Cyber Warfare, the who’s who of Iranian cyber threat

Proofpoint detailed 11 Iranian cyber attack groups, their preferred TTPs, targets, and countries

The threat of a possible Iranian cyber offensive against US interests worldwide is real. But who are the Tehran state-sponsored hackers who could be responsible for the attacks? Proofpoint cyber security experts detailed 11 Iranian attack groups and their preferred TTPs. They also published information on the industries, countries and regions these APTs are known to have targeted, and an overview of their tactics.

The Iranian Attack Groups

According to the cyber security experts, the main Iranian attack groups are:

  1. APT 33/Elfin: A group that since 2013 has been targeting aviation, energy, government, health care, and transportation sectors in Saudi Arabia, South Korea, and the United States. Some believe this group is responsible for the Shamoon attacks. Proofpoint tracks this group as TA451 and they have been active as recently as December 2019.
  2. APT 39/Chafer: A group that since 2014 has been targeting government, telecommunications, and travel sectors to collect personal information. Proofpoint tracks this group as TA454 and they have been active as recently as June 2019.
  3. Charming Kitten: A group that since 2014 has been targeting individuals in academic research, government, human rights groups, media, military, and technology sectors in Iran, the United States, Israel, and the United Kingdom by gaining access to personal email and Facebook accounts. Proofpoint tracks this group as TA453 and they have been active as recently as September 2019.
  4. Cleaver: A group or operation that was first tracked in 2014 targeting aviation, energy, military, transportation, health care, and utilities sectors in China, France, Germany, India, Israel, Saudi Arabia, and the United States. They are believed to have used fake LinkedIn accounts as part of their attacks.
  5. CopyKittens: A group that since 2013 has been targeting users in Germany, Jordan, Turkey, Saudi Arabia, and the United States.
  6. Group5 (Suspected): Attribution to Iran is not definitive, but this group has targeted individuals connected to the Syrian opposition with malware through spearphishing and watering hole attacks.
  7. LeafMiner: A group that since 2017 has targeted the email of individuals in government and businesses in the Middle East.
  8. Magic Hound: A group that since 2014 has targeted the energy, government, and technology sectors in Saudi Arabia.
  9. MuddyWater: A group that since 2017 has targeted the energy, government, media, and telecommunications sectors in Europe, the Middle East, and North America. Proofpoint tracks this group as TA450 and they have been active as recently as January 2020.
  10. OilRig: A group that since 2014 has targeted the aviation, energy, financial, government, media, technology, telecommunications, and transportation sectors in the Middle East. Proofpoint tracks this group as TA452 and they have been active as recently as December 2019.
  11. Silent Librarian/Cobalt Dickens: Silent Librarian is a group that since 2013 has targeted universities around the world. Proofpoint tracks this group as TA407. A related group known as Cobalt Dickens has targeted construction, media, health care, higher education/academia, and transportation sectors. Proofpoint tracks this group as TA4900. These groups were active as recently as December 2019 and September 2019 respectively.

Who attacks what

Proofpoint also traced the industries targeted by Tehran’s cyber army, listing the Iranian attack groups known to target each:

  1. Government: APT 33/Elfin, APT 39/Chafer, Charming Kitten, LeafMiner, Magic Hound, MuddyWater, OilRig.
  2. Energy: APT 33/Elfin, Cleaver, Magic Hound, MuddyWater, OilRig.
  3. Media: Charming Kitten, MuddyWater, OilRig, Silent Librarian/Cobalt Dickens.
  4. Telecommunications: APT 39/Chafer, MuddyWater, OilRig.
  5. Aviation: APT 33/Elfin, Cleaver, OilRig.
  6. Health Care: APT 33/Elfin, Cleaver, Silent Librarian/Cobalt Dickens.
  7. Technology: Charming Kitten, Magic Hound, OilRig.
  8. Transportation: APT 33/Elfin, Cleaver, OilRig, Silent Librarian/Cobalt Dickens.
  9. Construction: Silent Librarian/Cobalt Dickens.
  10. Higher Education/Academia: Charming Kitten, Silent Librarian/Cobalt Dickens.
  11. Military: Charming Kitten, Cleaver.
  12. Financial: OilRig.
  13. Human Rights Groups: Charming Kitten.
  14. Travel: APT 39/Chafer.
  15. Utilities: Cleaver.

The countries targeted by cyber warfare/espionage actors

The countries and regions targeted by Iranian attackers, with the groups active against each, are:

  1. Saudi Arabia: APT 33/Elfin, Cleaver, CopyKittens, Magic Hound, OilRig.
  2. United States: APT 33/Elfin, Charming Kitten, Cleaver, CopyKittens.
  3. Israel: Charming Kitten, Cleaver, CopyKittens.
  4. China: Cleaver.
  5. France: Cleaver.
  6. Germany: Cleaver, CopyKittens.
  7. India: Cleaver.
  8. Iran: Charming Kitten.
  9. Jordan: CopyKittens.
  10. South Korea: APT 33/Elfin.
  11. Turkey: CopyKittens.
  12. United Kingdom: Charming Kitten.
  13. European Union: MuddyWater.
  14. Middle East: LeafMiner, MuddyWater, OilRig.
  15. North America: LeafMiner, MuddyWater.

The APTs’ favourite TTPs

Finally, the tactics favored by Iranian attackers, with the groups known to use each, are:

  1. Stolen Credentials: APT 33/Elfin, APT 39/Chafer, Magic Hound, MuddyWater, OilRig, Silent Librarian.
  2. Email Infiltration: Charming Kitten, LeafMiner, Magic Hound, Silent Librarian.
  3. Malware: CopyKittens, Group5, Magic Hound.
  4. Personal Information Gathering: Charming Kitten.
  5. Social Media Targeting: Charming Kitten, Cleaver.
  6. Phishing: Group5, Magic Hound, Silent Librarian.
  7. Watering Hole Attacks: Group5.