Over the past three months, authorities have issued warnings about connections between various Iranian threat groups and several significant cybersecurity incidents, including multiple ransomware attacks and a sophisticated social-engineering scheme targeting various groups and individuals.

While not at the same level as Russia and China, Iran’s cyber capabilities have increased and improved over the years. Threat groups associated with the country’s government have demonstrated the ability to conduct destructive operations as well as cyber-espionage campaigns.

Since July, Iranian cyber groups have been linked to several significant cybersecurity incidents, including:

• A large-scale ransomware attack first detected in July targeted infrastructure within Albania’s government, which led the country (a NATO member) to cut diplomatic ties with Iran. On Sept. 21, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency issued a joint statement attributing the attack to a group linked to Iran’s government, noting the incident involved “a ransomware-style file encryptor and disk wiping malware.”
• In September, the U.S. Attorney’s Office in New Jersey unsealed an indictment that charged three Iranian nationals with attacking “hundreds” of networks inside and outside the U.S., including health care organizations and government entities and trying to extort victims using ransomware.
• Also in September, security firm Proofpoint detailed a sophisticated social-engineering campaign allegedly tied to Iran’s Revolutionary Guard Corps. In this case, attackers spoofed email addresses associated with legitimate organizations to target individuals to gather intelligence on a range of topics, including nuclear arms control. 

In the case of social-engineering campaigns, researchers concluded the operation is tied to an Iranian state-sponsored threat actor that the company calls TA453, which is also known by the names Charming Kitten or APT42. What made this campaign unusual is that the spear-phishing emails used multiple fake personas to help make the message seem more legitimate.

This type of campaign shows Iran is deploying even more complex and intricate techniques to help disguise its motivations, said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.

“As more awareness and reporting on the group has hardened their traditional targets and increased awareness of them as a threat, TA453 has been forced to innovate their techniques,” DeGrippo recently told Dice. “This latest innovation has resulted in their use of multi-persona impersonation—MPI. Proofpoint has previously observed this technique from advanced business email compromise actors such as TA2520, but TA453's use of MPI is intriguing because it is being used in very targeted attacks and for espionage purposes.”

Iranian Threats

While Russia and China tend to dominate the headlines when it comes to various nation-state cyber threats—Russia’s recent military invasion of Ukraine has raised the specter of large-scale cyberattacks—countries like Iran and North Korea tend to run under the radar but continue to develop fresh techniques. This, in turn, should make technology professionals take notice.

“If you zoom out and look at the full scope of nation-state activity, Iran has not slowed their efforts. Just like any organized group, their persistence is key to their success, both in the long term and short term,” Aubrey Perin, lead threat intelligence analyst at Qualys, told Dice. “Cyber professionals must always remain vigilant, as bad actors are opportunistic. With the rise in global tensions paired with fears of inflation, recession and war, criminal hacking gangs of all kinds likely have no interest in slowing down or stopping operations.”

For cybersecurity and technology professionals looking to protect their organizations, these types of nation-state threats are more difficult to detect than financially-motivated groups, since espionage requires long-term strategic planning and the ability to remain undetected within compromised networks.

“It is important for organizations to understand their particular risk profile against the various adversarial nation-states to determine the likelihood of being targeted. They need to continue to monitor trusted threat intelligence sources to understand the adversary’s [tactics, techniques and procedures] that they need to guard against,” Michael DeBolt, chief intelligence officer at Intel 471, told Dice. “Also, attacks conducted by the direction or in alignment with a nation-state will be done with a strategic objective in mind and will sometimes be executed in an attempt to influence or respond to geo-political activities happening in the world. Defenders must pay attention to global events that may spark this type of activity.”

Rethinking Skills and Training for Tech Pros and Employees

The types of cyber threats that Iran is conducting should serve as a wake-up call for cybersecurity professionals to bolster their skill sets to detect and counter these types of operations. Experts also note that technologists are responsible for ensuring employees know they could be targeted, as well.

“Cybersecurity is a layered effort that requires training for all employees in a variety of areas. In other words: What does good cyber hygiene looks like? How should employees report suspicious behaviors? Who is the person to report suspicious behavior to? Do organizations have the training to use the infrastructure that handles the reporting?” Perin asked. “When creating training mechanisms for employees, it is important to refer to different best practices and guidelines provided by the industry, such as NIST’s cybersecurity framework.”

Mike Parkin, a senior technical engineer at Vulcan Cyber, noted there are many types of programs (both paid and free) that organizations can invest in to increase their cyber awareness. Tech and security pros, however, need to lead the way.

“There are myriad training programs available from multiple vendors, including free resources so an organization could create their own home-grown program if they were so inclined and had the skill to do it,” Parkin told Dice. “The challenge is finding the right level of paranoia. You want to be at the point where you are wary of anything suspicious, but not so wary it interferes with getting the job done. This is especially true for social engineering and phishing attacks, though there are extant tools that can help protect against both vectors.”

For many organizations, the first step to improving cyber awareness is to understand if they oversee or maintain the type of critical infrastructure that Iran or another nation-state could target. From there, executives need to give tech and cyber pros the resources to build a better defensive program.

“Building a very risk-averse cyber defense program, maintaining relationships with as many public-private threat intelligence sharing communities and securing budget that allows for innovative solutions to deploy to help manage a cyber program has to be a board-level strategy,” Andrew Barratt, vice president at security consulting firm Coalfire told Dice. “This will start bringing awareness to business decision-makers and show them that even being part of an event that wasn’t directly targeting them could have some significant downstream revenue implications if a threat can’t be quickly contained upon discovery.”

DeGrippo also noted that countering these types of attacks requires long-term strategy, skills development by security teams, and building awareness throughout an organization, especially for those employees outside the tech shop.

“Long term, organizations should focus on a cybersecurity strategy based on people, processes, and technology,” DeGrippo said. “This means training individuals to identify malicious emails, using email security tools to block threats before they reach users’ inboxes and putting the right processes in place to ensure that threats can be mitigated immediately.”