Welcome back to the Cyber Resilience Brief, a SafeBreach podcast, where we pull back the curtain on the world's most sophisticated threat actors to help you stay one step ahead, or maybe five. I'm your host, Tova Dvorin.

And I'm Adrian Culley, offensive cybersecurity engineer here at SafeBreach. My day job is thinking like the adversaries so you don't have to, simulating the breaches before they actually happen. Still listening to my rants.

But today, we're kicking off a massive six-part series. We're diving deep into a region that has become a masterclass in asymmetric digital warfare: Iran.

It's a fascinating case study, Tova. We've been looking at some incredible new research that maps out the evolution of Iranian cyber operations. Most people think of nation-state threats and immediately look at Russia or China. But Iran, they play a different game. It's low-cost, high-impact, and incredibly retaliatory.

In this first episode, The Phoenix Rises, we're looking at the big bang moment for Iranian cyber. Adrian, if we're talking about the catalyst that turned a regional power into a digital superpower, we have to talk about Natanz. Right?

Exactly. To understand where they are in 2026, you have to go back to 2010. That's Stuxnet. For those who don't know, it was a hyper-sophisticated worm that targeted the Siemens programmable logic controllers, PLCs, at the Natanz nuclear facility. Countdown to Zero Day by Kim Zetter is a very, very detailed account of this if anybody wants to deep dive into it. But let's touch on the main points. It physically destroyed the centrifuges used for uranium enrichment by making them spin out of control while showing the operators that everything was normal on their screens. Brilliant too. It's the first time we saw code actually manifest as physical destruction.

Right. And for Iran, it was a humiliating wake-up call.
Before Stuxnet, their cyber focus was internal: filtering the Internet, tracking dissidents during the 2009 Green Movement. After Stuxnet, the regime realized that they didn't need a massive navy or an air force to strike back at the West. They needed keyboard warriors. And our research shows the shift was institutional and swift. They didn't just get mad. They got organized, and they are trying to get even.

They did, Tova. They viewed cyber as a way to level the playing field, and they created the Supreme Council of Cyberspace for Iran. They started funding what we now call advanced persistent threats, APTs, but they didn't do it the way we do. As we discussed in our previous Emennet Pasargad episode, they utilized the contractor model: private tech firms that are legitimate by day, but state-sponsored offensive cybersecurity cells by night.

So they built the infrastructure. When do we see the first real punch back?

So that would be 2012, fourteen years ago, the Shamoon attack. If Stuxnet was a scalpel, which it was, Shamoon was an absolute sledgehammer.

Right. That was with Saudi Aramco. Can you tell us a little bit about that?

So, very interesting. Thirty-five thousand hard drives at Saudi Aramco were wiped clean in hours. The data was replaced with the image of a burning American flag. It wasn't about stealing secrets. It was about disruption as a message. This was widely acknowledged as being the birth of the wiper era.

And it seems like their early doctrine was very noisy. We're talking about DDoS attacks on US banks and then wiping data. It's very bold. Subtlety doesn't seem to be their strong point.

Absolutely, Tova. Not subtle at all. Between 2012 and 2016, they were just trying to prove that they could draw blood. They hit the financial sector with Operation Ababil, massive DDoS attacks that sidelined JPMorgan and Wells Fargo. But as we move into the current era, it's clear they've matured.
They've moved from wipers to persistence, something that we see with other threat actor groups. They're not just trying to kick the door down anymore. They're trying to pick the lock and live in your basement for three years without you knowing they're there.

Yikes. And this is where it gets real for our listeners. If Iran has moved from noisy attacks to this stealthy persistence, how does a modern enterprise defend against that, especially when they use these hybrid contractor groups that don't always follow a predictable playbook and don't always reveal who they are?

This is exactly what we talk about when we're discussing continuous threat exposure management, or CTEM. You can't just do a penetration test once a year and call it a day. Iranian actors exploit the gaps between those tests.

So just like the cracks in the walls that the cockroaches who live in your basement end up crawling between in order to continue moving in your environment, that's what Iran is doing, essentially, in your cyber environment. Now let's talk about how BAS and CART fit into this Iranian threat profile.

So think about breach and attack simulation, BAS, as your foundational check. At SafeBreach, we have what we call a Hacker's Playbook. It contains thousands of methods used by groups like APT33 or OilRig. We can simulate an Iranian wiper attack in your environment safely. We're not actually deleting your data, but we're seeing if your EDR, your endpoint detection and response, actually sees the behavior. This is the key point. We're doing this behaviorally. And when we simulate that behavior, does your EDR detect that behavior as if it is a genuine wiping attempt?

