SOC Incident Toolkit
Hackers Behind the Iran


Tags: Iran, MuddyWater, OilRig

The asymmetric nature of the cyberwarfare domain has enabled Iran to carry out some of the most sophisticated and costly cyber attacks of the internet age.

Indicators of Compromise

Domains (1198)

calendas.ru
bokujanai.ru
atlanticos.site
agaricusa.online
alligatori.xyz
artemisian.xyz
buffalor.ru
cheric.ru
cyrestinae.online
asdorta.ru
arianos.ru
corolain.ru
cultiventris.online
bitsbitsl.space
achalinus.online
adonisi.xyz
anguisa.xyz
bobotal.ru
cereusi.ru
arachnidas.ru
+1178 more

Hashes (1159)


IPv4 (830)

114.97.242.164
167.172.53.167
103.12.163.93
159.48.53.178
171.22.76.50
112.21.128.253
176.118.165.76
179.43.168.174
178.76.229.77
178.234.135.45
125.108.169.71
147.182.169.247
157.230.96.56
109.227.125.112
185.175.158.27
118.249.53.26
185.168.9.109
185.102.217.160
178.169.151.144
159.223.20.16
+810 more

APT Groups

Cyber fighters of Izz Ad-Din Al Qassam (Iran, Islamic Republic of)
CHRYSENE (Iran, Islamic Republic of)
COBALT DICKENS (Iran, Islamic Republic of)
TRACER KITTEN (Iran, Islamic Republic of)
CopyKittens (Iran, Islamic Republic of)
MuddyWater (Iran, Islamic Republic of)
Fox Kitten (Iran, Islamic Republic of)
ELECTRUM
Sands Casino (Iran, Islamic Republic of)
MAGNALLIUM (Iran, Islamic Republic of)
Cadelle (Iran, Islamic Republic of)
APT39 (Iran, Islamic Republic of)
Infy (Iran, Islamic Republic of)
Magic Kitten (Iran, Islamic Republic of)
Sima (Iran, Islamic Republic of)
Madi (Iran, Islamic Republic of)

Notes

Iran's investment in developing its cyberwarfare capabilities fits into a national security strategy that relies extensively on asymmetric warfare. Iran has honed this strategy since the end of the 1980-1988 Iran-Iraq War, a war that cost Iran over 300,000 lives and devastated the Islamic Republic's economy and infrastructure. The war shaped the worldview of the network of IRGC officers who served in it and who form the core of Iran's military elite to this day, hardening their enmity toward the U.S. and inculcating an aversion to head-to-head combat. As a result, Iran sought asymmetric response capabilities that would enable it to prevail in conflict with stronger powers.

U.S. Government publications on Iranian cyber activity (Publication Date, Title, Description):

September 23, 2022
Title: Iranian State Actors Conduct Cyber Operations Against the Government of Albania
URL: https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
Description: FBI and CISA have released this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September 2022. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks.

September 14, 2022
Title: Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
URL: https://www.cisa.gov/uscert/ncas/alerts/aa22-257a
Description: FBI, CISA, NSA, USCC, CNMF, the Treasury, ACSC, CCCS, and the NCSC highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC).

February 24, 2022
Title: CISA, FBI, CNMF, NCSC-UK, NSA Malware Analysis Report: MAR-10369127-1.v1 - MuddyWater
URL: https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-055a
Description: CISA, FBI, CNMF, NCSC-UK, and NSA have released a joint MAR providing detailed analysis of 23 files identified as MuddyWater tools.

February 24, 2022
Title: CISA-FBI-CNMF-NCSC-UK-NSA Joint Cybersecurity Advisory: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
URL: https://www.cisa.gov/uscert/ncas/alerts/aa22-055a
Description: CISA, FBI, CNMF, NCSC-UK, and NSA have released a joint Cybersecurity Advisory highlighting a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors in Asia, Africa, Europe, and North America.

November 17, 2021
Title: CISA-FBI-ACSC-NCSC Joint Cybersecurity Advisory: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
URL: https://www.us-cert.gov/ncas/alerts/aa21-321a
Description: CISA, FBI, ACSC, and NCSC have released a joint CSA on Iranian government-sponsored APT actors exploiting Microsoft Exchange and Fortinet vulnerabilities to gain initial access in advance of follow-on operations. The Iranian government-sponsored APT actors are actively targeting a broad range of U.S. critical infrastructure sectors as well as Australian organizations.

July 20, 2021
Title: JSAR-12-241-01B: Shamoon/DistTrack Malware (Update B)
URL: https://us-cert.cisa.gov/ics/jsar/JSAR-12-241-01B
Description: U.S. Government attributed previously published activity targeting industrial control systems to Iranian nation-state cyber actors.

October 30, 2020
Title: CISA and FBI Joint Cybersecurity Advisory: Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data
URL: https://us-cert.cisa.gov/ncas/alerts/aa20-304a
Description: CISA and FBI released a Joint CSA on an Iranian APT actor targeting U.S. state websites, including elections websites, to obtain voter registration data. The Advisory provides indicators of compromise (IOCs) and recommended mitigations for affected entities.

October 22, 2020
Title: CISA-FBI Joint Cybersecurity Advisory: Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems
URL: https://us-cert.cisa.gov/ncas/alerts/aa20-296b
Description: CISA and FBI released an Advisory warning about Iranian APT actors likely intent on influencing and interfering with the 2020 U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.

September 15, 2020
Title: CISA-FBI Joint Cybersecurity Advisory: Iran-Based Threat Actor Exploits VPN Vulnerabilities
URL: https://us-cert.cisa.gov/ncas/alerts/aa20-259a
Title: MAR-10297887-1.v2 - Iranian Web Shells
URL: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a
Description: CISA and FBI released a Joint CSA on an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. The Advisory analyzes the threat actor's tactics, techniques, and procedures (TTPs); IOCs; and exploited Common Vulnerabilities and Exposures. The MAR details the functionality of malicious files, including multiple components of the China Chopper Web Shell, used by Iran-based malicious cyber actors.

January 06, 2020
Title: CISA Alert: Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad
URL: https://us-cert.cisa.gov/ncas/alerts/aa20-006a
Title: CISA Insights: Increased Geopolitical Tensions and Threats
URL: https://cisa.gov/sites/default/files/publications/CISA-Insights-Increased-Geopolitical-Tensions-and-Threats-S508C.pdf
Description: In light of heightened tensions between the United States and Iran, CISA released an Alert and an "Insights" analysis providing Iranian government and affiliated cyber threat actor TTPs and an overview of Iran's cyber threat profile, respectively.

The Attacks:

The following accounting of the most significant Iranian cyber attacks, either attempted or completed, shows the evolution of Iran's increasingly sophisticated and bold cyberwarfare activities. The incidents recounted also give an indication of how cyberwarfare fits into Iranian statecraft and national security strategy. Even at times of relative stability or low tensions, Iran has remained active in the cyber domain. Iran's cyber activities tend to escalate in response to provocations and heightened tensions. On occasion, Iran has resorted to crude, quick strikes when it has sought to respond immediately to a provocation, such as the imposition of new sanctions. Other Iranian malign cyber activities, particularly those of its primary hacker collectives, have demonstrated slow and methodical planning involving the strategic selection of targets, the development of custom malware, and protracted periods of infiltration before the deployment of cyberweapons.

Iranian Hacker(s):

Following the 2010 Stuxnet attack on Iran's nuclear program, Iran rapidly began investing in and improving its offensive cyberwarfare capabilities, which ushered in increasingly sophisticated attacks. In September 2011, an Iranian hacker (or hackers) claimed credit for an attack that compromised the Dutch certificate authority DigiNotar and issued fraudulent certificates, the documents that tell a web browser that the site it is connected to is the site the user intended to visit. The hack effectively gave Iran the ability to access the Gmail accounts and spy on the encrypted communications of 300,000 Iranian users. The attack was claimed by a hacker who said he had acted alone and had chosen to help his government monitor the communications of his fellow citizens, yet it appears that Iranian intelligence was involved as well. The UK Government Communications Headquarters (GCHQ) provided a post-mortem account of the DigiNotar event in which it alleged that an

Mitigation

FBI and CISA recommend that organizations apply the following best practices to reduce the risk of compromise:

- Ensure anti-virus and anti-malware software is enabled and signature definitions are updated regularly and in a timely manner. Well-maintained anti-virus software may prevent use of commonly deployed attacker tools that are delivered via spear-phishing.
- Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spear-phishing attacks.
- If your organization is running software or appliances affected by known Common Vulnerabilities and Exposures (CVEs), ensure those vulnerabilities are patched. Prioritize patching known exploited vulnerabilities.
- Monitor for unusually large amounts of data (i.e., several GB) being transferred from a Microsoft Exchange server.
- Check for host-based indicators of compromise, including web shells, within your environment.
- Maintain and test an incident response plan.
- Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities. Note: CISA's Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations.
- Properly configure and secure internet-facing network devices:
  - Do not expose management interfaces to the internet.
  - Disable unused or unnecessary network ports and protocols.
  - Disable or remove unused network services and devices.
- Adopt zero-trust principles and architecture, including:
  - Micro-segmenting networks and functions to limit or block lateral movement.
  - Enforcing phishing-resistant multifactor authentication (MFA) for all users and VPN connections.
  - Restricting network access to trusted devices and users.
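Two of the mitigations above (monitoring for multi-gigabyte transfers from an Exchange server and checking the environment against the campaign's indicators) translate directly into a small triage script. The following is an added example written for this page, not code from the SOC Incident Toolkit or from CISA. It assumes an egress log in a simple CSV form (timestamp, source host, destination, bytes out); the log lines are constructed for the example, while the handful of indicator values are taken from the domain and IPv4 lists on this page. The 2 GiB threshold is this example's assumption in place of the advisory's "several GB".

```python
"""Added example: triage checks derived from the mitigation list above.

Two checks a SOC can run against proxy/firewall egress logs:
  1. match destinations against the campaign's domain/IP indicators, and
  2. flag Exchange servers whose outbound volume exceeds a byte threshold.
The log lines below are constructed for this example; the indicator values
are a few taken from the lists on this page (a real run would load the
full feed rather than hard-code them).
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# A few indicators copied from the page's IoC lists.
IOC_DOMAINS = {"calendas.ru", "bokujanai.ru", "atlanticos.site", "alligatori.xyz"}
IOC_IPS = {"114.97.242.164", "167.172.53.167", "103.12.163.93"}

# Constructed egress log: timestamp,src_host,dst,bytes_out
# (non-indicator destinations use the reserved .test TLD).
SAMPLE_LOG = """\
2022-09-20T08:01:12Z,ws-014,update.example-vendor.test,18432
2022-09-20T08:02:40Z,ws-022,calendas.ru,2048
2022-09-20T08:05:09Z,exch-01,smtp.partner.test,524288
2022-09-20T08:07:55Z,exch-01,167.172.53.167,4294967296
2022-09-20T08:09:31Z,exch-01,167.172.53.167,1073741824
2022-09-20T08:11:02Z,ws-031,cdn.example-vendor.test,65536
2022-09-20T08:14:47Z,exch-02,mail.partner.test,8388608
"""

GB = 1024 ** 3

Row = Tuple[str, str, str, int]


def parse_log(text: str) -> List[Row]:
    """Parse CSV lines into (timestamp, src_host, dst, bytes_out) tuples.

    Blank or malformed lines are skipped rather than aborting the run, so a
    partially corrupted export still yields results for the good lines."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            rows.append((ts, src, dst.lower(), int(nbytes)))
        except ValueError:
            continue
    return rows


def ioc_hits(rows: List[Row], domains: Set[str] = IOC_DOMAINS,
             ips: Set[str] = IOC_IPS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src_host, dst) for every connection whose
    destination is a listed IP, a listed domain, or a subdomain of one."""
    hits = []
    for ts, src, dst, _ in rows:
        if dst in ips or dst in domains or any(dst.endswith("." + d) for d in domains):
            hits.append((ts, src, dst))
    return hits


def large_egress(rows: List[Row], hosts: Set[str],
                 threshold_bytes: int = 2 * GB) -> Dict[str, int]:
    """Sum bytes_out per host in `hosts` (e.g. the Exchange servers) and
    return {host: total_bytes} for those above the threshold. The 2 GiB
    default is an assumption of this example; tune it to the site's
    normal mail volume."""
    totals: Dict[str, int] = defaultdict(int)
    for _, src, _, nbytes in rows:
        if src in hosts:
            totals[src] += nbytes
    return {h: t for h, t in totals.items() if t > threshold_bytes}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(rows):
        print("IOC hit:", hit)
    for host, total in large_egress(rows, {"exch-01", "exch-02"}).items():
        print(f"large egress from {host}: {total / GB:.2f} GiB")
```

On the constructed log this reports one workstation reaching a listed domain, two Exchange connections to a listed IP, and exch-01 exceeding the threshold with roughly 5 GiB outbound; exch-02's 8 MiB is ignored. Summing per host over the whole window rather than per connection is deliberate: staged exfiltration is often spread across many moderate transfers, and a per-connection threshold would miss it.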