The increasing problem of hacking in Iran

Dear reader, today I wish to talk to you about the increasing problem of hacking in Iran.

The increasing problem of hacking in Iran began in December 2009. There are many reasons why someone decides to begin hacking. For some it is the allure of money: it seems almost daily that a company pays out millions of dollars to a ransomware group to release its data. For others it is purely a way to make a living. A 2021 poll of 429 universities in the Middle East placed two Iranian universities in the top 10, and from these places of education comes a highly skilled and capable workforce. Unfortunately, with unemployment as high as 25% among 15 to 24 year olds, many of these young people find themselves turning to cyber crime in order to support their families. Some find work hacking for the government, while others find employment with criminal gangs.

With 58.42 million internet users in Iran as of January 2020, the threat of cyber attack from these groups is ever increasing, and so it is important to try to understand who these people are and what they are trying to achieve.

Before we talk about these groups, let us look at a timeline of hacking in Iran.


Timeline of hacking in Iran


December 2009 – A group calling itself the Iranian Cyber Army defaces Twitter's homepage

August 2010 – The Stuxnet virus attacks Iranian nuclear power facilities

2011 – 2013 – DDoS attacks targeting US financial institutions, carried out in retaliation against some of America's biggest banks

August 2013 – Iranian hackers take control of the Bowman Dam outside New York

February 2013 – The Las Vegas Sands Corporation is hacked after the company's owner advocated using nuclear weapons against Iran; the hackers brought down the company's IT systems and exposed customer details

2013 – 2017 – IRGC hackers steal 21 terabytes of documents and data from 144 universities, among other global institutions

August 2017 – A virus called Shamoon is used to attack the Saudi Aramco oil company

December 2018 – Iranian hackers are behind a massive ransomware attack on the US city of Atlanta

October 2019 – Iranian hackers attempt to hack a US presidential campaign

2019 – 2021 – Increase in Iranian hacking activity, with Charming Kitten's BadBlood campaign and MuddyWater's Earth Vetala campaign


This is only a small glimpse of the activity undertaken by Iranian cyber groups over the last 12 years.


Iranian hacking groups

When cyber security experts talk about hacking groups they try to categorise them by giving them names such as Bear for Russia, Panda for China and Kitten for Iran. They call the most advanced groups APTs, which stands for advanced persistent threat. The hackers themselves prefer names such as Reveng3rs, REvil and Darksiders. Because groups appear and vanish, it is hard to keep track of them; however, the increasing problem of hacking in Iran has seen many new groups causing damage to victim systems.

We have put together a list of groups that we believe originate from Iran.



MuddyWater Hacking Group


The MuddyWater group is an APT that has been active since 2017. Primarily they attack Middle Eastern countries; however, they have been observed attacking surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterised by the use of PowerShell based backdoors, which they use for information theft and espionage. It is hard to ascertain whether this group is backed by a government or is simply a criminal gang. Their most recent attack was in February 2021, when they used spear-phishing emails with embedded links to distribute malicious packages.

Also known as: Seedworm, TEMP.Zagros, Static Kitten, TA450


Charming Kitten


Charming Kitten, believed to be a government backed group, was first seen in 2012 when it conducted a global surveillance and infiltration campaign. Their primary targets seem to be academics, human rights advocates and members of the international media, and they seem focused on gaining information on specific individuals rather than capturing large amounts of data. Recently Charming Kitten has been accused of masquerading as African and Oriental scholars in order to solicit sensitive information.

Also known as: APT35, Ajax, Phosphorus, Newscaster, Rocket Kitten



Infy hacking group


Foudre, believed to be another government sponsored group, has been around for more than a decade, but after some time lying dormant it has recently become active again. The group has been observed operating globally, using malware to target government entities and private companies as well as civil society and dissidents.

Also known as: Prince of Persia, Infy, Operation Mermaid



OilRig


OilRig has been active since 2014 and has been prolific in targeting Middle Eastern organisations; however, they occasionally target outside the region, including the US. The group has targeted a variety of industries, including financial, governmental, energy and telecommunications, and they have been known to utilise LinkedIn and other social media platforms to masquerade as a western university on multiple occasions. Based on the infrastructure they use, cybersecurity experts believe they work on behalf of the Iranian government.

Also known as: APT34, Greenbug, Helix Kitten, IRN2, ITG12, Cobalt Gypsy



Chafer


Predominantly targeting the theft of data and personal information, the Chafer group has been active since 2014, previously targeting critical infrastructure throughout the Middle East; more recent attacks, starting in 2018, have targeted organisations based in Kuwait and Saudi Arabia. Most of the hacking activity takes place at the weekend, which could point to Chafer being a criminal gang.

Also known as: APT39, Remix Kitten


Pioneer Kitten


Pioneer Kitten is a suspected government backed group that has been active since 2017, focused on gaining and maintaining access to sensitive data of interest to Iran. They are known to target Israel as well as the USA and other western countries, using exploits in virtual private network software to reach their victims. In late 2020 Pioneer Kitten was identified as advertising access to compromised networks on underground forums; this activity is suggestive of an attempt at revenue stream diversification, and it is unlikely that this commercial activity is sanctioned by the government.

Also known as: Fox Kitten, PARISITE, UNC757

APT33


APT33 has been active since 2013 and targets commercial and governmental sectors in Saudi Arabia and the USA. They have used a mixture of publicly available tools as well as custom made malware to target aviation and petrochemical production. The group has links to the Nasr Institute, which is purported to be Iran's cyber army and to be controlled by the Iranian government.

Also known as: Elfin, Magnallium, Holmium, Refined Kitten


Domestic Kitten


Domestic Kitten is an Iranian group that we reported on 2 years ago. The group is believed to be linked to either the government or the military, and it targets Iranians as well as Turkish and Kurdish natives with malware that allowed them to access victims' contacts, files, browsing history and photos, read SMS messages and record surrounding voice conversations.

The report on Domestic Kitten can be found here:

Also known as: ZooPark, Corrupt Kitten


There are other hacking groups that we have not mentioned today but have previously reported on, groups called N3twOrm and Reveng3rs; we do not know whether these groups are just another name for an existing group or yet more examples of the ever increasing number of Iranian hackers.

As you can see, there are a large number of groups that we believe originate in Iran. Of course we cannot be sure of their true locations, as these groups are renowned for their secrecy, so we can only report what the cybersecurity community believes to be true.


Questions need to be asked

Is there an answer to the increasing problem of hacking in Iran? The number of cyber groups is growing, but could our highly skilled people not be used in a better way? Iran faces many problems; instead of targeting foreign countries, could Charming Kitten or Chafer not instead use their skills to defend us from foreign attacks on our power stations and transport links? Would we be suffering constant power cuts and shortages if the money wasted by the government on hacking groups was instead spent on infrastructure and improving our quality of living?

