S3E1: Spotlight Iran - from Cain & Abel to full SANDSPY
about 5 days ago.
Updated about 5 days ago.
In response to increased U.S.-Iran tensions stemming from the recent death of Quds Force leader Qasem Soleimani by U.S. forces and concerns of potential retaliatory cyber attacks, we're bringing the latest from our front-line experts on all things Iran. Christopher Glyer and Nick Carr are joined by Sarah Jones (@sj94356) and Andrew Thompson (@QW5kcmV3) to provide a glimpse into Iran-nexus threat groups - including APT33, APT34, APT35, APT39, and TEMP.Zagros - as well as the freshest actionable information on suspected Iranian uncategorized (UNC) groups that are active right now.
We get right into it with a picture of Iranian compromise activity from just a few years ago - what we observed and the basic, cookie-cutter approach to their intrusions - and then begin to walk through the stark contrast to their TTPs today. We discuss how and why their Computer Network Operations (CNO) has evolved quickly and provide a detailed walk through all of the graduated Iranian APT groups.
Our experts share their experiences with each group, moments in time that surprised or impressed us from Iranian threat actors, and notable shifts in behavior - as well as our standing questions. Iranian intrusion operators have come a long way from DDoS & defacement, basic scanning, Cain & Abel and ASPXspy... to DNS hijacking, social engineering via LinkedIn, information operations, and backdoors like QUADAGENT, SANDSPY, TANKSHELL - then filling in the gaps with the quick adoption of offensive security post-compromise tools and techniques.
We close this first episode of season 3 with an overview of actionable mitigations to secure against both Iranian intrusions and several other threats, including disruptive and destructive ransomware attacks. For more information on these mitigations as well as our public source material supporting the discussion from the show, please check out:
• APT33 graduation: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
• APT33 webinar & examples: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
• An example TEMP.Zagros phishing campaign: https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html
• APT35 highlights in MTrends 2018: https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
• Iranian information operations: https://www.fireeye.com/blog/threat-research/2018/08/suspected-iranian-influence-operation.html
• RULER home page usage by Iranian groups & mitigations: https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
• APT39 graduation: https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html
• Iranian DNS Hijacking (DNSpionage): https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
• More Iranian influence operations: https://www.fireeye.com/blog/threat-research/2019/05/social-media-network-impersonates-us-political-candidates-supports-iranian-interests.html
• APT34 social engineering via LinkedIn: http://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
• FireEye response to mounting U.S.-Iran tensions: https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-response-to-mounting-us-iran-tensions.html
• U.S.-Iran tensions webinar & mitigations overview: https://www.brighttalk.com/webcast/7451/382779