Incoming Cyber Attacks From Iran: Top 4 State Sponsored Threat Groups & Tactics to Prepare for

Understanding Iranian state-backed cyber actors, hacktivist activity, espionage campaigns and ransomware risks

Military action in Iran has increased the potential for cyberattacks from Iranian-sponsored actors, hacktivists, and criminal groups aligned with Iran. We’ve put together this brief on the types of attacks Iran has executed or sponsored in the past to provide a starting roadmap, based on their cyberattacks during similar times of conflict.

While the line between hacktivist and state-sponsored threat actors can be blurry, Iran is a formidable adversary hosting several prominent threat actors. Iran’s geopolitical objectives range from disruptive and destructive attacks to cyber espionage and financially motivated cyberattacks in collaboration with ransomware actors. We maintain adversary playbooks on multiple Iranian threat actors. Among the more proficient state-sponsored threat groups are:

  • Charming Kitten (APT35, Phosphorus): a sophisticated adversary known for extensive spear-phishing campaigns against US political entities, military, and commercial facilities. The group also carries out cyber espionage to assist Iran in its geopolitical goals.
  • APT33 (Elfin): known for impactful attacks on US and other western critical infrastructure, typically in the energy and aviation sectors. APT33 uses spear-phishing in combination with malicious attachments and also leverages password spraying to prey on accounts with weak authentication. They have been known to leverage zero-day vulnerabilities in several different IT products.
  • MuddyWater (APT37, Seedworm): targets a broad range of sectors including government, defense, energy, telecommunications, and finance, primarily in the Middle East, Asia, Africa, Europe, and North America. They develop custom malware to assist in their operations, and typically leverage publicly known vulnerabilities and open-source tools to gain initial access and maintain persistence.
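Password spraying, as described for APT33 above, is distinguishable in authentication logs from ordinary brute force: one source tries a few passwords against many accounts rather than many passwords against one account. The following is an added detection example, not code from the original brief or from any of the groups or vendors it names; the log format and the sample lines (using documentation IP ranges) are constructed for illustration, and the thresholds are assumptions to be tuned against your own baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Format assumed here: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-06-01T08:00:01 FAIL user=alice src=203.0.113.7
2024-06-01T08:00:09 FAIL user=bob src=203.0.113.7
2024-06-01T08:00:17 FAIL user=carol src=203.0.113.7
2024-06-01T08:00:25 FAIL user=dave src=203.0.113.7
2024-06-01T08:00:33 FAIL user=erin src=203.0.113.7
2024-06-01T08:00:41 FAIL user=frank src=203.0.113.7
2024-06-01T08:01:00 OK user=alice src=192.0.2.10
2024-06-01T08:01:05 FAIL user=bob src=192.0.2.10
2024-06-01T08:01:30 FAIL user=carol src=192.0.2.10
2024-06-01T08:02:00 FAIL user=dave src=198.51.100.23
2024-06-01T08:02:02 FAIL user=dave src=198.51.100.23
2024-06-01T08:02:04 FAIL user=dave src=198.51.100.23
2024-06-01T08:02:06 FAIL user=dave src=198.51.100.23
2024-06-01T08:02:08 FAIL user=dave src=198.51.100.23
2024-06-01T08:02:10 FAIL user=dave src=198.51.100.23
"""


def parse_line(line):
    """Parse one log line of the constructed format into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Flag sources whose failed logins touch many distinct accounts with few
    attempts each inside a sliding time window (the spraying signature).
    Returns {src_ip: summary} for each flagged source. Thresholds are assumed
    defaults, not values from the original brief."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] == "FAIL":
            failures[ev["src"]].append(ev)

    alerts = {}
    for src, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start so events[start:end+1] spans <= window.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in events[start:end + 1])
            # Many accounts, each hit only a few times: spray, not brute force.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                candidate = {
                    "distinct_users": len(per_user),
                    "attempts": sum(per_user.values()),
                    "first": events[start]["ts"].isoformat(),
                    "last": events[end]["ts"].isoformat(),
                }
                # Keep the widest-spread window seen for this source.
                if src not in alerts or candidate["distinct_users"] > alerts[src]["distinct_users"]:
                    alerts[src] = candidate
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {info}")
```

In the sample, 203.0.113.7 is flagged (six accounts, one failure each, within a minute), while 198.51.100.23 is not, because six failures against a single account is a brute-force pattern that a per-account lockout policy already addresses; a real deployment would feed this the authentication events from its identity provider or VPN and pair the alert with MFA enforcement on the targeted accounts.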

As noted above, the line between hacktivist groups and state-sponsored actors can be blurry, as many Iranian hacktivist groups are believed to have direct or indirect ties to the Islamic Revolutionary Guard Corps (IRGC) or other government entities. Iranian hacktivists are increasingly sophisticated and their activity often overlaps strategically with state-sponsored objectives. They leverage a variety of tactics, including the exploitation of vulnerable systems, targeted spear-phishing, and data collection, and they are known to compromise OT environments and carry out disruptive and destructive attacks against networks.

For example, Cyber Av3engers (Sandcat / IRGC-affiliated actors) has emerged as a significant threat to industrial control systems and operational technology environments. It tends to focus on ICS/SCADA-facing devices exposed to the internet, often exploiting default credentials and known vulnerabilities in industrial equipment. In addition, Pioneer Kitten has been implicated in attacks against the healthcare sector. They have also targeted the U.S. satellite and defense industries.

Iranian hacktivists have historically targeted the US as a result of geopolitical conflicts. These attacks are seen across industries in the U.S., Israel and other western nations. While past performance is not an indicator of future behavior, and we have not yet seen indications of increased targeting by Iranian actors, organizations are encouraged to review their security posture and ensure that they are prepared for potential attacks from Iranian-sponsored and aligned actors.

Scott C. Algeier is the Founder, President, and CEO of cybersecurity consulting firm Conrad, Inc., Executive Director of the Information Technology – Information Sharing and Analysis Center (IT-ISAC), and Executive Director of the Food and Agriculture – Information Sharing and Analysis Center. He has spent the past twenty years at the intersection of cybersecurity policy and operations. Previously, Scott was Manager for Homeland Security at the U.S. Chamber of Commerce, where he coordinated the U.S. Chamber’s critical infrastructure protection, cybersecurity, and disaster management public policy initiatives. Scott earned his Master’s degree in International Relations and European Studies from the University of Kent (England) and is an honors graduate of Gettysburg College.
