Iran’s government-affiliated hacking groups are among the most prolific in the world. While not considered the most sophisticated attackers, they are still a formidable foe for enemies in the Middle East, Europe, and North America.

Backed by the despotic regime

Intelligence indicates many of Iran’s hacker divisions are part of the Islamic Revolutionary Guard Corps (IRGC). The IRGC is responsible for quelling internal political strife and has an unsavory reputation for violently suppressing protests against the current regime[1]. The Corps initially introduced hacker groups to spy on citizen dissidents, but their responsibilities soon grew. Today, they still perform domestic monitoring activities but also engage in global cybercrime efforts, including international espionage and ransomware deployment.

Subfactions galore

Most state-sanctioned hacking enterprises form subgroups within the overarching military or political hierarchy. Iran is no different, employing at least half a dozen Advanced Persistent Threat (APT) groups. Analysts believe some APTs are independent entities with sworn allegiance to Ali Khamenei, the Supreme Leader, while the state directly operates other units.

Known APTs

Fox Kitten

Fox Kitten, aka Pioneer Kitten, aka Parisite, is a well-known APT thought to be under government contract rather than explicit control.  Actors associated with the group recently put hacked corporate intelligence data for sale on the dark web[2]. This suggests Iran isn’t officially operating Fox Kitten, as the government would likely prioritize keeping the intelligence secret over a relatively small payment.

Fox Kitten uses freely-available open-source tools to exploit vulnerabilities in Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) software. Once they gain access to a system, they utilize SSH Tunnelling procedures to encrypt communication with implanted programs and prevent detection. Thus, Fox Kitten can control infected computers remotely to steal vast amounts of sensitive data.

They typically focus on high-value targets in the tech, defense, healthcare, engineering, government, and financial sectors. The bulk of attacks is against organizations in North America and Israel, which offers another clue as to their origins.

Charming Kitten

Charming Kitten, aka Phosphorus, aka Newscaster, is an APT that has been active since 2014[3]. The group is most known for two highly-publicized events.

  • They are the group linked to United States defector Monica Witt. Witt is a former U.S. Air Force intelligence agent who renounced the United States, defected to Iran in 2013, and provided their government with classified intel[4]. She is now working with Charming Kitten to target susceptible military personnel for further espionage.
  • A hacker now understood to be affiliated with Charming Kitten was responsible for the 2017 HBO hack[5]. This was a famous incident where the script for a future’ Game of Thrones’ episode leaked, spoiling it for fans everywhere. Not exactly state secrets, but an embarrassing situation nonetheless. In a strange turn, the United States Department of Justice contends that both Witt and the HBO hacker work closely together at the moment.

Charming Kitten uses phishing techniques to impersonate trustworthy entities. They mainly target journalists, activists, academics, and government institutions with their deceptive campaigns. The hackers steal their victims’ account information while analyzing their contacts.

Rocket Kitten

Rocket Kitten (what’s with these cute codenames?), aka TEMP.Beanie, aka Timberworm, is a state-operated APT that focuses on espionage against Iran’s Middle Eastern enemies and internal opposition.  According to research by the cybersecurity firm Checkpoint, nearly 50% of its activity centers around Saudi Arabia[6].

The group favors spear phishing and social engineering to compromise their victims. They are noted to be unrelenting in their attacks once they set an objective. This means that even though their methods aren’t very advanced, their overall success rate is high. It only takes one employee off their game for a day to open up a vulnerability in a network.

Rocket Kitten’s most recognized achievement came in 2016 when they successfully hacked Telegram, the popular private messaging client[7]. Private communication is something very valuable in countries without free speech like Iran. Rocket Kitten exploited an account activation policy to gain access to over 20 million Iranian Telegram accounts. It undoubtedly led to a crackdown on anti-government speech.

Needless to say, these kittens have claws! There are even more APTs from Iran, and you can read a brief overview of them here.

2020 incidents

If you only read about the most publicized Iranian cyberattacks, you might think they’ve slowed down recently. In reality, 2020 was a banner year for them! Even if they didn’t grab the world’s attention at large, there were still plenty of interesting developments.

August 2020:

In August, the FBI released a statement claiming Fox Kitten uses known exploits to breach networks worldwide before the organizations can patch the vulnerabilities[8]. This means the hackers don’t even have to probe for unknown (or 0-day) exploits. They simply wait until cybersecurity professionals disclose weaknesses and move quickly to strike high-priority targets. According to the FBI, Iran breached two major companies in 2020 by using these methods. Unfortunately, the agency was not able to disclose the names of the organizations.

