Thursday, January 09, 2020

Iranian APT Group Overview

Today the Birmingham InfraGard Chapter and the Alabama ISSA held a joint meeting featuring a presentation from the Cybersecurity & Infrastructure Security Agency (CISA), the part of DHS that was formerly known as the NPPD. I learned of a ton of offerings at the meeting, so I want to start by sharing a link to their CISA Insights page, where earlier this week they released some guidelines for updating your company's Risk Assessment regarding potential cyber or physical threats from Iranian actors in light of our current political situation, and the tendency of the Iranian regime to lash out with cyber attacks when it can't accomplish what it wants with the limited reach of its military. That Insight was called Increased Geopolitical Tensions and Threats and features ten readiness steps for making sure your org is not a soft target for cyber attacks from Iran. Most of these are things you should be doing anyway, but hey, an Iran threat is possibly a good time to go check those out! One way of thinking about covering your cyber bases that I really like is actually from the Australian Government, which recommends its "Essential 8" Strategies to Mitigate Cyber Security Incidents. Start with making sure you have your Essentials covered, but then move on to the "Very Good" and "Excellent" steps as your org matures its security practices.

However, we all know that Iran has many Advanced Persistent Threat (APT) groups, and that there is much more to watching for such activity than patching your systems and telling your users to be aware. A large org will want to know more about the behaviors of documented Iranian APT groups. Often these insights include the known malware families used by the actor, or which sectors or countries the threat group has historically attacked.

I've seen several documents that share a woefully incomplete list of APT groups from Iran, so I've tried to pull together some helpful links to the main groups below. In each case, if there is a "MITRE Group #" after the main title, you will find a very robust list of TTPs (Tactics, Techniques, and Procedures) for the group and links to many more reports and resources about the group than I have provided below. However, I DO like the reports I've listed and think you might want to read them as part of a "basic understanding" before following a dozen reports about the same group. One slight complaint about the MITRE data, and APT group naming in general, is that there is a great deal of disagreement about which group names are aliases for the same group, and which may be entirely different groups that just share some tools with one another. Hey, I'm doing the best I can here, and so is MITRE. It's tricky! If you feel I've really got something screwed up, leave a comment! Let's chat!

It seems most every vendor likes to put its own spin on APT group naming. I have to confess to being a sucker for the CrowdStrike naming conventions (Hi Adam! Hi Dmitri! Hi Shawn!). They assign each APT group an animal name that denotes the country where the group is hosted. Their animal for Iran is "Kitten" (as in "Persian Kitten", get it?).

While there are several excellent APT disambiguation efforts, my favorite for ease of use is the one run by Florian Roth (Twitter @Cyb3rops): APT Groups and Operations. Go to the Iran tab. There are columns for malware sets and links related to each group as well.

If you prefer a much more detailed read on APT groups, the ThaiCERT has an amazing Threat Actor Encyclopedia, a 275-page omnibus of APT! However, it is really tricky to pull out, for example, JUST the Iran material from it.

For now, I'll organize this by the CrowdStrike Kitten Names. Their set includes at least:

but there are many other companies naming other Iranian APT groups that may or may not link up with the Kittens. FireEye is the main user of the numbered APT groups. Many of these now have a "Kitten" name as you see above ... APT33, 34, 35, and 39 are all Iranian. There are several "less well labeled" actors who either don't really behave like a traditional APT, or haven't been as widely linked as those above, but are still serious. A few of those below:
  • Cyber Fighters of Izz Ad-Din Al Qassam - the bank DDoS guys.
  • DarkHydrus (AKA Lazy Meerkat) - some say this is actually also Slayer Kitten, others disagree
  • Gold Lowell (AKA Boss Spider) - these are the SamSam ransomware guys

If it would be helpful to just have the MITRE links all in one place, here you go!
  1. Hi, I think you wanted to write next to Refined Kitten (AKA APT33, AKA Magic Hound, AKA Timberworm).

  2. Thanks for the write up
Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.