Recently, there has been an uptick in activity from Iranian APTs and threat groups. In February 2022, CISA, the Federal Bureau of Investigation (FBI), the U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) released a joint statement regarding their observation of Iranian government-sponsored APT MuddyWater – an Iranian APT observed targeting the defense, oil and natural gas, local government, and telecommunications industries.
By August 2022, another Iranian APT named APT35 was seen using a data extraction tool called Hyperscrape to steal data from well-known email providers (Yahoo!, Google, etc.). The APT was seen attacking a wide range of targets, using a new strain of malware. Now, researchers have observed more Iranian threat actors and APTs scanning for and exploiting well-known vulnerabilities.
CISA and the FBI recently warned that Iranian threat actors have been consistently improving their offensive cyber capabilities and their attacks are intended to cause physical consequences. Let’s take a look at Iranian APT activity, recent attacks, as well as tactics and techniques.
Since 2015, APT42 has been responsible for over 30 cyberespionage attacks via credential harvesting. The threat actor has specifically targeted Australia, Europe, the Middle East, and the U.S. APT42 is known for deploying highly targeted spear phishing and surveillance operations in at least 14 countries.
According to the threat intelligence firm Mandiant, APT42 could be operating on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). The IRGC tends to rely on contractors to execute different cyber operation missions.
Also, the threat actor has targeted corporate and personal email accounts to harvest credentials and infect Android devices with spyware. Parties within the U.S., Europe, Australia, and the Middle East have been targeted by APT42. Mandiant stated that APT42’s operations appear to be focused on organizations and people of interest to the Iranian government for foreign policy, domestic politics, and regime stability purposes.
Additionally, APT42 shares partial overlaps with APT35. Mandiant’s report on APT42 stated that they can conclude with moderate confidence that the group operates on behalf of the IRGC but originates from a different mission, based on the groups’ differing targeting patterns, tactics, techniques, and procedures. The differences are the following:
Both APT42 and APT35 have used MAGICDROP (which decrypts files from its .data section and writes them to the system’s Temp directory) and BROKEYOLK (a .NET downloader that downloads and executes malware from the hardcoded address of an adversary’s C2 server), but the groups don’t share similarities regarding C2 infrastructure or how they use the malware.
It is also important to note that both APT42 and APT35 have links to a threat cluster tracked as UNC2448 by Mandiant. Additionally, Microsoft and Secureworks disclosed APT42 as a Phosphorus subgroup deploying ransomware attacks for financial gain via BitLocker.
Between May and June 2022, the Albanian government was attacked by threat actors from Iran. The attack was in response to an upcoming conference in Albania being hosted by the Iranian opposition group Mojahedin-e Khalq (MEK). After the attacks, Albania had to shut down online access to several government services. The threat actors deployed ransomware onto the networks of the Albanian government – leaving an anti-Mujahideen message on all desktops.
Also, it was suspected that the attacks included an unknown backdoor called ChimneySweep and a ransomware tool called RoadSweep. Researchers at Mandiant discovered that on the day after the Albanian attacks, ZeroCleare malware was uploaded to a public malware repository. This malware has previously been linked to Iranian hackers. At the time, researchers did not link these attacks to a particular threat group.
However, in June 2022, HomeLand Justice created a website and several social media profiles with anti-MEK messages. By July 2022, HomeLand Justice took responsibility for the cyber attacks on the Albanian government infrastructure. The attack destroyed sensitive government data and disrupted government services to the public. HomeLand Justice even posted videos of the attack on their website. Also, via social media, HomeLand Justice advertised Albanian government information for release in a .zip file or in a video of a screen recording of confidential documents. The advertisements continued into August 2022.
In September 2022, the Albanian government became the victim of yet another cyber attack launched by Iranian threat actors – using similar tactics, techniques, and malware. These attacks were likely in response to severed diplomatic ties between Albania and Iran, and Albania asking all Iranian diplomats and embassy staff to leave the country after July’s cyber attack. This is the first time a country has severed diplomatic relations because of a cyber conflict.
As a result of the attacks, the U.S. imposed sanctions on Iran’s Ministry of Intelligence and its minister for allegedly engaging in other cyber activities against the U.S. and its allies (Albania).
“Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.” – Brian E. Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence (Treasury.gov)
APT42’s main goal is to harvest credentials from email accounts, track Iranian government dissidents, and steal documents and research related to Iran. APT42’s activity primarily focuses on the Middle East; however, the group has also targeted journalists, government officials who oppose the IRGC, and Western think tanks.
Targeting high-priority victims inside and outside of Iran, APT42 is a threat to foreign policy officials. The group’s surveillance activity includes the surveillance of Iranian dual-nationals, dissidents inside Iran and those who fled Iran for their safety, as well as prior government officials. APT42’s credential harvesting campaigns include detailed social engineering, with one case lasting 37 days. The threat actor masqueraded as a well-known journalist from a large U.S. media company and requested an interview from their target. The APT engaged the target for 37 days before directing them to a phishing landing page.
In addition to sophisticated social engineering tactics, APT42 collects multi-factor authentication (MFA) codes to bypass authentication. In May 2017, the group targeted an Iranian opposition group that operated out of Europe and North America. They sent the group’s senior leadership spear-phishing emails that mimicked legitimate Google correspondence. The correspondence contained links to fake Google Books pages, which directed the victims to sign-in pages. The sign-in pages attempted to steal the victim’s credentials and MFA authentication codes.
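The campaign above works because a one-time code carries no information about where it was typed: a fake sign-in page can forward the victim's password and MFA code to the real service unchanged. The following added illustration (not code from the Avertium report or from any vendor) contrasts that with an origin-bound assertion of the WebAuthn kind, where the browser signs the origin it actually displayed. The origins, the TOTP seed and the use of a shared HMAC key in place of a real public-key signature are all constructed simplifications for the demo.

```python
"""Added illustration: why a relayed one-time code passes but an origin-bound
assertion does not. All keys, origins and timestamps below are constructed."""
import hashlib
import hmac
import json
import secrets
import struct
import time

REAL_ORIGIN = "https://accounts.example.com"    # constructed legitimate origin
PHISH_ORIGIN = "https://accounts-example.com"   # constructed look-alike origin


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the kind of code a victim reads off a phone."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def service_accepts_totp(secret: bytes, submitted: str, t: int) -> bool:
    """The real service only checks the code value; it cannot see where it was typed."""
    return hmac.compare_digest(submitted, totp(secret, t))


def relay_totp(secret: bytes, t: int) -> bool:
    """The victim types a valid code on the fake page; it is submitted unchanged."""
    code_typed_on_fake_page = totp(secret, t)
    return service_accepts_totp(secret, code_typed_on_fake_page, t)


# Origin-bound assertion, simplified: a shared HMAC key stands in for the
# authenticator's private key (assumption for the demo; WebAuthn uses a keypair).
def sign_assertion(key: bytes, challenge: bytes, origin_seen_by_browser: str) -> dict:
    """The authenticator signs the challenge together with the origin the browser saw."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin_seen_by_browser}
    ).encode()
    sig = hmac.new(key, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def service_accepts_assertion(key: bytes, challenge: bytes, assertion: dict) -> bool:
    """The relying party verifies the signature AND that the signed origin is its own."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != REAL_ORIGIN or bytes.fromhex(data["challenge"]) != challenge:
        return False
    expected = hmac.new(key, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def relay_assertion(key: bytes, challenge: bytes) -> bool:
    """The fake page forwards the real challenge, but the browser signs the fake origin."""
    return service_accepts_assertion(key, challenge, sign_assertion(key, challenge, PHISH_ORIGIN))


if __name__ == "__main__":
    seed, key, chal = secrets.token_bytes(20), secrets.token_bytes(32), secrets.token_bytes(32)
    now = int(time.time())
    print("relayed TOTP accepted:", relay_totp(seed, now))              # True
    print("relayed assertion accepted:", relay_assertion(key, chal))   # False
    legit = sign_assertion(key, chal, REAL_ORIGIN)
    print("genuine assertion accepted:", service_accepts_assertion(key, chal, legit))  # True
```

The design point is in `service_accepts_assertion`: the origin is part of the signed data and is compared against the relying party's own origin, so the only thing a look-alike page can obtain is an assertion that fails verification. A TOTP check has no such field to compare.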
APT42 also steals information directly from victims’ machines, for example through keylogging and cookie theft. Avertium’s Cyber Threat Intelligence Team (CTI) was able to analyze two malware samples, Dostealer (aka winrarcontainer) and SilentUploader (a DLL). Dostealer is primarily used for credential theft as part of information stealing. Reverse engineering of the executable reveals several of the malware’s built-in functions, including:
Image 1: DoStealer
According to the CTI team, the cookie stealer functions rely on an SQLite DLL, which is dropped by the executable to ensure functionality. Below, you will find the malware checking to see if the sqlite3.dll file exists and writing it if it does not.
Image 2: Checking for sqlite3.dll
Below, you’ll find another code block that checks for and writes SilentUploader, then sleeps to bypass antivirus detection before executing.
Image 3: Bypassing Antivirus Detection
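The two code blocks above, together with the MAGICDROP behaviour described earlier (files decrypted and written to the Temp directory), give a defender a concrete sequence to hunt for: an executable running from a user temp folder writes sqlite3.dll and a second DLL beside itself, pauses, and then loads what it dropped. The following added example (Avertium's CTI team did not publish this; it is illustrative code) runs that correlation over constructed Sysmon-style records. Event ID 11 (FileCreate) and Event ID 7 (ImageLoad) are real Sysmon event types; the flattened JSON field names, paths, process names and timestamps are constructed for the demo.

```python
"""Added example: correlate temp-folder DLL drops with later loads by the same
process. Telemetry, paths and field names are constructed, not captured data."""
import json
import re
from collections import defaultdict

# Assumption: user-writable temp path layout of a default Windows profile.
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
SQLITE_DLL = "sqlite3.dll"

# Constructed sample telemetry, one JSON object per line:
#   id 11 = FileCreate (image wrote target), id 7 = ImageLoad (image loaded a DLL).
SAMPLE_EVENTS = r"""
{"ts": 100, "id": 11, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\winrarcontainer.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\sqlite3.dll"}
{"ts": 101, "id": 11, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\winrarcontainer.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\silentuploader.dll"}
{"ts": 105, "id": 11, "image": "C:\\Program Files\\VendorApp\\setup.exe", "target": "C:\\Program Files\\VendorApp\\sqlite3.dll"}
{"ts": 106, "id": 7, "image": "C:\\Program Files\\VendorApp\\app.exe", "loaded": "C:\\Program Files\\VendorApp\\sqlite3.dll"}
{"ts": 221, "id": 7, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\winrarcontainer.exe", "loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\silentuploader.dll"}
{"ts": 222, "id": 7, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\winrarcontainer.exe", "loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\sqlite3.dll"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON records; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_temp_droppers(events: list) -> list:
    """Alert when a process that wrote sqlite3.dll into a user temp folder later
    loads a DLL it dropped there itself. The delay between write and load is
    reported because the sample sleeps before executing its second stage."""
    dropped = defaultdict(dict)   # image -> {lowercased dropped path: write timestamp}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 11 and USER_TEMP.match(ev["target"]):
            dropped[ev["image"]][ev["target"].lower()] = ev["ts"]
        elif ev["id"] == 7:
            mine = dropped.get(ev["image"], {})
            loaded = ev["loaded"].lower()
            wrote_sqlite = any(p.endswith("\\" + SQLITE_DLL) for p in mine)
            if loaded in mine and wrote_sqlite:
                alerts.append({
                    "image": ev["image"],
                    "loaded": ev["loaded"],
                    "delay_s": ev["ts"] - mine[loaded],
                    "dropped": sorted(mine),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_temp_droppers(parse_events(SAMPLE_EVENTS)):
        print(f'{alert["image"]} loaded {alert["loaded"]} {alert["delay_s"]}s after dropping it')
```

The vendor installer in the sample writes sqlite3.dll into Program Files and is never flagged: the rule keys on the combination of a user-writable drop location, the SQLite dependency the cookie stealer needs, and the same process loading its own drop, which a legitimate installer rarely does. Tune `USER_TEMP` to the profile layout in your environment.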
APT42 also has custom backdoors and tools which include publicly available code copied directly from GitHub projects. This likely means that the group has limited in-house resources for developing malware. Some of the malware families utilized include the custom reconnaissance tool PowerPost and the PowerShell backdoor TameCat, as well as the VBA-based dropper TabbyCat. APT42 delivers the malware through malicious documents attached to spear-phishing emails. The Android malware used by APT42 is designed to monitor victims’ communications and track their locations.
Image 4: Code for Keylogger Function
In the past, holding threat actors responsible and accountable for cyber attacks was difficult due to varying laws in different countries. In previous years, threat actors freely wreaked havoc on critical infrastructure in various countries, including the U.S. In December 2020, we saw the attack on SolarWinds – a widely used IT management software application leveraged by the U.S. government and by the security industry. Next, we witnessed DarkSide’s cyber attack on Colonial Pipeline, followed by REvil’s attack on Kaseya.
As a result of these devastating attacks, President Biden stated that one of his goals for 2021 was to strengthen the nation’s cyber security and bring other countries together to combat cybercrime and improve law enforcement cooperation. An Executive Order was issued to tackle the cybersecurity challenges facing the U.S. Therefore, it is not shocking that the U.S. has decided to sanction Iran for attacking an ally (Albania).
The sanctions that the U.S. has imposed upon Iran include freezing the assets of the targeted individuals and entities in the U.S., thus making it illegal for American citizens to do business with Iran. Nevertheless, Iran has rejected the sanctions and believes that they are politically motivated.
“Like previous illegal US sanctions against the Ministry of Intelligence, this new label will never be able to create the slightest hinder in the determination of the Iranian people’s security servicemen in this proud institution,” – Nasser Kanaani (Iran’s Foreign Ministry spokesperson)
After Albania was attacked in July 2022, the U.S. government spent time working alongside private sector partners to help Albania mitigate and recover from the attack. Lately, the U.S. government has become quicker in responding to cyber attacks and attributing state-backed attacks.
In May 2022, the U.S. government was able to attribute a cyber attack on the satellite communications provider, Viasat, to the Russian government. In the summer of 2021, they were able to attribute Microsoft Exchange server attacks to Beijing in just three months. In 2017, it took the U.S. government a lengthy eight months to pin the malware to a specific threat actor.
“Iran’s conduct disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public. Albania views impacted government networks as critical infrastructure. Malicious cyber activity by a State that intentionally damages critical infrastructure or otherwise impairs its use and operation to provide services to the public can have cascading domestic, regional, and global effects; pose an elevated risk of harm to the population; and may lead to escalation and conflict.” – The White House
The U.S. government plans to continue to hold malicious threat actors accountable and invites their partners and allies to join them in building a secure and resilient digital future. For every action, there is a reaction and cyber security professionals can only hope that Iranian state-backed actors won’t retaliate due to the new sanctions.
Threat actors like APT42 and HomeLand Justice can gain unlimited access to networks and systems, furthering reconnaissance. Avertium is here to keep your organization safe and to mitigate any attacks caused by bad actors:
Avertium & CISA Recommend the following when dealing with threat actors like HomeLand Justice:
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.