However, we all know that Iran has many Advanced Persistent Threat (APT) Groups, and that there is much more to watching for such activity than patching your systems and telling your users to be aware. A large org will want to know more about the behaviors of documented Iranian APT Groups. Often these insights include the known malware families used by the actor, or which sectors or countries the group has historically attacked.
I’ve seen several documents that share a woefully incomplete list of APT groups from Iran, so I’ve tried to pull together some helpful links to the main groups below. In each case, if there is a “MITRE Group #” after the main title, you will find a very robust list of TTPs (Tactics, Techniques, and Procedures) for the group and links to many more reports and resources about it than I have provided below. However, I DO like the reports I’ve listed and think you might want to read them as part of a “basic understanding” before following a dozen reports about the same group. One slight complaint about the MITRE data, and APT Group naming in general, is that there is a great deal of disagreement about which group names are aliases for the same group, and which may be entirely different groups that just share some tools with one another. Hey, I’m doing the best I can here, and so is MITRE. It’s tricky! If you feel I’ve really got something screwed up, leave a comment! Let’s chat!
It seems most every vendor likes to put its own personal spin on APT Group naming. I have to confess to being a sucker for the CrowdStrike naming conventions (Hi Adam! Hi Dmitri! Hi Shawn!). They assign a different animal to each country and label every APT Group with the animal for the country the group is hosted in. Their animal for Iran is “Kitten” (as in “Persian Kitten”, get it?).
While there are several excellent APT disambiguation efforts, my favorite for ease of use is the one run by Florian Roth (Twitter @Cyb3rops) – APT Groups and Operations. Go to the Iran tab. There are columns for malware sets and links related to each group as well.
If you prefer a much more detailed read on APT Groups, ThaiCERT has an amazing Threat Actor Encyclopedia! A 275-page omnibus of APT! However, it is really tricky to pull out, for example, JUST the Iran stuff from it.
For now, I’ll organize this by the CrowdStrike Kitten Names. Their set includes at least:
- Charming Kitten/Imperial Kitten (AKA APT35, Tortoiseshell) – MITRE: G0058
- Clever Kitten (AKA Group41)
- Cutting Kitten (AKA COBALT GYPSY, AKA TG-2889)
- Flash Kitten (AKA Leafminer, AKA Raspite) – MITRE: G0077
- Flying Kitten / Rocket Kitten (AKA Saffron Rose AKA Group26) – MITRE: G0059
- Helix Kitten / Twisted Kitten (AKA APT34, AKA OilRig) – MITRE: G0049
- Refined Kitten (AKA APT33, AKA Magic Hound, AKA Timberworm) – MITRE: G0058
- Remix Kitten (AKA APT39, AKA Cadelle, and some say AKA Chafer) – MITRE: G0087
- Slayer Kitten (AKA CopyKittens) – MITRE: G0052
- Static Kitten (AKA MuddyWater, AKA TEMP.Zagros) – MITRE: G0069
- Cyber Fighters of Izz Ad-Din Al Qassam – the bank DDoS guys.
- DarkHydrus (AKA Lazy Meerkat) – some say is actually also Slayer Kitten, others disagree
- Gold Lowell (AKA Boss Spider) – these are the SamSam Ransomware guys
- Iridium – these are the guys that hit the Australian Parliament. A single company (ReSecurity) claims they are Iranian, but they used “China Chopper” malware, so… The same company tied them to 6 TB of data stolen from Citrix customers. A bit debunked.
- Silent Librarian (AKA Mabna Institute)
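The naming disagreements described above (one MITRE ID listed under two Kitten names, DarkHydrus possibly being Slayer Kitten) are exactly what an analyst wants flagged before using a list like this to enrich alerts. As an added example that is not from the original post, this Python parses the bullet format used in the list above, builds a reverse alias index, resolves any vendor alias to its CrowdStrike name, and reports aliases or MITRE IDs claimed by more than one group; the input lines are taken from the list on this page, with the DarkHydrus line restated in the same format (constructed here).

```python
import re
from collections import defaultdict

# Input is the page's own bullet list (the DarkHydrus line restates the post's "some say" note in the same format).
PAGE_LIST = """
- Charming Kitten/Imperial Kitten (AKA APT35, Tortoiseshell) – MITRE: G0058
- Flash Kitten ( AKA Leafminer, AKA Raspite) – MITRE: G0077
- Helix Kitten / Twisted Kitten (AKA APT34, AKA OilRig) – MITRE: G0049
- Refined Kitten (AKA APT33, AKA Magic Hound, AKA Timberworm) – MITRE: G0058
- Remix Kitten (AKA APT39, AKA Cadelle, and some say AKA Chafer) – MITRE: G0087
- Slayer Kitten (AKA CopyKittens) – MITRE: G0052
- DarkHydrus (AKA Lazy Meerkat, and some say AKA Slayer Kitten)
"""
# "- Name (AKA a, AKA b) – MITRE: G0000"; the alias list and the MITRE ID are both optional.
ENTRY = re.compile(r"^-\s*(?P<name>[^(–]+?)\s*(?:\((?P<aka>[^)]*)\))?\s*(?:–\s*MITRE:\s*(?P<mitre>G\d{4}))?$")
HEDGE = re.compile(r"\b(?:AKA|and some say)\b")

def parse_entries(text):
    """Turn bullet lines into records; 'Helix Kitten / Twisted Kitten' counts as two vendor labels."""
    records = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the list format
        name = m.group("name").strip()
        aliases = [p.strip() for p in name.split("/")]
        aliases += [a for a in (HEDGE.sub("", p).strip() for p in (m.group("aka") or "").split(",")) if a]
        records.append({"name": name, "aliases": aliases, "mitre": m.group("mitre")})
    return records

def build_index(records):
    """Reverse indexes: lowercase alias -> primary names claiming it, MITRE ID -> primary names claiming it."""
    by_alias, by_mitre = defaultdict(set), defaultdict(set)
    for r in records:
        for a in r["aliases"]:
            by_alias[a.lower()].add(r["name"])
        if r["mitre"]:
            by_mitre[r["mitre"]].add(r["name"])
    return by_alias, by_mitre

def resolve(alias, by_alias):
    """CrowdStrike name(s) for a vendor alias; an empty list means unknown, two or more means disputed."""
    return sorted(by_alias.get(alias.strip().lower(), ()))

def conflicts(by_alias, by_mitre):
    """Aliases and MITRE IDs claimed by more than one group: the disagreements the post warns about."""
    return ({a: sorted(g) for a, g in by_alias.items() if len(g) > 1},
            {m: sorted(g) for m, g in by_mitre.items() if len(g) > 1})
```

Run the same functions over a second vendor's alias list and the conflict report shows where the two vendors disagree, which is the check to do before merging feeds into one actor profile.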
This is a Security Bloggers Network syndicated blog from CyberCrime & Doing Time authored by Gary Warner, UAB. Read the original post at: http://garwarner.blogspot.com/2020/01/iranian-apt-group-overview.html