September 2020:

 The United States Department of Justice officially indicted three state-sponsored Iranian hackers for a series of attacks on American satellite companies[9]. It is uncertain which APT the alleged culprits belonged to, but they know at least one of them is a member of the IRGC. Posing as employees of the organization they wished to attack, they bombarded legitimate employees with emails and deceived them into clicking on infected attachments. Again, the U.S. government didn’t disclose any specific breached organizations but did say the hackers made off with intellectual property from multiple companies located in the U.S. and abroad.

October 2020:

In late October, Charming Kitten showed that Iran’s cyberwarfare division has a strong sense of irony (Iran-y?)  by attacking attendees of the upcoming Munich Security Conference[10]. They used fake emails and websites made to look like official communications from conference representatives to steal credentials and personal information. Many diplomats and attendees fell for the ruse and exposed their information to Iran’s government. Who needs a security conference when Iran is educating officials for free?

Data protection

It may not be something you think about daily, but it’s an undeniable fact we’re in a global war. It’s just a cyberwar rather than traditional aggression. The participants have replaced tanks and aircraft with computers and cellphones. This seemingly unending conflict plays out just beneath the surface of society. Civilians rarely notice, but those enlightened with the truth can see the consequences everywhere.

Malicious, state-sponsored actors battle against each other to steal secrets and confidential data from their enemies. In the case of Iran, their APTs don’t even use sophisticated techniques[11].

Most of their operations utilize open-source or publically-available software. They crack VPN and RDP programs with brute force password guessing. Their ransomware deployments are non-proprietary Ransomware-as-a-Service (RaaS) frameworks purchased from more competent groups.

In comparison to hackers in China or Russia, Iran is downright second-rate. Yet, they’re still thriving. This fact alone should be eye-opening to people and organizations around the world. It’s time to get serious about securing your data.

AXEL’s commitment

AXEL is dedicated to providing industry-leading data sharing and storage solutions. Our platform, AXEL Go, combines three state-of-the-art technologies to ensure your files are stored and shared securely. Utilizing blockchain technology, the InterPlanetary File System (IPFS), and encryption, you can finally have peace of mind that your files are private and safe. We have options for all types of users, whether for personal or enterprise roles. Download AXEL Go today for free. Our basic tier has 2GB of online storage and enough network fuel for thousands of typical shares. In the age of cyberwarfare, you need the best tools possible to protect yourself and your organization. Don’t settle for less.

 

 

[1] Yaghoub Fazeli, “Soleimani directly involved in suppressing Iran protests: Former IRGC General”, Al Arabiya English, Feb. 10, 2020, https://english.alarabiya.net/en/News/middle-east/2020/02/10/Soleimani-directly-involved-in-suppressing-Iran-protests-Former-IRGC-General

[2] Catalin Cimpanu, “Iranian hackers are selling access to compromised companies on an underground forum”, ZDNet, Sept. 1, 2020, https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum/

[3] “Charming Kitten”, Mitre, Jan. 16, 2018 , https://attack.mitre.org/groups/G0058/

[4] “Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged with a Cyber Campaign Targeting Her Former Colleagues”, The United States Department of Justice, Feb. 13, 2019, https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber

[5] Daniel Victor and Sheera Frenkel,  “Iranian Hacker Charged in HBO Hacking That Included ‘Game of Thrones’ Script”, The New York Times, Nov. 21, 2017, https://www.nytimes.com/2017/11/21/business/hbo-hack-charges.html

[6] “Rocket Kitten: A Campaign With 9 Lives”, Check Point Software Technologies, https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

[7] Joseph Menn and Yeganeh Torbati, “Exclusive: Hackers accessed Telegram messaging account in Iran – researchers”, Reuters, July 27, 2016, https://webcache.googleusercontent.com/search?q=cache:DE8XABScILkJ:https://ar.reuters.com/article/us-iran-cyber-telegram-exclusive-idUSKCN10D1AM+&cd=5&hl=en&ct=clnk&gl=us

[8] Catalin Cimpanu, “FBI says an Iranian hacking group is attacking F5 networking devices”, ZDNet, Aug. 10, 2020, https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/

[9] Department of Justice, “State-Sponored Iranian Hackers Indicted for Computer Intrusions at U.S. Satellite Companies”, U.S. DOJ, Sept. 17, 2020, https://www.justice.gov/opa/pr/state-sponsored-iranian-hackers-indicted-computer-intrusions-us-satellite-companies

[10] Laurens Cerulus, “Iranian hackers target top diplomats and security officials”, Politico, Oct. 28, 2020, https://www.politico.eu/article/iranian-hackers-target-munich-security-conference-crowd/

[11] Brooke Crothers, “Unsophisticated Iranian hackers armed with ransomware are targeting companies worldwide”, Fox News, Aug. 26, 2020, https://www.foxnews.com/tech/unsophisticated-iranian-hackers-armed-with-ransomware-are-targeting-companies-worldwide