing websites of the above industries, and those involved in finance and telecommunications. It may have also been responsible for attacking the websites of governments deemed hostile to Iran. APT-34 is thought to have been active since 2014.

Also active since 2014, APT-35 is believed to collect strategic intelligence for the Iranian government. Targets include the media, defence, energy and telecommunications sectors in the US and Middle East. Dr. Pelletier stated that APT-35 may use its resources to attack internal online criticism of the Iranian regime. Likewise, APT-39 (a.k.a Remix Kitten, ITGO7 and Chafer) performs cyber espionage. It is thought to work on behalf of Iran’s Ministry of Intelligence and Security (MOIS). MOIS is believed to collect foreign intelligence, but may also work internally, according to open sources. Mitre’s information states that APT-39 performs some of its activities through a front company called Rana Intelligence Computing. Other Iranian cyber warfare front companies include MERSAD and ITSec. Like APT-34, APT-39 is thought to have been active since 2014.

That Iranian cyber activities gained momentum from the start of last decade is unsurprising. The years 2009 to 2010 witnessed large protests against the electoral victory of President Mahmoud Ahmadinejad. Internal allegations of electoral fraud greeted Mr. Ahmadinejad’s win. Doubts were expressed over the veracity of his victory by governments in North America and the European Union.

Other threat groups cited by Dr. Pelletier included Copy Kitten/Slayer Kitten. This was believed to have targeted aerospace, defence and petrochemical industries in Germany, Israel and Turkey. Academia and research organisations are believed to have been targeted by the Silent Librarian/Cobalt Dickens threat groups.

Other favoured targets for suspected Iranian cyberattacks have included groups opposing the regime of Syria’s President Bashir al-Assad. Open sources note that the Iranian government has provided important materiél and political support to Mr. Assad during the long-running Syrian civil war.

Evolution

Over the long term, Dr. Pelletier expects Iranian cyberattacks to continue against targets in the US, Europe, Saudi Arabia and allied countries. Targets are likely to remain the same, along with further attacks against Critical National Infrastructure (CNI).

Dr. Pelletier highlighted a 2013 cyberattack against the Bowman Avenue Dam, New York State, blamed on Iranian cyber warriors. He continued that attacks will likely be performed by Iranian proxies. These could include the Basij volunteer paramilitary organisation. Although probably part of Iran’s Revolutionary Guard Corps, using the Basij would help create an illusion of plausible deniability. Meanwhile, the Iranian government is expected to strengthen its own National Passive Defence Organisation (NPDO). The NPDO, formed in 2003, performs internal cyber protection and protection of Iranian CNI. Future tactics could include repurposed criminal malware along with more ‘homebrewed’ cyberattack tools, Dr. Pelletier notes.

by Dr. Thomas Withington