Know Your Adversary™: Iran

While researching advanced persistent threats (APTs), the common analytic angle has always been to identify malware and infrastructure tactics, techniques, and procedures (TTPs) and to develop detections. While this is effective against the big-player APTs of Russia and China, it results in a game of whack-a-mole: blocking known TTPs only pushes the adversary to develop new ones. Without an understanding of the human factors involved, the cycle never ends.
Iran presents an interesting challenge in the realm of both cyber and physical security because of its ideologically inspired geopolitical objectives. Further, international sanctions have caused widespread inflation and volatile economic growth. The combination of these factors is extremely important to understand when looking at Iranian state-sponsored actors.

When assessing the Iranian APT, we must take a different approach from the one used to evaluate more traditional APT groups like China and Russia. We must look at the Iranian APT in a more holistic, geopolitical fashion to truly understand its operations, not just the malware and associated infrastructure. It soon becomes evident that the TTPs of the various Iranian groups overlap. Iranian APT TTPs are dictated and restricted by a single, central authority, drawing on a relatively small pool of talent that is motivated to increase its financial standing. By analyzing these shared human and organizational factors, we can end the vicious whack-a-mole cycle and begin to predict the future moves of this small but agile APT.

The Ministry of Intelligence and Security (MOIS) is Iran’s primary intelligence and state security apparatus, and by design is intricately woven into various facets of the Iranian cyber agenda. This is defined by the Islamic Republic of Iran’s constitution, which establishes the Ministry. Article 1 Clause 1 requires military organizations to coordinate with the Ministry on military intelligence matters. Article 1 Clause 2 requires institutions, governmental companies, military organizations, and police forces to gather and share information with the MOIS while granting it the power to levy requirements upon those same organizations. These articles create the foundation for a more dynamic APT group.

The Iranian government deeply mistrusts its own people and constantly makes decisions with a view towards regime survival. This mistrust greatly reduces the pool of talented cyber experts available to the government. The lack of trusted talent forces collaboration among tight inner circles of Iranian cyber actors and various cybersecurity companies within the country. Consistent with Article 1 Clause 2 of the Iranian constitution, there are documented instances of the MOIS utilizing the Rana Institute and Raha Corp, the latter of which has been posited to be an MOIS front company. Reliance upon contractors and a small talent pool inevitably leads to shared tactics, techniques, procedures, code, and infrastructure.

Everyone wishes to increase their social and financial standing. This is especially true in Iran, where working-level government wages are relatively low, the currency is subject to wide fluctuation, and the natural entrepreneurial spirit of Iranian culture inspires many skilled workers to maximize their income beyond one paycheck. These same factors create a fluidity within the cyber activity of Iran. Actors, from government operators to contractors and individuals, can easily move between groups, taking along their tactics and tools, making attribution to one specific organization quite complex.

Evidence of this can be seen in an observed uptick in Iranian cyber activity focusing on industrial control systems and critical infrastructure operators within the energy and petrochemical industry. This target space is not outside the normal realm of Iranian cyber activity, but it was in this space that the sharing of APT33 and APT34 infrastructure was first observed. As Iran tries to privatize its own enterprises in this sector, many Iranians, including those in the MOIS inner circle, are trying to raise their financial standing by staying on top of the latest technologies and, so to speak, following the money.

What does this mean for the TTPs of the Iranian APT looking towards the future? We expect more and more evident collaboration among the various Iranian actors as they struggle to do more with less amid heightened sanctions. As Iran aims to bolster its cyber espionage and warfare capabilities, we expect to see a continued increase in targeting industrial control systems manufacturers and critical infrastructure operators within the energy and petrochemical industry.

This directive will likely serve two purposes. The first is intelligence gathering on critical assets and the acquisition of footholds within networks, gaining insight into pricing and operations. The second is a more destructive motivation, where Iran seeks to deploy malware to targeted locations maximizing effect.

Ever since the Stuxnet infections affecting the nuclear centrifuges in Natanz, Iran has desired to possess a kinetic cyber weapon. We see this in their development and continued use of “wiper” style attacks, which, while simplistic, are effective. What is important to note here is Iran’s willingness to perform offensive cyber operations in areas where they see socioeconomic pressure, not just military aggression, leading to a consistent threat from these interconnected groups.

It is important for researchers tracking threats from Iran to keep in mind that while there are distinct APT groups in the country, their tactics, motives, and timing for attacks are increasingly likely to overlap. Further, security teams need to recognize that Iranian actor groups are as likely to respond to economic incentives as to national-security ones, and their geopolitical reactions do not reflect the same level of calculation and patience seen from Russian and Chinese APTs. Staying on top of Iranian actors is challenging enough, but to properly defend your environment, especially as a company in an industry the Iranians traditionally target, consistent vigilance against the broader set of Iranian TTPs should produce better results than a focus on one specific actor. The best option is to know your adversary.