Capturing Recent Activities and Attack Trends of Iranian Hackers

Iranian threat actors are known for their ability to disrupt critical infrastructure, target government organizations, and compromise large corporate networks. The primary purposes of their attacks are to cause damage, steal information, perform cyberespionage, and hit targets with ransomware.

According to Bloomberg, hackers from this country refined their techniques in 2019 to become effective at attacks that can yield more than just financial benefits.

What’s the latest update?

  • In April 2020, the infamous OilRig group, aka APT34, revealed a revised version of a backdoor tool called RDAT that uses email as a C2 channel, hiding data and commands inside images sent as attachments.
  • In May 2020, the group also added a new tool called DNSExfiltrator to its hacking arsenal. With this, the group became the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks.

What does this indicate?

The incorporation of new tools and malware indicates that enterprises need to consider the ever-changing threat landscape as hackers adjust and reconfigure to create threats that will better penetrate and disrupt IT environments.

Other observed attack trends

  • In mid-August, the FBI issued a security alert about the Fox Kitten threat actor group targeting vulnerable F5 network devices. With this, the group aimed at launching attacks against U.S. private and government organizations.
  • Starting July 2020, Charming Kitten made a comeback with a new cyberespionage campaign that impersonated Persian-speaking journalists via WhatsApp and LinkedIn. The targets of the campaign were Israeli scholars from Haifa and Tel Aviv Universities and U.S. government employees.
  • In June, a group of low-skilled hackers operating out of Iran launched attacks against companies in Asia with a version of the Dharma ransomware. According to a Group-IB report, the group used publicly available hacking tools to target companies in Russia, Japan, China, and India.

What else?

Apart from launching attacks, the Fox Kitten group has also been spotted selling access to compromised corporate networks on an underground hacking forum since at least July 2020. CrowdStrike highlights that the group is merely trying to build a new channel for generating revenue and to monetize networks that have no intelligence value for Iranian intelligence services.

Final words

Gone are the days when cyber threats were merely an IT issue. The scale and motives of cyberattacks showcased by Iranian hackers have undergone such a major transformation that they can put organizations - of all types and sizes - at risk without advance warning. With these actors' cyber capabilities growing bigger and stronger over time, IT teams cannot stand alone; cybersecurity requires an organization-wide commitment.