Iran seems to have been sitting by the sidelines during much of the Israeli-Hamas war, but... have they really?

Sources show more than 40 cyber groups, including government-sponsored IRGC units, hacktivists, and volunteers, positioned to wage cyber war if and when Iran chooses. Here's why we believe this:

-        “The cyber targeting of American interests and critical infrastructure that we already see conducted by Iran and non-state actors alike we can expect to get worse if the conflict expands, as will the threat of kinetic attacks,” FBI Director Christopher Wray testified to the Senate Homeland Security and Governmental Affairs Committee.

-        Iran's Foreign Minister Hossein Amirabdollahian warned of "harsh consequences" if attacks on the Gaza Strip continue: "If an immediate ceasefire doesn't take place in Gaza Strip and the rapid attacks by U.S. and Zionist Regime continue then the consequences would be harsh." The statement does not mention cyber specifically, but the warning of harsh consequences is clear, and cyber operations are a likely component.

-        The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment states that Iran remains a major cyber threat: “Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied networks and data.”

-        Officially, the Iranian government does not endorse or admit involvement in cyber-attacks against the U.S. Nevertheless, Iran has repeatedly been accused of sponsoring or conducting cyber operations against U.S. targets, typically during periods of geopolitical tension.

In light of the ongoing conflict involving Israel, Hamas, Hezbollah, and Yemen's Houthis, coupled with Iranian proxy attacks on U.S. forces in the Middle East (numbering over 50 currently), along with the inflammatory rhetoric from Iran, the Trusted Internet Threat Intelligence Team conducted a comprehensive analysis of Iranian Advanced Persistent Threat Groups and other possible Iranian cyber threats supporting Hamas.

Iran has been linked to various state-sponsored hacking groups that engage in cyber espionage, cyber warfare, and cybercrime activities. These groups are believed to operate with the support or direction of the Iranian government.

Some notable Iranian state-sponsored hacking groups include:

1.     APT33 (Elfin / Refined Kitten): APT33 is associated with Iran and is known for targeting aerospace, energy, and financial sectors. The group has been involved in cyber espionage activities, particularly against organizations in the United States, the Middle East, and Asia.

2.     APT34 (OilRig / Helix Kitten): APT34 is believed to be linked to the Iranian government and has targeted a wide range of sectors, including energy, telecommunications, and financial services. The group is known for using social engineering techniques and phishing campaigns to compromise its targets.

3.     APT35 (Charming Kitten): APT35 is another Iranian state-sponsored hacking group that has been active in cyber espionage. It has targeted political dissidents, journalists, and organizations in the Middle East and the United States. APT35 is known for using spear-phishing techniques.

4.     APT39 (Chafer): APT39 focuses on targeting the telecommunications and travel industries. The group is known for conducting cyber espionage to gather intelligence on individuals and organizations in the Middle East. APT39 has been linked to the Iranian government.

A note on APT40: it is sometimes listed alongside these groups under the name "OilRig", but OilRig is an alias of APT34 (above), and Mandiant attributes APT40 to China, not Iran. Its maritime- and energy-sector espionage and spear-phishing tradecraft should therefore not be counted as Iranian activity.

It's important to note that attributing cyber activities to specific groups or nations can be challenging, and the information available is often based on analysis by cybersecurity researchers and government agencies. Additionally, threat actors may evolve, and new groups may emerge. Cybersecurity experts worldwide continuously monitor and analyze these groups' tactics, techniques, and procedures to enhance defense mechanisms and attribution capabilities.

Big thanks to @cyb3rops and the entire team of contributors for the Google Docs spreadsheet mentioned below. Their exceptional work goes beyond listing Iranian threat groups to include identified threat groups from various countries (check out the individual tabs at the bottom of the spreadsheet). This compilation is a valuable resource for any threat hunter.
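Alias confusion is exactly how a group ends up under the wrong APT number, so it is worth resolving every vendor name to one canonical record before building a watchlist. The script below is an added example written for this post, not code from Trusted Internet, Microsoft, or the spreadsheet's contributors. The MAPPING list is constructed sample data shaped like the MicrosoftMapping.json feed referenced below; the field names ("Origin", "Tag", "Previous name", "Other names") are assumed from that feed, and the entries are illustrative rather than a copy of it, so verify them against the live feed before relying on them.

```python
"""Resolve threat-actor aliases across vendor naming schemes.

Added example, not code from the original post. MAPPING is constructed sample
data shaped like Microsoft's public MicrosoftMapping.json feed; the field names
are assumed from that feed and the entries are illustrative, not a copy of it.
"""
import re

MAPPING = [
    {"Origin": "Iran", "Tag": "Peach Sandstorm", "Previous name": "HOLMIUM",
     "Other names": ["APT33", "Elfin", "Refined Kitten"]},
    {"Origin": "Iran", "Tag": "Hazel Sandstorm", "Previous name": "EUROPIUM",
     "Other names": ["APT34", "OilRig", "Helix Kitten"]},
    {"Origin": "Iran", "Tag": "Mint Sandstorm", "Previous name": "PHOSPHORUS",
     "Other names": ["APT35", "Charming Kitten"]},
    {"Origin": "China", "Tag": "Gingham Typhoon", "Previous name": "GADOLINIUM",
     "Other names": ["APT40", "Leviathan", "TEMP.Periscope"]},
]


def normalize(name):
    """Collapse case, spaces and punctuation so 'HelixKitten', 'helix kitten'
    and 'Helix-Kitten' all key the same record."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def build_index(mapping):
    """Map every normalized alias to its record.

    Raises ValueError if one alias appears under two different records, which
    is the kind of mistake (one alias listed under two APT numbers) that creeps
    into hand-written group lists.
    """
    index = {}
    for record in mapping:
        names = [record["Tag"], record.get("Previous name", "")]
        names += record.get("Other names", [])
        for name in names:
            if not name:
                continue
            key = normalize(name)
            if key in index and index[key] is not record:
                raise ValueError(
                    f"alias {name!r} claimed by both "
                    f"{index[key]['Tag']!r} and {record['Tag']!r}"
                )
            index[key] = record
    return index


def resolve(name, index):
    """Return the canonical record for any alias, or None if unknown."""
    return index.get(normalize(name))


def check_origin(names, expected_origin, index):
    """Return (name, actual_origin) for every name that is unknown (origin None)
    or whose feed origin differs from expected_origin; empty list means clean."""
    problems = []
    for name in names:
        record = resolve(name, index)
        if record is None:
            problems.append((name, None))
        elif record["Origin"] != expected_origin:
            problems.append((name, record["Origin"]))
    return problems


if __name__ == "__main__":
    idx = build_index(MAPPING)
    print(resolve("HelixKitten", idx)["Tag"])
    # Check a watchlist of supposedly Iranian groups against the sample feed.
    print(check_origin(["APT33", "OilRig", "Charming Kitten", "APT40"], "Iran", idx))
```

Run against the sample data, the origin check flags APT40 as China and would flag a second record that claimed "OilRig" as a duplicate alias at index-build time. Swap MAPPING for the parsed feed (json.load on the downloaded file) to run the same checks against the real naming data.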

As we head into the holiday season, we anticipate the usual seasonal spike in attack volume and variety, and we should also expect war-related activity to hide in that seasonal noise.

Conclusion:

Despite the U.S. responding to attacks by Iranian proxy groups in the Middle East, Iran appears undeterred. This lack of deterrence extends to their Advanced Persistent Threat (APT) groups. As the conflict escalates, the focus is likely to widen from Israel to also include the U.S., indicating a broadening scope of the conflict.

Trusted Internet Intelligence and 24/7 Security Operations Center (SOC) teams monitor these activities closely, actively tracking ongoing cyber threats and swiftly executing necessary remedies to halt any potential threats, staying one step ahead. Additionally, we have increased the number of seasoned Virtual Chief Information Security Officers and Threat Intelligence personnel and created a new Executive Cyber Security Support team for additional capacity for call-in assistance.

For more information, please contact Trusted Internet at staysafeonline@trustedinternet.io.

References:

hxxps://github.com/microsoft/mstic/blob/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json

hxxps://www.mei.edu/publications/iranian-apts-overview

hxxps://blog.scadafence.com/rise-of-iran-sponsored-threat-actors

hxxps://www.mandiant.com/resources/insights/apt-groups

hxxps://thehackernews.com/2023/09/iranian-apt-group-oilrig-using-new.html

hxxps://www.forbes.com/sites/emilsayegh/2023/03/28/inside-the-shadowy-world-of-iranian-cyber-espionage-group-apt33/?sh=61d433c775df

hxxps://assets.sentinelone.com/sentinellabs/evol-agrius

hxxps://www.bitdefender.com/blog/hotforsecurity/microsoft-disrupts-bohrium-spear-phishing-ring-by-seizing-41-domains/

hxxps://www.darkreading.com/dr-global/iranian-company--host-ransomware-apt-groups

hxxps://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=376438690

hxxps://www.politico.com/news/2023/11/01/us-officials-iranian-cyberattacks-00124847

hxxps://www.reuters.com/world/middle-east/iran-warns-harsh-consequences-if-gaza-attacks-continue-2023-11-01/

hxxps://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran