S3E1: Spotlight Iran - from Cain & Abel to full SANDSPY


State of the Hack

Technology


In response to increased U.S.-Iran tensions stemming from the recent killing of Quds Force leader Qasem Soleimani by U.S. forces, and concerns about potential retaliatory cyber attacks, we're bringing the latest from our front-line experts on all things Iran. Christopher Glyer and Nick Carr are joined by Sarah Jones (@sj94356) and Andrew Thompson (@QW5kcmV3) to provide a glimpse into Iran-nexus threat groups, including APT33, APT34, APT35, APT39, and TEMP.Zagros, as well as the freshest actionable information on suspected Iranian uncategorized (UNC) groups that are active right now.

We get right into it with a picture of Iranian compromise activity from just a few years ago: what we observed, and the basic, cookie-cutter approach to their intrusions. We then walk through the stark contrast with their TTPs today, discuss how and why their Computer Network Operations (CNO) have evolved so quickly, and provide a detailed walk-through of all of the graduated Iranian APT groups.

Our experts share their experiences with each group, moments in time that surprised or impressed us from Iranian threat actors, and notable shifts in behavior, as well as our standing questions. Iranian intrusion operators have come a long way from DDoS and defacement, basic scanning, Cain & Abel and ASPXspy to DNS hijacking, social engineering via LinkedIn, information operations, and backdoors like QUADAGENT, SANDSPY and TANKSHELL, filling in the gaps with the quick adoption of offensive security post-compromise tools and techniques.

We close this first episode of season 3 with an overview of actionable mitigations to secure against both Iranian intrusions and several other threats, including disruptive and destructive ransomware attacks.
For more information on these mitigations, as well as our public source material supporting the discussion from the show, please check out:

• APT33 graduation: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
• APT33 webinar & examples: https://www.brighttalk.com/webcast/10703/275683
• APT34 targeted attack in the Middle East: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
• An example TEMP.Zagros phishing campaign: https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html
• APT35 highlights in M-Trends 2018: https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
• Iranian information operations: https://www.fireeye.com/blog/threat-research/2018/08/suspected-iranian-influence-operation.html
• RULER home page usage by Iranian groups & mitigations: https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
• APT39 graduation: https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html
• Iranian DNS hijacking (DNSpionage): https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
• More Iranian influence operations: https://www.fireeye.com/blog/threat-research/2019/05/social-media-network-impersonates-us-political-candidates-supports-iranian-interests.html
• APT34 social engineering via LinkedIn: http://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
• FireEye response to mounting U.S.-Iran tensions: https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-response-to-mounting-us-iran-tensions.html
• U.S.-Iran tensions webinar & mitigations overview: https://www.brighttalk.com/webcast/7451/382779