HC3 document provides analysis of Iranian cyber attack landscape, provides TTPs, potential mitigations

The U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has provided the healthcare sector with an analysis of the Iranian cyber attack landscape, the Iranian threat groups behind it, and their attacks that have made the news. The HC3 document also covers how these groups approach an attack, the tactics, techniques, and procedures (TTPs) they use, and potential mitigations against them.

Iranian cyber operations are known to include website defacement, spear phishing, distributed denial-of-service (DDoS), theft of personally identifiable information (PII), malware, and social media-driven operations, the HC3 noted in a recent document. The actors have historically been assessed as ‘risk-averse’: cyber operations give them a means to exploit an adversary’s vulnerabilities while minimizing the risk of escalation or retaliation. They are also notorious for wiper malware and for retaliatory attacks.

The document also points to the exploitation of Log4j vulnerabilities, Microsoft Exchange ProxyShell and other Microsoft Exchange vulnerabilities, and Fortinet FortiOS vulnerabilities for initial access. It further notes the use of legitimate file-sharing services to distribute files containing remote access software, and extensive use of DNS tunneling for command and control (C2).
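DNS tunneling is one of the TTPs listed here that a network team can hunt for directly in its own resolver logs. The following is an added example, not part of the HC3 document or this article, showing the usual heuristics applied per registrable domain: long leftmost labels, high character entropy, a high share of subdomains that are never repeated, and a high share of TXT/NULL queries. The log format, the domain cdn-sync.example, the client addresses and the thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed DNS resolver log: timestamp, client IP, queried name, record type.
# These lines are made up for this example; they are not from HC3 or any real incident.
SAMPLE_DNS_LOG = """
2023-04-03T10:00:01Z 10.20.5.17 www.example-hospital.org A
2023-04-03T10:00:01Z 10.20.5.17 login.microsoftonline.com A
2023-04-03T10:00:02Z 10.20.5.17 outlook.office365.com A
2023-04-03T10:00:02Z 10.20.5.44 u3jf9a8s7d6f5g4h3j2k1l0zx.d1.cdn-sync.example TXT
2023-04-03T10:00:03Z 10.20.5.44 9f8e7d6c5b4a392817065e4d3c.d1.cdn-sync.example TXT
2023-04-03T10:00:03Z 10.20.5.44 qpwoeirutyalskdjfhgzmxncbv.d1.cdn-sync.example TXT
2023-04-03T10:00:04Z 10.20.5.44 1029384756mnbvcxzlkjhgfdsa.d1.cdn-sync.example TXT
2023-04-03T10:00:04Z 10.20.5.44 a1s2d3f4g5h6j7k8l9q0w1e2r3.d1.cdn-sync.example TXT
2023-04-03T10:00:05Z 10.20.5.44 z9x8c7v6b5n4m3a2s1d0f9g8h7.d1.cdn-sync.example TXT
2023-04-03T10:00:05Z 10.20.5.17 www.example-hospital.org A
2023-04-03T10:00:06Z 10.20.5.17 cdn.example-hospital.org A
"""

# Heuristic thresholds, chosen for this example; baseline them against your own logs.
MIN_QUERIES = 5            # too few queries to judge a domain
MIN_LABEL_LEN = 20         # encoded payloads tend to fill the 63-byte label limit
MIN_ENTROPY = 3.5          # bits per character; dictionary words sit near 3 or below
MIN_UNIQUE_RATIO = 0.8     # share of subdomains seen only once (beacons rarely repeat)
MIN_TXT_NULL_RATIO = 0.5   # TXT/NULL answers carry the most payload per query


def shannon_entropy(s):
    """Bits per character of s; 0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registrable_domain, subdomain). Approximates the registrable domain
    as the last two labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, client, qname, qtype) tuples."""
    return [tuple(p) for p in (line.split() for line in text.splitlines()) if len(p) == 4]


def profile_domains(records):
    """Aggregate per-domain statistics used by the scoring step."""
    profiles = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(),
                                    "txt_null": 0, "label_len_sum": 0, "entropy_sum": 0.0})
    for _ts, client, qname, qtype in records:
        base, sub = split_name(qname)
        p = profiles[base]
        p["queries"] += 1
        p["subdomains"].add(sub)
        p["clients"].add(client)
        if qtype.upper() in ("TXT", "NULL"):
            p["txt_null"] += 1
        first_label = sub.split(".")[0]   # leftmost label is where encoded data goes
        p["label_len_sum"] += len(first_label)
        p["entropy_sum"] += shannon_entropy(first_label)
    return profiles


def score_domain(p):
    """Return (score 0-4, metrics) for one domain profile; one point per heuristic hit."""
    q = p["queries"]
    if q < MIN_QUERIES:
        return 0, {}
    metrics = {"avg_label_len": p["label_len_sum"] / q,
               "avg_entropy": p["entropy_sum"] / q,
               "unique_ratio": len(p["subdomains"]) / q,
               "txt_null_ratio": p["txt_null"] / q}
    score = sum([metrics["avg_label_len"] >= MIN_LABEL_LEN,
                 metrics["avg_entropy"] >= MIN_ENTROPY,
                 metrics["unique_ratio"] >= MIN_UNIQUE_RATIO,
                 metrics["txt_null_ratio"] >= MIN_TXT_NULL_RATIO])
    return score, metrics


def find_tunnel_candidates(log_text, threshold=3):
    """Return {domain: {score, clients, metrics...}} for domains scoring >= threshold."""
    results = {}
    for base, p in profile_domains(parse_log(log_text)).items():
        score, metrics = score_domain(p)
        if score >= threshold:
            results[base] = {"score": score, "clients": sorted(p["clients"]), **metrics}
    return results


if __name__ == "__main__":
    for domain, info in find_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(f"{domain}: score={info['score']} clients={info['clients']} "
              f"avg_label_len={info['avg_label_len']:.1f} avg_entropy={info['avg_entropy']:.2f}")
```

On the constructed log this flags only cdn-sync.example, queried from 10.20.5.44. In practice, expect false positives from security products that encode lookups in DNS labels, from CDN and anti-spam services, and from any domain that legitimately serves many unique hostnames, so maintain an allowlist and tune the thresholds to your own baseline; the two-label approximation of the registrable domain should also be replaced with a Public Suffix List lookup so that names under suffixes such as co.uk are grouped correctly.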

The HC3 document also notes two recent and notable agreements that Iran signed in January and March last year. In March, Iran and China signed a 25-year cooperation agreement establishing a partnership focused on economic and defense collaboration, including joint training, exercises, research, weapons development, and intelligence sharing. China has additionally offered to help Iran deploy greater internet censorship, the agency added.

In January, Iran signed a cooperation agreement on cybersecurity and information and communications technology with Russia, establishing technology transfer, combined training, and cybersecurity cooperation. The agreement was largely defense-oriented and driven by a mutual animosity toward the U.S. It also reflected a desire for greater censorship and an ambition to reduce dependence on Western technology.

The TTPs identified in the HC3 document include spear phishing as a common initial intrusion vector, social engineering lures, and watering holes; multi-staged attacks using weaponized documents, known productivity software vulnerabilities, and PowerShell backdoors; drive-wiping malware; domains resembling legitimate web services and businesses relevant to the intended target; and credential harvesting and the use of compromised accounts.

Some of the better-known Iranian threat groups include Charming Kitten, Static Kitten, Pioneer Kitten, Remix Kitten, Helix Kitten, Refined Kitten, Magic Kitten, Infy, and UNC3890.

Charming Kitten, also known as TA453, Cobalt Illusion, Magic Hound, ITG18, Phosphorus, Newscaster, and APT35, has been associated with the Islamic Revolutionary Guard Corps (IRGC). The known targets identified in the HC3 document include medical researchers, dissidents, diplomats, human rights activists, media, government, military, energy, and telecommunications organizations.

Its TTPs include spear phishing as a common initial intrusion vector (often using lures related to healthcare, job postings, resumes, or password policies), fake personas on social media platforms to interact with targets, watering hole attacks using compromised legitimate websites relevant to the intended victims, and impersonation of online services (Google, Microsoft, Yahoo) to harvest user credentials.

Static Kitten, also known as Earth Vetala, Mercury, MuddyWater, Seedworm, and TEMP.Zagros, targets telecommunications, IT, oil and gas, NGOs, tourism, and academia. Its TTPs include spear phishing as a common initial intrusion vector, a PowerShell backdoor known as POWERSTATS, weaponization of stolen legitimate documents, and use of legitimate file-sharing services to distribute files containing remote access software.

Pioneer Kitten, also known as UNC757, Parisite, and Fox Kitten, has targeted organizations in the healthcare, technology, government, defense, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance, and retail sectors. Typical TTPs include exploitation of VPNs and other network appliances, Secure Shell (SSH) tunneling to facilitate Remote Desktop Protocol (RDP) access to victims, and the use of custom, open-source, and legitimate native software tools.

Remix Kitten, also called APT39, Chafer, Cadelle, and ITG07, is associated with the Iranian Ministry of Intelligence and Security (MOIS) and Rana Intelligence Computing, and has been known to target organizations in the telecommunications, aviation, IT, travel, and government sectors.

Its TTPs include spear phishing, domains resembling legitimate web services and businesses relevant to the intended target, and Structured Query Language (SQL) injection attacks against front-end web servers. The group also uses custom backdoors combined with publicly available software tools, exploits a target’s vulnerable web servers to install web shells, and uses stolen legitimate credentials to compromise externally facing Outlook Web Access resources.

UNC3890, known to target healthcare, shipping, government, and energy organizations, has used social engineering lures, watering holes, fake commercials for AI-based robotic dolls, and credential harvesting by masquerading as legitimate services. Its tooling includes Sugarush, a backdoor that establishes a connection to an embedded C2 address and executes CMD commands, and Sugardump, a credential harvesting utility capable of collecting passwords from Chromium-based browsers.

The HC3 document calls for a host of mitigations, including training users to spot phishing and to report it, and training on social engineering. It suggests reviewing the Log4j vulnerabilities, the Microsoft Exchange ProxyShell vulnerabilities, and other Microsoft Exchange vulnerabilities, and recommends investigating exposed Microsoft Exchange servers, both patched and unpatched, for compromise, as well as reviewing the Fortinet FortiOS vulnerabilities. It also advises looking for WinRAR and FileZilla in unexpected locations.

The agency also calls for implementing network segmentation to restrict a threat actor’s lateral movement, maintaining offline backups of data, and regularly testing backup and restoration. It recommends ensuring that all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the organization’s entire data infrastructure.

The HC3 document further suggests reviewing antivirus logs for indications that protection was unexpectedly turned off. It calls for auditing user accounts with administrative privileges and configuring access controls under the principles of least privilege and separation of duties, having an incident response (IR) plan and regularly conducting exercises that use it, using strong passwords and implementing multi-factor authentication, and requiring administrator credentials to install software.
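The advice to look for WinRAR and FileZilla in unexpected locations is straightforward to run against a file inventory export from an EDR or asset management tool. The following is an added example, not from HC3 or this article: it takes a constructed host,path inventory, matches the executables each tool ships, and reports copies found outside the standard installation directories. The hostnames, paths and the list of expected install roots are assumptions made for illustration.

```python
import ntpath

# Constructed file inventory (host,path) in the shape an EDR or asset tool might export.
# Made up for this example; hostnames and paths are not from HC3 or any real incident.
SAMPLE_INVENTORY = r"""
WS-HR-014,C:\Program Files\WinRAR\WinRAR.exe
WS-HR-014,C:\Program Files\FileZilla FTP Client\filezilla.exe
SRV-EXCH-01,C:\Windows\Temp\rar.exe
SRV-EXCH-01,C:\ProgramData\fz\filezilla.exe
WS-LAB-207,C:\Users\jdoe\AppData\Local\Temp\WinRAR.exe
WS-LAB-207,C:\Program Files (x86)\WinRAR\UnRAR.exe
SRV-FILE-02,D:\Tools\7z\7z.exe
"""

# Executables shipped with each tool (lower-case) and the directories a standard
# installation places them in. Anything elsewhere is treated as unexpected.
TOOL_BINARIES = {
    "winrar": {"winrar.exe", "rar.exe", "unrar.exe"},
    "filezilla": {"filezilla.exe", "fzsftp.exe"},
}
EXPECTED_ROOTS = {
    "winrar": [r"c:\program files\winrar", r"c:\program files (x86)\winrar"],
    "filezilla": [r"c:\program files\filezilla ftp client",
                  r"c:\program files (x86)\filezilla ftp client"],
}


def normalize(path):
    """Lower-case, backslash-separated form so comparisons ignore case and slash style."""
    return path.strip().replace("/", "\\").lower()


def under_root(directory, root):
    """True if directory is root itself or a subdirectory of it."""
    return directory == root or directory.startswith(root + "\\")


def classify_path(path):
    """Return (tool, directory) when the file name belongs to a watched tool and sits
    outside that tool's expected install roots; otherwise None."""
    directory, filename = ntpath.split(normalize(path))
    for tool, names in TOOL_BINARIES.items():
        if filename in names:
            if any(under_root(directory, root) for root in EXPECTED_ROOTS[tool]):
                return None
            return tool, directory
    return None


def hunt_unexpected_tools(inventory_csv):
    """Scan a host,path inventory and return one finding per out-of-place binary."""
    findings = []
    for line in inventory_csv.splitlines():
        if not line.strip() or "," not in line:
            continue  # skip blank or malformed rows
        host, path = line.split(",", 1)
        hit = classify_path(path)
        if hit:
            tool, directory = hit
            findings.append({"host": host.strip(), "tool": tool,
                             "path": path.strip(), "directory": directory})
    return findings


if __name__ == "__main__":
    for f in hunt_unexpected_tools(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['tool']} binary outside expected location: {f['path']}")
```

On the constructed inventory this reports the rar.exe in C:\Windows\Temp and the filezilla.exe under C:\ProgramData on SRV-EXCH-01, and the WinRAR.exe in a user Temp directory on WS-LAB-207, while the installed copies under Program Files pass. A renamed copy will not match by file name, so a real hunt should also pivot on file hashes or the OriginalFilename field in PE version information, and the same pattern extends to any other archiver or transfer client not approved in your environment.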