So it's about validating the tools you already paid for and also detecting the human behind the cyber.

Exactly. But then you have CART, continuous automated red teaming. This is where we step into being completely offensive. While BAS tests your controls, CART acts like the adversary.
It looks for those lateral movement paths. If an Iranian actor gets into a low-level dev server, can they pivot to the crown jewels? CART finds those paths automatically and continuously.

Right. It's like a red team in your pocket. And essentially what we're doing here is adversarial exposure validation. How does that fit into this framework?

So you're right about red team in your pocket, Tova. The upstream never sleeps. The upstream is harnessing artificial intelligence. They're harnessing automation for augmentation of their hacking and spying. You have the ability now, between CTEM, BAS, and CART, to take the same approach so that your validation of your security controls never sleeps.

So AEV provides the "so what" factor. It's taking the data from the BAS and CART and saying, okay, we found a thousand vulnerabilities, but only three of them can actually be exploited by an Iranian APT to reach your customer database. It's about prioritizing what matters so your team doesn't burn out.

So let's talk about why we're speaking about Iran now, and it's not just because of our series on China, Russia, Iran, and North Korea. According to press reports, Iranian groups are increasingly targeting the supply chain. These are smaller vendors that lead into the big targets. And we've seen Iran a lot in the news lately. How does it all tie together?

So we mentioned at the start of the podcast, Tova, that the defining characteristic of the Iranian advanced persistent threats, the cyber element of the Islamic Revolutionary Guard Corps, is retaliatory. Iran at the moment is in significant civil unrest. There are very strong indications that the regime of the mullahs may be falling. And whilst that may be true politically and physically and practically, the hacking groups remain under control of the IRGC and the mullahs. And it's likely that we will see retaliatory lashing-out activity.
And although they've become more sophisticated, as they become more desperate, we may see a reversion to blunt tech attacks such as the Shamoon attack on Saudi Aramco. But we may also see something that we've seen to a degree with the Russian threat groups and those useful fools affiliated to them, so whether it's Sandworm directly or the affiliated groups like Scattered Spider, Scattered LAPSUS$ Hunters, ShinyHunters. What we may see is Iranian groups that have managed to be persistent, that have managed to get into organizations in the West and have been dwelling. What we may well see in the very near future, particularly if the world becomes more unstable in the coming weeks and months, sadly, what we may see is them taking the covers off of that persistence and actually subverting and attacking. There have been CISA advisories and FBI advisories during December 2025 about exactly this for operational technology estates in the West. There is a strong indication from Western intelligence that Iranian groups are sat inside Western operational technology, particularly in critical national infrastructure, and they're waiting to, for lack of a better phrase, pull the plug or push the button.

Right. In other words, if you're a CISO listening to this and you're worried about the phoenix rising in your network, it's not just about security validation. It's about paying attention to current events. But what other advice do we have to offer them as well?

Great question, Tova. As a CISO, the first thing you have to do, fundamentally, philosophically, and practically, is stop guessing. Security drift is real. Your configuration today isn't what it was yesterday. It's dynamic. Use a platform to run these simulations daily. If APT33 drops a new piece of malware, like we saw with the drop shop evolution, for example, recently, you should be able to click a button and know within minutes if you're protected and where your gaps are.

Exactly.
Validation is the antidote to uncertainty. Why guess when you could know?

Well, that's a very precise summary, Tova, for them. Nobody wants to see that burning American, or any other nation-state, flag on their computer screen to find out that their firewall was misconfigured. Get ahead of this. This is the whole point of CTEM, CART, BAS: embrace offensive cybersecurity, hack yourself, and close the gaps.

Absolutely, Adrian. That's a wrap for our first episode on Iran. We've covered the history, the shift from Stuxnet to Shamoon, and why continuous validation is the only way you'll get to sleep at night. Stick around for episode two, our faithful listeners. We're going to go inside the command centers of the IRGC in Iran. We're going to talk about the internal rivalry between the IRGC and the MOIS and how that competition actually makes them more dangerous for you.

Absolutely. You won't want to miss it.

Thanks to Adrian and the whole SafeBreach team. I'm Tova Dvorin. See you next time. Stay safe.

Stay safe with SafeBreach. The Cyber Resilience Brief is the SafeBreach podcast. Executive produced by Adrian Culley and Tova Dvorin. Music produced by Sar Dressner. Posted, edited, and compiled on Riverside. For more about SafeBreach and how you can validate your security controls across your entire IT infrastructure, visit us at www.safebreach.com. That's w w w dot s a f e b r e a c h dot com.