Introduction
Cyber security experts have identified four different Advanced Persistent Threat (APT) actors attributed to the Islamic Republic of Iran. These actors are identified forensically by common tactics, techniques, and procedures, as well as similarities in their code and the industries that they target; this attribution is not based on human intelligence inside the Iranian government. Chinese APTs are commonly known as “Pandas;” Russian APTs as “Bears;” and Iranian APTs as “Kittens” (yes, really).
This page is maintained by MEI's Cyber Program.
“Due to the obfuscation techniques, and government control over the Iranian media and internet, we don’t have insight into which APT is Ministry of Intelligence vs. IRGC. What we can do is track their tools like malware, efforts like spear-phishing and brute-forcing, and maintain awareness to increase protection.”
Iranian APTs
-
APT 33
APT 33
Also known as Elfin, Refined Kitten
First active: 2013
Last observed: 2019
Malware
- SHAPESHIFT
- DROPSHOT/Stonedrill
- TURNEDUP
- NANOCORE
- ALFA Shell
- NETWIRE
Initial attack vector
- Spearphishing
- Recruitment-themed
- Fake job descriptions & websites
- Malicious .hta (HTML executable) files
- Other tools & methods
- Brute-force attacks
- Password spraying
- Port 443
- Mimikatz
- FTP exfiltration
- Command and control (C&C/C2)
- Domain masquerading
- Common vulnerabilities & exploits (CVEs)
Additional Information
- Goal: Strategic espionage
- Countries targeted:
- U.S.
- Saudi Arabia
- South Korea
- Industries targeted:
- Aviation (civilian & military)
- Energy
- Petrochemical
- Further reading:
-
APT 34
APT 34
Also known as Helix Kitten, OilRig, GreenBug, IRN2
First active: 2014
Last observed: 2019
Malware
- DNSPIONAGE
- PICKPOCKET
- VALUEVAULT
- LONGWATCH
Initial attack vector
- Social Engineering, Social Media Phishing, Spearphishing
- Academia-themed conversations
- Malicious document (.doc) delivery
- Use of various social media platforms for the above
- Other tools & methods
- Powershell
- HTTP GET and POST requests
- Open SSH tunnel for remote RDP
- Mimikatz
- Microsoft Office vulnerability abuse
- Common vulnerabilities & exploits (CVEs)
Additional information
- Goal: Strategic/cyber espionage
- Countries targeted:
- Middle East (in particular: Lebanon, UAE)
- Further reading:
-
APT 35
APT 35
Also known as Rocket Kitten, Charming Kitten, Newscaster, Phosphorus, Saffron Rose, Ajax, Magic Hound
First active: 2014
Last observed: 2019
Malware
- MAGIC HOUND
- HAVIJ
Initial attack vector
- Social Engineering, Social Media Phishing, Spearphishing
- Password Recovery Impersonation
- SMS Spearphishing
- Use of various social media platforms for the above
- Other tools & methods:
- Two-Factor Authentication Defeat
- Keylogging
- Mimikatz
- Microsoft Office vulnerability abuse
Additional information
- Goal: Strategic espionage
- Countries targeted:
- Middle East (especially Saudi Arabia)
- U.S.
- Industries targeted:
- Military
- Government
- Media
- Energy
- Defense Industrial Base
- Engineering
- Telecommunications
- Dissidents
- Further reading:
-
APT 39
APT 39
Also known as Rocket Kitten, Charming Kitten, Newscaster, Phosphorus, Saffron Rose, Ajax, Magic Hound
First active: 2014
Last observed: 2019
Malware
- SEAWEED
- CACHEMONEY
- POWBAT
Initial attack vector
- Spearphishing
- Malicious attachments
- URLs infected with POWBAT
- Use of various social media platforms for the above
- Other tools & methods:
- Vulnerable web servers
- Custom backdoors
- Mimikatz
- RDP, SSH, data compression before exfiltration
Additional information
- Goal: Theft of personal information to support Iranian priorities such as monitoring and tracking of individuals/dissidents
- Countries targeted:
- Middle East & Persian Gulf
- Spain
- U.S.
- Australia
- Industries targeted:
- Telecommunications
- Travel industries
- Further reading