Assessing Iran’s Digital Attack Capabilities


In light of the recent targeted killing of Iran’s Maj. Gen. Qassem Soleimani ordered by the United States, there has been increased speculation and tension surrounding potential cyber-attacks directed at the US and its allies. ZeroFox Alpha Team has been actively monitoring activity across social and digital channels to address the threats and capabilities associated with Iran, what risks these groups pose, and how they may impact organizations like yours.

The Threats Associated with Iran’s Cyber Capabilities

Iran has a mature Computer Network Operations (CNO) capability leveraged by multiple groups, both civilian and military. These groups are often segmented from each other due to bureaucracy and thus are unable to coordinate all of their resources effectively.

Iran has varying levels of resourcing and motivations associated with each operating group, ranging from non-technical to Advanced Persistent Threat (APT), and from non-funded but highly politically motivated to nation-state-funded attackers. ZeroFox classifies the various threats associated with Iran into four groups ranked by their access to funding and their motivation:

Figure 1. Breakdown of groups operating in Iran and their motivations


There are a number of groups in the military and civilian government services that operate in varying capacities, including APT33, APT34, APT35, and APT39.

These government-sponsored groups have been seen using standard built-in Windows tools, which lets them avoid introducing new software or tools into the victim environment (in most cases, however, they will use 3rd party tools in addition to standard software). All of the APT groups have been seen initially trying to compromise their victims through highly targeted phishing attacks, also known as spearphishing, while groups like APT35 will spearphish in addition to compromising publicly available sites through SQL injection.

All of these groups will also attempt to dump victim credentials using various software, with the majority using Mimikatz to collect these credentials. Most of these groups will also use WinRAR to compress their data before exfiltrating it, potentially to avoid network scanners or DLP solutions.
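A defender-side illustration of the two behaviours above, added here and not ZeroFox's own tooling: it checks parsed process-creation records for Mimikatz module syntax and for WinRAR creating a password-protected archive. The event fields, hosts, paths and command lines are constructed samples; the Mimikatz module names (sekurlsa, lsadump) and the rar switches (-p, -hp) are the tools' real ones, and the archive rule is a heuristic.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records, shaped like parsed Sysmon Event ID 1
# or Security 4688 entries. Hosts, paths and the password are made up.
SAMPLE_EVENTS = [
    {"host": "ws-014", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users"},
    # Renamed binary: the rule keys on module syntax, not on the file name.
    {"host": "ws-014", "image": r"C:\Users\Public\m.exe",
     "cmdline": r'm.exe "sekurlsa::logonpasswords" exit'},
    {"host": "fs-02", "image": r"C:\ProgramData\Rar.exe",
     "cmdline": r"Rar.exe a -hpEXAMPLE -r C:\ProgramData\out.rar D:\Finance"},
    # Benign: extracting an archive with the installed WinRAR.
    {"host": "ws-201", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" x report.rar'},
]

# Mimikatz commands are written as module::command.
CRED_DUMP = re.compile(r"\b(?:sekurlsa|lsadump)::\w+", re.IGNORECASE)
RAR_NAMES = {"rar.exe", "winrar.exe"}

def split_args(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def is_archive_staging(event):
    """rar/WinRAR run with the 'a' (add) command plus a password switch.

    -p sets a password; -hp also encrypts the file headers, which hides
    file names from content inspection such as DLP.
    """
    if PureWindowsPath(event["image"]).name.lower() not in RAR_NAMES:
        return False
    args = split_args(event["cmdline"])[1:]          # drop the program token
    commands = [a for a in args if not a.startswith("-")]
    switches = [a.lower() for a in args if a.startswith("-")]
    adds = bool(commands) and commands[0].lower() == "a"
    return adds and any(s.startswith(("-hp", "-p")) for s in switches)

def triage(events):
    """Return (host, rule) pairs for every record that matches a rule."""
    hits = []
    for ev in events:
        if CRED_DUMP.search(ev["cmdline"]):
            hits.append((ev["host"], "credential_dumping"))
        if is_archive_staging(ev):
            hits.append((ev["host"], "encrypted_archive_staging"))
    return hits

if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```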

These APTs’ targets range broadly, from telecommunications and travel industries aligned with Iran’s priorities to multiple industries in the US, Saudi Arabia, South Korea, and Israel, with a focus on the aviation and energy sectors. Some groups distinctly focus on financial, government, energy, chemical, and telecommunications targets in the Middle East as well.

Figure 2. Map of Iranian APT Targets


Iran’s cyber capabilities extend beyond just government actors and espionage and destructive missions. There are several criminal organizations operating in Iran, such as Silent Librarian, ITSecTeam, and Mersad Company. Several private companies and Iranian citizens have been indicted by the US Department of Justice for involvement in the development of tools to sell to Iranian cyber groups. They have also been directly involved in the theft of intellectual property and selling the stolen property to buyers both inside and outside of Iran.

The TTPs of criminal groups are very close to those of the government-sponsored APT groups. We assess with moderate confidence that this is because 3rd party tool developers/operators are reusing the same tools and techniques sold to government groups for freelance criminal activities.


Several patriot and idealist groups, such as Rocket Kitten, Internal Proxies, Basij Cyber Council, Cutting Sword, and Cyber Fighters of Izz ad-Din al-Qassam fall into this category.

Actors in this group are highly motivated by their desire to serve their country and strive to defend it however they can. These attackers typically aren’t well-funded as they are normal citizens of their country, which limits the threat they pose. These groups are not directly affiliated with the government but are often brought together and given training by political or religious organizations in Iran.

These groups usually don’t have high-end toolsets. They often use open source tools and techniques. Using well-known techniques adds a level of obfuscation to their activities, making attribution hard.

Script Kiddies

The recent website defacements of public sites are most commonly attributed to script kiddies because they hit targets of opportunity, such as the Texas Department of Agriculture or the South Alabama Veterans Council site, rather than specific sites whose defacement would cause more of an impact.

Figure 3. Image used to deface the South Alabama Veterans Council Site.

Risks to Your Organization

As broken down above, the motivations and skill sets of the groups currently active in Iran vary greatly. Smaller companies that do not have the resources available to protect themselves will be as much of a target from Iran as from any random hacker on the Internet. If state-sponsored APTs are in your threat model, then you should have identified and/or employed potential mitigations to the threats associated with them. For instance, APT33 has used Shamoon wiper malware in the past, and if your organization has a robust Disaster Recovery plan in place, you would be prepared for this type of attack.

Looking at other typical types of threats from groups operating in or with Iran, the following recommendations could be followed for how to mitigate some of these threats:

  • Use 2FA for all available services. Not all attacks can be stopped simply by using 2FA; however, it is an excellent method for ensuring that access to your resources cannot be defeated through credential stuffing attacks. Charming Kitten has been observed trying to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. Using 2FA could help protect your social media accounts from attackers accessing them.
  • Ensure your systems are kept up-to-date with the most recent patches, especially external-facing systems like web servers or mail servers. Magic Hound/APT35 has been seen using publicly available tools, such as Havij and sqlmap, to target publicly available servers in the energy, government, and technology sectors that are either based in or have business interests in Saudi Arabia.
  • Have a Disaster Recovery Plan in place to be able to quickly and effectively recover from wiper malware impacting your systems. The Shamoon wiper malware, used by APT33, has been seen in recent years targeting industrial players in the Middle East and Europe.
  • Remain vigilant to spearphishing attempts targeting your employees and organization to prevent credential compromise or the use of malicious attachments to gain access. APT39 has previously used spearphishing to initially compromise victims in the telecommunications sector, with additional targeting of the travel industry, the IT firms that support it, and the high-tech industry.


While the threat from Iran is real, depending on your vertical, defenses, and scope, you may never experience any targeted attacks. There is a lot of noise and media attention focused on this, and with smaller attackers hitting any target of opportunity, there is bound to be more news about this, which can cause panic. This is also a perfect time for other attackers to mimic Iranian APT techniques to increase tension and create false flags for targeting other interests.

Protecting your organization, executives and customers against attacks wherever they originate is critical. ZeroFox customers can access more advisories like this one through the ZeroFox Alpha Team tab. Not yet a ZeroFox customer? Learn more about our finished intelligence and digital risk protection solution here.
