
The physical conflict involving Iran that has played out in the Middle East over the last several days is expected to increasingly spill over into the cyber realm. According to the Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and other cybersecurity experts, organizations in the US should begin preparing for increased cyber attacks from pro-Iranian hacktivists and Iranian government-affiliated actors in the coming days and weeks.
Below, we’ll share what we know about the operational capabilities of Iranian-backed actors and the threat they pose. We’ll also highlight how attack scenarios within the SafeBreach exposure validation platform—specifically the Known Threat Series and Threat Group attack scenarios—can play an integral role in helping organizations proactively assess and enhance their cyber defense capabilities against these threats in order to build resilience.
What We Know about Iranian Cyber Operations
Iranian state-sponsored cyber operations have evolved in recent years into a sophisticated, multi-layered threat ecosystem spanning multiple active groups with capabilities ranging from strategic espionage to destructive attacks and ransomware monetization. These actors pose significant risks to critical infrastructure, government systems, and private sector organizations globally through advanced persistent threat (APT) campaigns, election interference operations, and hybrid criminal-state collaborations. Their campaigns are known to incorporate vulnerability exploitation, brute force, credential harvesting, ransomware, data exfiltration and extortion, disk encryption, and more.
SafeBreach Attack Scenarios
The SafeBreach Known Threat Series and Threat Group scenarios are integral to assessing and enhancing an organization's cyber defenses. The Known Threat Series employs real-world threat intelligence to simulate attacks based on documented advisories, allowing organizations to validate their security posture against well-known cyber threats. Threat Group scenarios focus on replicating the tactics, techniques, and procedures (TTPs) of specific adversarial groups as cataloged in frameworks like MITRE ATT&CK. Together, they enable continuous evaluation and strengthening of security controls, providing preparedness against sophisticated threat actors through realistic and relevant threat simulations.
The SafeBreach platform has 11 pre-built scenarios in the “Known Threat Series” and 17 pre-built scenarios in the category for “Threat Groups” specific to Iranian threat actors. Dive into the sections below for more in-depth information about each scenario.
Known Threat Series
The SafeBreach Known Threat Series is a collection of scenarios that test an organization’s security posture against well-documented and significant cyber threats, like those of Iranian-backed actors. This series leverages threat intelligence—specifically integrating information from advisories like CISA US-CERT and FBI Flash alerts—to create simulations of real-world malicious activities. The objective is to validate an organization’s defenses and ensure readiness against advanced threats by simulating threats from known attackers as they are documented.
Below, we’ve outlined the Known Threat Series attack scenarios specifically related to Iranian-backed cyber actors that are currently available within the SafeBreach platform.
1. CISA Alert AA24-290A – Iranian Cyber Actors’ Brute Force Activity
- Attack Objectives: Iranian actors likely aim to obtain credentials and information describing the victim's network, which can then be sold to cybercriminals to enable follow-on access
- Timeframe: Since October 2023, Iranian actors have used brute force, such as password spraying and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts
- Sectors Targeted: Healthcare, Government, Information Technology, Engineering, and Energy
- Primary TTPs: Password spraying, MFA push bombing, device registration manipulation, and credential harvesting
2. CISA Alert AA24-241A – Pioneer Kitten Ransomware Operations
- Attack Objectives: Iran-based cyber actors continue to exploit US and foreign organizations, with the FBI assessing a significant percentage of these threat actors’ operations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors.
- Threat Group: Pioneer Kitten (also tracked as Fox Kitten and UNC757)
- Sectors Targeted: Education, Finance, Healthcare, Defense, and Local Government
- Ransomware Collaboration: NoEscape, Ransomhouse, and ALPHV (BlackCat) in exchange for percentage of ransom payments
- Cover Identity: Iranian IT company “Danesh Novin Sahand”
3. IL-CERT 1649 – Israeli CERT Alert
- Attack Objectives: Israeli cybersecurity threat intelligence related to Iranian or regional threat actor activities (specific details not publicly accessible)
- Source: Israeli Computer Emergency Response Team
- Classification: Regional threat intelligence bulletin
4. Technion Israel Institute of Technology Attack (MuddyWater)
- Attack Objectives: MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks
- Attribution: MuddyWater – Subordinate element within the Iranian Ministry of Intelligence and Security (MOIS)
- Sectors Targeted: Telecommunications, Defense, Local Government, and Oil and Natural Gas
- Geographic Scope: Asia, Africa, Europe, and North America
5. US-CERT Alert AA22-320A – Iranian Government-Sponsored APT Actors
- Attack Objectives: CISA identified suspected APT activity on a Federal Civilian Executive Branch (FCEB) organization's network, including crypto mining deployment and credential harvesting operations
- Initial Vector: Exploitation of CVE-2021-44228 (Log4Shell) in VMware Horizon servers
- Target: Federal Civilian Executive Branch (FCEB) organization
- Activities: Bi-directional traffic with malicious infrastructure, crypto mining, and credential harvesting
6. US-CERT Alert AA22-264A – Iranian State Actors Against Albania
- Attack Objectives: Iranian-state cyber actors identifying as “HomeLand Justice” launched destructive cyber attack against the Government of Albania, which rendered websites and services unavailable
- Threat Group: HomeLand Justice
- Timeline: 14 months of persistence before launching destructive attack
- Initial Access: CVE-2019-0604 – Microsoft SharePoint exploitation
- Political Motivation: Anti-Mujahideen E-Khalq (MEK) messaging
- Destructive Capability: ZeroCleare destructive malware deployment
7. US-CERT Alert AA22-257A – IRGC Operations
- Attack Objectives: IRGC-affiliated cyber actors exploiting known vulnerabilities in Fortinet FortiOS and Microsoft Exchange (ProxyShell) to gain access, then conducting data extortion and disk-encryption ransom operations, including abuse of BitLocker to encrypt victim disks
- Attribution: IRGC-Affiliated Actors
- Primary Activities: Data extortion and ransomware operations
- Target Profile: Critical infrastructure and government organizations
8. US-CERT Alert AA22-055A – MuddyWater Operations
- Attack Objectives: Iranian government-sponsored MuddyWater APT group conducting cyber espionage and other malicious cyber operations targeting government and private-sector organizations
- Threat Group: MuddyWater (also tracked as Earth Vetala, MERCURY, and Static Kitten)
- Vulnerabilities: CVE-2020-1472 (Netlogon), CVE-2020-0688 (Exchange)
- C2 Method: Telegram Bot API for command and control communications
9. US-CERT Alert AA21-321A – Iranian Threat Actors
- Attack Objectives: Iranian government-sponsored APT cyber actors exploiting Microsoft Exchange and Fortinet vulnerabilities for espionage and network access operations
- Primary Vectors: Microsoft Exchange and Fortinet appliance vulnerabilities
- Target Scope: Government and private sector organizations globally
10. US-CERT Alert AA20-259A – Iranian Threat Actors (Pioneer Kitten)
- Attack Objectives: Maintaining persistence and exfiltrating data. Threat actor observed selling access to compromised network infrastructure in online hacker forums
- Threat Groups: Pioneer Kitten (also tracked as UNC757)
- Vulnerabilities: CVE-2019-11510 (Pulse Secure VPN), CVE-2019-19781 (Citrix ADC and Gateway), CVE-2020-5902 (F5 BIG-IP)
- Financial Motivation: Contractor supporting Iranian government interests while serving own financial interests
11. US-CERT Alert AA20-296B – Iranian Election System Threats
- Attack Objectives: Iranian APT actors intent on influencing and interfering with U.S. elections to sow discord among voters and undermine public confidence in electoral process
- Information Operations: Fictitious media sites, spoofed legitimate media, and voter registration data dissemination
- Technical Capabilities: DDoS attacks, SQL injection, spear-phishing, website defacements, and disinformation campaigns
- Key Vulnerabilities: CVE-2020-5902 (F5 VPNs), CVE-2017-9248 (Telerik UI)
Threat Groups
Threat groups are collections of cyber actors or adversaries that are identified and tracked based on observed behavior, techniques, or attributions. These groups often share common tactics, techniques, and procedures (TTPs) that allow cybersecurity professionals to catalog and respond to their activities effectively. They can be state-sponsored or motivated by financial or political interests.
Attack scenarios within the SafeBreach platform associated with Threat Groups are designed around the known activities of these groups, leveraging their specific TTPs to simulate attacks. The scenarios draw on documented advisories and reports and on the adversary behavior cataloged in the MITRE ATT&CK framework, so that each simulation mirrors the techniques a specific group has actually been observed using. These scenarios help organizations evaluate their security posture against the tactics employed by these groups.
Below, we’ve outlined the Threat Group attack scenarios specifically related to Iranian-backed cyber actors that are currently available within the SafeBreach platform.
1. APT33 (Elfin, Peach Sandstorm)
- Attribution: Iran-linked state-sponsored group
- Primary Targets: Aviation, energy, government, and technology sectors globally
- Key TTPs: Spear-phishing with password-protected archives, PowerShell-based malware, credential harvesting, and lateral movement via SMB/RDP
- Notable Tools: DROPSHOT dropper, SHAPESHIFT wiper, TURNEDUP backdoor
2. Magic Hound (APT35, Charming Kitten, TA453)
- Attribution: Islamic Revolutionary Guard Corps (IRGC)
- Primary Targets: Government officials, journalists, activists, and academic researchers
- Key TTPs: Social engineering via fake personas, credential harvesting through fake login pages, mobile malware deployment
- Notable Tools: MACDOWNLOADER, POWERBAND, fake VPN applications
3. OilRig (APT34, Helix Kitten, COBALT GYPSY)
- Attribution: Iranian state-sponsored group
- Primary Targets: Financial, government, healthcare, and telecommunications sectors in Middle East
- Key TTPs: Spear-phishing with malicious Excel documents, DNS tunneling, web shells, living-off-the-land techniques
- Notable Tools: HELMINTH backdoor, BONDUPDATER, ISMAgent, QUADAGENT
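DNS tunneling of the kind attributed to OilRig above hides command-and-control data in the labels of DNS queries, so the tell is not any single query but the aggregate: one zone receiving many unique, long, high-entropy names, often as TXT or NULL queries. The Python below is an added example written for this article, not SafeBreach platform code and not a reproduction of any OilRig tool. It profiles a constructed resolver log per zone and flags zones that look like tunnel endpoints; the log lines, the zone names (all RFC 2606 reserved domains), the two-label zone approximation and the thresholds are assumptions made for the example.

```python
"""Per-zone DNS features that surface tunneling: many unique, long,
high-entropy names under one zone, typically as TXT or NULL queries."""
import math
from collections import Counter, defaultdict

# Constructed resolver log for the example (not real traffic).
# Format per line: "<timestamp> <client-ip> <qname> <qtype>".
# The example.net names carry 32 hex characters per label, the kind of
# payload a tunnel client emits; example.com/.org are ordinary lookups.
SAMPLE_DNS_LOG = """\
2024-06-01T10:00:00 10.0.0.5 www.example.com A
2024-06-01T10:00:01 10.0.0.5 mail.example.com A
2024-06-01T10:00:02 10.0.0.6 api.example.com A
2024-06-01T10:00:03 10.0.0.6 login.example.org A
2024-06-01T10:00:04 10.0.0.5 static.example.org A
2024-06-01T10:00:05 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.example.net TXT
2024-06-01T10:00:06 10.0.0.7 a1b2c3d4e5f60789f0e1d2c3b4a59687.example.net TXT
2024-06-01T10:00:07 10.0.0.7 9876543210fedcba0123456789abcdef.example.net TXT
2024-06-01T10:00:08 10.0.0.7 5e4d3c2b1a0f98766789abcdef012345.example.net TXT
2024-06-01T10:00:09 10.0.0.7 2f4e6d8c0b1a39577593a1b0c8d6e4f2.example.net TXT
2024-06-01T10:00:10 10.0.0.7 b7a6f5e4d3c291800819c2d3e4f5a6b7.example.net TXT
2024-06-01T10:00:11 10.0.0.5 www.example.com A
"""


def shannon_entropy(text):
    """Bits per character: 0 for 'www', up to 4.0 for evenly spread hex."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_dns_log(text):
    """Return (timestamp, client, qname, qtype) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(tuple(parts))
    return records


def zone_profiles(records):
    """Aggregate per-zone features. The zone is approximated as the last two
    labels (an assumption for this example); a real deployment would use the
    public suffix list so that zones like co.uk are handled correctly."""
    per_zone = defaultdict(lambda: {"names": set(), "lens": [], "ents": [],
                                    "txt": 0, "total": 0})
    for _, _, qname, qtype in records:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare zone apex: nothing to measure
        zone = ".".join(labels[-2:])
        data_label = labels[0]  # leftmost label carries tunnel payload
        z = per_zone[zone]
        z["names"].add(qname)
        z["lens"].append(len(data_label))
        z["ents"].append(shannon_entropy(data_label))
        z["txt"] += int(qtype.upper() in ("TXT", "NULL"))
        z["total"] += 1
    return {
        zone: {
            "distinct_names": len(z["names"]),
            "mean_label_len": round(sum(z["lens"]) / len(z["lens"]), 2),
            "mean_entropy": round(sum(z["ents"]) / len(z["ents"]), 3),
            "txt_ratio": round(z["txt"] / z["total"], 2),
        }
        for zone, z in per_zone.items()
    }


def flag_tunnel_zones(profiles, min_names=5, min_label_len=20, min_entropy=3.5):
    """Zones meeting all three illustrative thresholds, sorted by name."""
    return sorted(zone for zone, p in profiles.items()
                  if p["distinct_names"] >= min_names
                  and p["mean_label_len"] >= min_label_len
                  and p["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    profiles = zone_profiles(parse_dns_log(SAMPLE_DNS_LOG))
    for zone, p in sorted(profiles.items()):
        print(zone, p)
    print("suspected tunnel zones:", flag_tunnel_zones(profiles))
```

The thresholds are deliberately loose here so the constructed data trips them; in production they should be learned from a baseline, because legitimate services (CDNs, anti-malware reputation lookups, some mail-security products) also generate long, high-entropy names and need an allowlist. The `txt_ratio` feature is kept separate rather than folded into the score because some tunnels use A or CNAME queries only.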
4. Emennet Pasargad (Cotton Sandstorm)
- Attribution: IRGC-affiliated Iranian cyber company, sanctioned by the US Treasury
- Primary Targets: Critical infrastructure, particularly water and wastewater systems
- Key TTPs: Exploitation of HMI software vulnerabilities, credential stuffing attacks, and targeting operational technology (OT) environments
- Notable Tools: Custom HMI exploitation tools, credential harvesting frameworks
5. MuddyWater (MERCURY, Static Kitten, Seedworm)
- Attribution: Iranian Ministry of Intelligence and Security (MOIS)
- Primary Targets: Government and telecommunications organizations across Asia, Europe, and North America
- Key TTPs: Multi-stage PowerShell-based attacks, legitimate cloud services for C2, and supply chain compromises
- Notable Tools: POWERSTATS backdoor, KOADIC framework, and custom PowerShell scripts
6. DEV-0270 (Nemesis Kitten)
- Attribution: Iranian state-affiliated subgroup of the Phosphorus (Mint Sandstorm) cluster
- Primary Targets: Semiconductor and technology companies
- Key TTPs: Password spray attacks, exploitation of VPN vulnerabilities, and use of legitimate remote access tools
- Notable Tools: Custom implants, modified open-source tools, and legitimate remote admin tools
7. CopyKittens
- Attribution: Iranian state-sponsored group
- Primary Targets: Israeli entities, defense contractors, and regional government organizations
- Key TTPs: Social engineering, watering hole attacks, zero-day exploits, and extensive reconnaissance
- Notable Tools: TDTESS backdoor, Matryoshka, Vminst, and Cobalt Strike
8. Cleaver (Operation Cleaver)
- Attribution: Iranian state-sponsored group
- Primary Targets: Critical infrastructure, energy, transportation, and government sectors
- Key TTPs: Credential theft, lateral movement, data exfiltration, and destructive attacks on industrial systems
- Notable Tools: TinyZBot backdoor, Net Crawler credential harvester, Mimikatz, and PsExec
9. Leafminer (RASPITE)
- Attribution: Iranian state-sponsored group
- Primary Targets: Government and business entities in Middle East, focusing on Saudi Arabia and UAE
- Key TTPs: Spear-phishing, exploitation of web applications, use of legitimate tools for persistence
- Notable Tools: Custom implants, modified legitimate software, web shells
10. Ferocious Kitten
- Attribution: Iranian state-sponsored group
- Primary Targets: Persian-speaking minorities, dissidents, and journalists
- Key TTPs: Lure documents delivered through social engineering, keylogging and clipboard theft, long-term surveillance
- Notable Tools: MarkiRAT implant
11. Strider (ProjectSauron, G0041)
- Attribution: Suspected nation-state actor (attribution disputed)
- Primary Targets: Government, diplomatic, scientific research, and military organizations
- Key TTPs: Initial access vector not publicly documented; custom modular implants, strong operational security, and a small, highly targeted victim set
- Notable Tools: ProjectSauron platform, custom malware with unique artifacts per target
12. APT39 (Chafer, Remix Kitten, TA454)
- Attribution: Iranian Ministry of Intelligence and Security (MOIS)
- Primary Targets: Telecommunications, IT services, and government organizations globally
- Key TTPs: Credential harvesting, lateral movement via remote access tools, extensive reconnaissance
- Notable Tools: SEAWEED implant, CACHEMONEY backdoor, POWBAT malware
13. Fox Kitten (UNC757, Pioneer Kitten)
- Attribution: Iranian state-sponsored group
- Primary Targets: Critical infrastructure, particularly healthcare and government sectors
- Key TTPs: Exploitation of VPN vulnerabilities, initial access broker activities, ransomware deployment
- Notable Tools: Custom backdoors, legitimate remote access tools, various ransomware families
14. Silent Librarian (TA407, COBALT DICKENS)
- Attribution: Iranian state-sponsored group linked to Mabna Institute
- Primary Targets: Academic institutions, universities, and research organizations globally
- Key TTPs: Spear-phishing with fake library login pages, credential harvesting, intellectual property theft
- Notable Tools: Fake academic portal websites, credential harvesting infrastructure
15. Cuboid Sandstorm
- Attribution: Iranian state-sponsored group
- Primary Targets: Technology and defense organizations
- Key TTPs: Supply chain compromises, exploitation of cloud services, credential theft
- Notable Tools: Custom implants, cloud-based infrastructure abuse
16. Ajax Security Team
- Attribution: Iranian hacktivist group
- Primary Targets: Various international organizations, particularly those perceived as adversarial to Iran
- Key TTPs: Website defacements, DDoS attacks, data breaches with public data dumps
- Notable Tools: Web application exploitation tools, DDoS frameworks
17. Moses Staff
- Attribution: Iranian state-sponsored group
- Primary Targets: Israeli organizations across multiple sectors
- Key TTPs: Destructive attacks, data wiping, psychological operations, public data leaks
- Notable Tools: StrifeWater wiper, PyDCrypt ransomware, DCSrv backdoor
Conclusion
Iranian cyber operations represent a mature, multi-faceted threat that combines traditional espionage, criminal monetization, and destructive capabilities. The documented evolution from purely intelligence-focused operations to hybrid criminal-state partnerships indicates a strategic shift that requires updated defensive approaches and enhanced public-private cooperation. Organizations in targeted sectors should prioritize immediate defensive measures while preparing for potential escalation in both sophistication and destructive impact.
Explore how SafeBreach's exposure validation platform empowers critical infrastructure and enterprise teams to test like real attackers and prove they're ready for Iranian-backed threats and more. See the platform solution brief, then schedule a personalized demo to see the platform in action.