Introduction
Cyber security experts have identified eight different groups attributed to the Islamic Republic of Iran. These actors are identified forensically by common tactics, techniques, and procedures, as well as similarities in their code and the industries that they target; this attribution is not based on human intelligence inside the Iranian government. Chinese Advanced Persistent Threat (APT) actors are commonly known as “Pandas,” Russian APTs as “Bears,” and Iranian APTs as “Kittens” (yes, really).
This page is maintained by MEI's Strategic Technologies & Cyber Security Program.
“Due to the obfuscation techniques, and government control over the Iranian media and internet, we don’t have insight into which APT is Ministry of Intelligence vs. IRGC. What we can do is track their tools like malware, efforts like spear-phishing and brute-forcing, and maintain awareness to increase protection.”
Iranian APTs
APT 33
Also known as Elfin, Refined Kitten
First active: 2013
Last observed: 2019
Malware
- SHAPESHIFT
- DROPSHOT/Stonedrill
- TURNEDUP
- NANOCORE
- ALFA Shell
- NETWIRE
Initial attack vector
- Spearphishing
- Recruitment-themed
- Fake job descriptions & websites
- Malicious .hta (HTML Application) files
- Other tools & methods
- Brute-force attacks
- Password spraying
- Port 443
- Mimikatz
- FTP exfiltration
- Command and control (C&C/C2)
- Domain masquerading
- Common Vulnerabilities and Exposures (CVEs)
Additional Information
- Goal: Strategic espionage
- Countries targeted:
- U.S.
- Saudi Arabia
- South Korea
- Industries targeted:
- Aviation (civilian & military)
- Energy
- Petrochemical
- Further reading:
APT 34
Also known as OilRig, Helix Kitten, GreenBug, IRN2
First active: 2014
Last observed: 2021
Malware
- ZEROCLEARE
- DNSPIONAGE
- PICKPOCKET
- VALUEVAULT
- LONGWATCH
Initial attack vector
- Social Engineering, Social Media Phishing, Spearphishing
- Academia-themed conversations
- Malicious document (.doc) delivery
- Using LinkedIn messaging to send malicious links
- Use of various social media platforms for the above
- Other tools & methods
- DNS tunneling
- PowerShell
- HTTP GET and POST requests
- SSH tunnel for remote RDP access
- Mimikatz
- Microsoft Office vulnerability abuse
- Steganography
- DNS-over-HTTPS
- Common Vulnerabilities and Exposures (CVEs)
- CVE-2017-11882
- CVE-2017-0199
- CVE-2017-11774
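DNS tunneling, listed above for APT 34, hides command-and-control traffic or exfiltrated data in the subdomain labels of queries to an attacker-controlled zone: each query carries a short encoded payload, and the responses (often TXT records) carry the return channel. The following script is an added example, not code from MEI or from any report on APT 34. It scores constructed DNS query log lines (the timestamps, client addresses and domains are invented) on the traits that make tunneled traffic stand out from ordinary lookups. The two-label registered-domain split and the thresholds are simplifying assumptions; a real deployment would consult the Public Suffix List and tune thresholds against its own baseline.

```python
"""Flag DNS query patterns consistent with DNS tunneling (added example).

Per registered domain the script measures: how many of the queries use a
never-seen-before subdomain, how long the subdomain part is, how random its
characters look (Shannon entropy), and how often TXT records are requested.
"""
import math
from collections import defaultdict

# Constructed sample lines (not real traffic): "timestamp client qtype qname".
# example.com sees ordinary repeated lookups; example.org receives one-shot
# TXT queries whose 32-hex-character labels look like encoded payload chunks.
SAMPLE_DNS_LOG = """\
2019-01-15T12:00:00 10.0.0.5 A www.example.com
2019-01-15T12:00:01 10.0.0.5 A mail.example.com
2019-01-15T12:00:02 10.0.0.6 A www.example.com
2019-01-15T12:00:03 10.0.0.6 AAAA www.example.com
2019-01-15T12:00:04 10.0.0.5 A login.example.com
2019-01-15T12:00:05 10.0.0.7 TXT 6a7f3e9b2c1d4a5e8f0b3c7d9e1f2a4b.t1.example.org
2019-01-15T12:00:06 10.0.0.7 TXT 9c2d4e6f8a0b1c3d5e7f9a1b3c5d7e9f.t2.example.org
2019-01-15T12:00:07 10.0.0.7 TXT 1b3d5f7a9c0e2f4a6b8d0c2e4f6a8b0d.t3.example.org
2019-01-15T12:00:08 10.0.0.7 TXT 4e6f8a0b2c4d6e8f0a2b4c6d8e0f2a4c.t4.example.org
2019-01-15T12:00:09 10.0.0.7 TXT 7a9b1c3d5e7f9a1b3c5d7e9f1a3b5c7e.t5.example.org
2019-01-15T12:00:10 10.0.0.7 TXT 0c2e4a6c8e0a2c4e6a8c0e2a4c6e8a0c.t6.example.org
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain). Assumes a two-label registered
    domain; a real deployment would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def domain_stats(log_text):
    """Aggregate per-domain tunneling indicators from the constructed log format."""
    raw = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                               "sub_len": 0, "entropy": 0.0, "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = line.split()
        sub, dom = split_name(qname)
        s = raw[dom]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if qtype == "TXT":
            s["txt"] += 1
    result = {}
    for dom, s in raw.items():
        q = s["queries"]
        result[dom] = {
            "queries": q,
            "unique_subdomains": len(s["subdomains"]),
            "unique_ratio": len(s["subdomains"]) / q,   # 1.0 = every query unique
            "avg_subdomain_len": s["sub_len"] / q,
            "avg_entropy": s["entropy"] / q,
            "txt_ratio": s["txt"] / q,
        }
    return result


def flag_tunneling(stats, min_queries=5, min_indicators=2):
    """Flag domains with enough queries to judge and >= min_indicators of the
    four tunneling traits (thresholds are assumed, not taken from any report)."""
    flagged = []
    for dom, m in stats.items():
        if m["queries"] < min_queries:
            continue
        indicators = [
            m["unique_ratio"] >= 0.8,        # almost no repeated lookups
            m["avg_subdomain_len"] >= 30,    # long labels carrying payload
            m["avg_entropy"] >= 3.5,         # random-looking characters
            m["txt_ratio"] >= 0.5,           # TXT used as the return channel
        ]
        if sum(indicators) >= min_indicators:
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    stats = domain_stats(SAMPLE_DNS_LOG)
    for dom in flag_tunneling(stats):
        print(f"possible DNS tunnel: {dom} {stats[dom]}")
```

Requiring two independent indicators keeps a single legitimate pattern (a CDN with many unique hostnames, or a mail server issuing TXT lookups for SPF) from tripping the rule by itself. Note that APT 34 is also listed above as using DNS-over-HTTPS, which removes this traffic from a resolver's logs entirely; the corresponding control there is blocking or proxying DoH endpoints rather than inspecting queries.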
Additional information
- Goal: Strategic/cyber espionage
- Countries targeted:
- Middle East (in particular: Lebanon, UAE)
- Further reading:
APT 35
Also known as Newscaster, Rocket Kitten, Phosphorus, Charming Kitten, Saffron Rose
First active: 2014
Last observed: 2022
Ransomware use
- Momento
- BitLocker
Malware
- PowerLess
- HAVIJ
Initial attack vector
- Social Engineering, Social Media Phishing, Spearphishing
- Password Recovery Impersonation
- SMS Spearphishing
- Use of various social media platforms for the above
- Other tools & methods:
- Two-Factor Authentication Defeat
- Keylogging
- Mimikatz
- Microsoft Office vulnerability abuse
- IP logging
- Ransomware
Additional information
- Goal: Strategic espionage
- Countries targeted:
- U.S.
- Saudi Arabia
- Other Middle Eastern countries
- Industries/groups targeted:
- Military
- Government
- Media
- Energy
- Defense Industrial Base
- Engineering
- Telecommunications
- Dissidents
- Further reading:
APT 39
Also known as Chafer, Remix Kitten
First active: 2014
Last observed: 2020
Malware
- BITS 1.0 and 2.0
- VBS
- AutoIt
- SEAWEED
- CACHEMONEY
- POWBAT
Initial attack vector
- Spearphishing
- Malicious attachments
- Malicious URLs leading to POWBAT infection
- Use of various social media platforms for the above
- Other tools & methods:
- Operates through the front company Rana Intelligence Computing Company
- Vulnerable web servers
- Custom backdoors
- Mimikatz
- SQL injections
- RDP, SSH, data compression before exfiltration
Additional information
- Goal: Theft of personal information to support Iranian priorities such as monitoring and tracking of individuals/dissidents
- Countries targeted:
- Middle East & Persian Gulf
- Spain
- U.S.
- Australia
- Industries targeted:
- Telecommunications
- Travel industries
- Further reading
- https://www.securityweek.com/us-imposes-sanctions-apt39-iranian-hackers
- https://blogs.infoblox.com/cyber-threat-intelligence/apt39-malicious-activity-and-tools/
- https://attack.mitre.org/groups/G0087/
- https://securityaffairs.co/wordpress/80450/apt/iran-apt39-cyberespionage.html
- https://malpedia.caad.fkie.fraunhofer.de/actor/apt39
APT 42
Also known as Crooked Charms, TA453
First active: 2011
Last observed: 2022
Malware
- VINETHORN
- PINEFLOWER
- BROKEYOLK
Initial attack vector
- Highly targeted spearphishing, social engineering, election meddling
- TAMECAT PowerShell backdoor
- Malicious document (.doc) delivery
- Via Google Drive links
- Google Books links
- Credential harvesting
- Other tools & methods:
- Google Takeout
- False registration and login pages
- Keylogging
- Cookie stealing
- Notable overlap with APT35 TTPs
Additional information
- Goal: Strategic espionage, surveillance
- Countries targeted:
- France
- U.S.
- Australia
- Middle East in general
- Industries targeted:
- Healthcare
- Media
- Education
- Civil society
- Further reading
Rampant Kitten
First active: 2014
Last observed: 2020
Malware
- Information stealing variants, primarily targeting KeePass and Telegram accounts of intended victims
- Dharma ransomware
Initial attack vector
- Employ information stealers to target credentials, personal documents, SMS, and Telegram messages
- An Android backdoor that extracts two-factor authentication codes from SMS messages
- Phishing pages masquerading as distributors of fake accounts
- Bypassing two- and multi-factor authentication
- Other tools/methods: VPN exploitation
- CVEs
- CVE-2019-11510
- CVE-2019-19781
- CVE-2020-5902
Additional information
- Goals:
- Espionage
- Target and expose/dox dissidents/Iranian minorities
- Financial gain
- Countries targeted:
- Russia
- Japan
- China
- India
- Israel
- North America
- Industries targeted:
- Government
- Technology
- Defense
- Further reading:
Pioneer Kitten
Also known as Fox Kitten, PARISITE, UNC757
First active: 2017
Last observed: 2020
Initial attack vector
- Exploits unpatched vulnerabilities
- Webshells
- SSH Tunneling
- VPN Exploitation
- Other tools/methods: Sells access to compromised systems and networks
- CVEs
- CVE-2018-13379
- CVE-2019-11510
- CVE-2019-19781
- CVE-2020-5902
Additional information
- Goals:
- Espionage
- Financial gain
- Countries targeted:
- Israel
- North America
- Middle East
- Industries targeted:
- Healthcare
- Government
- Technology
- Defense
- Further reading:
Static Kitten
Also known as MuddyWater, Seedworm
First active: 2017
Last observed: 2021
Malware
- POWERSTATS PowerShell trojan
- PowGoop
Initial attack vector
- Spearphishing
- Malicious document and file (.doc, .zip) delivery
- Malicious use of common open-source tools
- Other tools/methods: PowerShell scripts, ScreenConnect, RemoteUtilities, custom backdoors, lateral movement within networks
- CVEs
Additional information
- Goals:
- Espionage
- Data and document theft and exfiltration
- Regions/countries targeted:
- Israel
- Middle East
- Industries targeted:
- Government
- Tourism
- Telecom
- Further reading: