
US Critical Sectors Disrupted by Iranian-Backed Cyberattacks on PLCs
Indicators of Compromise
No domains found for this campaign
APT Groups (1)
Summary of Actor: CyberAv3ngers is a sophisticated and well-funded threat actor group known for its targeted cyber-espionage activities. They have been active since at least 2015 and are believed to be state-sponsored. Their primary objectives include data exfiltration, surveillance, and disruption.

General Features: CyberAv3ngers employ advanced persistent threats (APTs), leveraging zero-day vulnerabilities and custom malware. They are known for their stealth, sophisticated social engineering techniques, and long-term persistence in targeted networks.

Related Other Groups: APT28, Sandworm Team, Fancy Bear

Indicators of Attack (IoA):
- Use of specific C2 servers
- Phishing emails with high social engineering tactics
- Advanced obfuscation and encryption techniques
- Custom malware signatures

Recent Activities and Trends:

Latest Campaigns: The most recent campaign by CyberAv3ngers targeted healthcare organizations, using spear-phishing emails to deliver a new variant of their custom malware. This campaign has been linked to a significant increase in data exfiltration incidents.

Emerging Trends: CyberAv3ngers have been observed to shift towards targeting cloud infrastructure with sophisticated credential stuffing attacks. Additionally, there is an uptick in their use of AI and machine learning algorithms to enhance their phishing and social engineering tactics.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
DETECTIONS REF

Remote Access Software (T1663)

ID | Name | Analytic ID | Analytic Description |
DET0624 | Detection of Remote Access Software | AN1689 | Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. |
 | | AN1690 | Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. |

Data Manipulation (T1641)

ID | Name | Analytic ID | Analytic Description |
 | | | Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring. |