Introduction
Cyber security experts have identified six different groups attributed to the Islamic Republic of Iran. These actors are identified forensically by common tactics, techniques, and procedures, as well as similarities in their code and the industries that they target; this attribution is not based on human intelligence inside the Iranian government. Chinese Advanced Persistent Threat (APT) actors are commonly known as “Pandas;” Russian APTs as “Bears;” and Iranian APTs as “Kittens” (yes, really).
This page is maintained by MEI's Cyber Program.

“Due to the obfuscation techniques, and government control over the Iranian media and internet, we don’t have insight into which APT is Ministry of Intelligence vs. IRGC. What we can do is track their tools like malware, efforts like spear-phishing and brute-forcing, and maintain awareness to increase protection.”
Iranian APTs
APT 33
Also known as Elfin, Refined Kitten
First active: 2013
Last observed: 2019
Malware
- SHAPESHIFT
- DROPSHOT/Stonedrill
- TURNEDUP
- NANOCORE
- ALFA Shell
- NETWIRE
Initial attack vector
- Spearphishing
  - Recruitment-themed
  - Fake job descriptions & websites
  - Malicious .hta (HTML executable) files
Other tools & methods
- Brute-force attacks
- Password spraying
- Port 443
- Mimikatz
- FTP exfiltration
- Command and control (C&C/C2)
- Domain masquerading
- Common Vulnerabilities and Exposures (CVEs)
Additional information
- Goal: Strategic espionage
- Countries targeted:
  - U.S.
  - Saudi Arabia
  - South Korea
- Industries targeted:
  - Aviation (civilian & military)
  - Energy
  - Petrochemical
- Further reading:
APT 34
Also known as Helix Kitten, OilRig, GreenBug, IRN2
First active: 2014
Last observed: 2019
Malware
- DNSPIONAGE
- PICKPOCKET
- VALUEVAULT
- LONGWATCH
Initial attack vector
- Social engineering, social media phishing, spearphishing
  - Academia-themed conversations
  - Malicious document (.doc) delivery
  - Use of various social media platforms for the above
Other tools & methods
- PowerShell
- HTTP GET and POST requests
- Open SSH tunnel for remote RDP
- Mimikatz
- Microsoft Office vulnerability abuse
- Common Vulnerabilities and Exposures (CVEs)
Additional information
- Goal: Strategic/cyber espionage
- Countries targeted:
  - Middle East (in particular: Lebanon, UAE)
- Further reading:
APT 35
Also known as Rocket Kitten, Charming Kitten, Newscaster, Phosphorus, Saffron Rose, Ajax, Magic Hound
First active: 2014
Last observed: 2019
Malware
- MAGIC HOUND
- HAVIJ
Initial attack vector
- Social engineering, social media phishing, spearphishing
  - Password recovery impersonation
  - SMS spearphishing
  - Use of various social media platforms for the above
Other tools & methods
- Two-factor authentication defeat
- Keylogging
- Mimikatz
- Microsoft Office vulnerability abuse
Additional information
- Goal: Strategic espionage
- Countries targeted:
  - Middle East (especially Saudi Arabia)
  - U.S.
- Industries targeted:
  - Military
  - Government
  - Media
  - Energy
  - Defense Industrial Base
  - Engineering
  - Telecommunications
  - Dissidents
- Further reading:
APT 39
Also known as Chafer, Remix Kitten
First active: 2014
Last observed: 2019
Malware
- SEAWEED
- CACHEMONEY
- POWBAT
Initial attack vector
- Spearphishing
  - Malicious attachments
  - URLs infected with POWBAT
  - Use of various social media platforms for the above
Other tools & methods
- Vulnerable web servers
- Custom backdoors
- Mimikatz
- RDP, SSH, data compression before exfiltration
Additional information
- Goal: Theft of personal information to support Iranian priorities such as monitoring and tracking of individuals/dissidents
- Countries targeted:
  - Middle East & Persian Gulf
  - Spain
  - U.S.
  - Australia
- Industries targeted:
  - Telecommunications
  - Travel industries
- Further reading:
Rampant Kitten
First active: 2014
Last observed: 2020
Malware
- Information-stealing variants, primarily targeting victims' KeePass and Telegram accounts
- Dharma ransomware
Initial attack vector
- Information stealers targeting credentials, personal documents, SMS, and Telegram messages
- An Android backdoor that extracts two-factor authentication codes
- Phishing pages masquerading as distributors of fake accounts
- Bypassing two- and multi-factor authentication
Other tools & methods
- VPN exploitation
- CVEs:
  - CVE-2019-11510
  - CVE-2019-19781
  - CVE-2020-5902
Additional information
- Goals:
  - Espionage
  - Target and expose/dox dissidents and Iranian minorities
  - Financial gain
- Countries targeted:
  - Russia
  - Japan
  - China
  - India
  - Israel
  - North America
- Industries targeted:
  - Government
  - Technology
  - Defense
- Further reading:
Pioneer Kitten
Also known as Fox Kitten, PARISITE, UNC757
First active: 2017
Last observed: 2020
Initial attack vector
- Exploits unpatched vulnerabilities
- Webshells
- SSH tunneling
- VPN exploitation
Other tools & methods
- Sells access to compromised systems and networks
- CVEs:
  - CVE-2018-13379
  - CVE-2019-11510
  - CVE-2019-19781
  - CVE-2020-5902
Additional information
- Goals:
  - Espionage
  - Financial gain
- Countries targeted:
  - Israel
  - North America
  - Middle East
- Industries targeted:
  - Healthcare
  - Government
  - Technology
  - Defense
- Further reading: