National Cyber Warfare Foundation (NCWF)

Frequently Asked Questions About Iranian Cyber Operations


0 user ratings
2025-06-27 12:16:06
milo
Blue Team (CND)

Tenable’s Research Special Operations team focuses on some frequently asked questions about Iranian cyber operations, including the tactics, techniques and procedures employed by Iran-based threat actors.


Background


Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding Iranian cyber operations in the wake of the recent conflict and warnings from U.S. government agencies, including the Department of Homeland Security (DHS), about potential retaliatory attacks from cyber actors affiliated with the Iranian government as well as hacktivists.


This FAQ provides a focused analysis of Iranian state-sponsored cyber threats, detailing the types of threats used by Advanced Persistent Threat (APT) groups, tactics, techniques and procedures (TTPs) mapped to the MITRE ATT&CK framework and the specific vulnerabilities they consistently exploit. We also provide guidance about Tenable product coverage you can use to reduce your cyber exposure to these threats.


FAQ


Has there been an increase in threat activity related to Iran-based threat actors?


While there have been ample warnings from U.S. government agencies about retaliatory attacks, we’re also seeing a slight increase in reported activity by threat actors. Reports have cited that threat actors have begun targeting U.S. finance, defense, and energy sectors. While this activity has been limited to distributed-denial-of-service (DDoS) attacks, there have also been recent reports of an increase in targeted phishing attacks.


Which threat actors are believed to be Iran-based or linked to the Iranian government?


In recent years, several Iran-based groups have been identified by security vendors and U.S. government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA). In some alerts, threat activity has been linked to the Iranian Islamic Revolutionary Guard Corps (IRGC), while other APT groups and hacktivist groups have been identified as having ties to Iran. The table below outlines the groups and known activities linked to them. While this is not an exhaustive list of all known APTs and threat actors known to have previously been attributed to Iran, these groups have been recent subjects of CISA and other U.S. government alerts and have been featured in reports from multiple security vendors.
















































Threat actorActivity
HomeLand JusticeCarried out destructive attacks against the Government of Albania in 2022, utilizing ransomware and disk wiping malware.

Pioneer Kitten


Fox Kitten


UNC757


Parisite


RUBIDIUM


Lemon Sandstorm


Br0k3r


xplfinder


Collaborates with ransomware groups in order to monetize access to victim networks. Known to exploit common and well-known vulnerabilities in internet-facing devices and critical infrastructure.
CyberAv3ngersAttacked and defaced OT devices, including Unitronics PLC devices commonly used in water and wastewater systems.

APT35


CALANQUE


Charming Kitten


CharmingCypress


ITG18


Mint Sandstorm (formerly Phosphorus)


Newscaster


TA453


Yellow Garuda


Educated Manticore


APT42*


Agent Serpens


UNC788



Social engineering campaigns targeting journalists and internet-facing applications


*APT42 is a subcluster of APT35 and also poses as journalists in order to harvest credentials. Some aliases overlap between these groups.



APT34


OilRig


Helix Kitten


Hazel Sandstorm


Earth Simnavaz


Exploits internet-facing servers and uses supply chain attacks to target finance, energy, chemical, telecommunications and government sectors.

MuddyWater


Earth Vetala


MERCURY


Static Kitten


Seedworm


TEMP.Zagros


Uses remote monitoring and management tools to target telecom companies in the Middle East and North Africa, Europe and North America.

Agrius


Pink Sandstorm


Targets Israeli companies with wiper malware disguised as ransomware
Imperial KittenAn APT group that has targeted Israeli transportation/logistics and technology sectors

Banished Kitten


Dune


Known as "Faketivist" for its attempts to masquerade as hacktivist groups due to their adoption of TTPs used by hacktivist groups


What are the vulnerabilities that have been targeted by Iranian threat actors?


The following table contains a list of CVEs that have been known to be exploited by Iran-based threat actors. This list of CVEs covers a wide range of commonly exploited vulnerabilities that have also been abused by a wide variety of threat actors beyond just Iran-based APTs or state-sponsored actors.




























































































































































































CVEDescriptionCVSSv3 ScoreVPR
CVE-2017-11774Microsoft Outlook Security Feature Bypass Vulnerability7.88.9
CVE-2018-13379Fortinet FortiOS SSL VPN Web Portal Path Traversal Vulnerability [1] [2] [3]9.89.0
CVE-2019-0604Microsoft SharePoint Remote Code Execution (RCE) Vulnerability [1]9.88.9
CVE-2019-11510Pulse Connect Secure Arbitrary File Disclosure [1] [2] [3] [4]10.08.1
CVE-2019-19781Citrix Application Delivery Controller (ADC) and Gateway Directory Traversal [1] [2] [3] [4] [5] [6] [7] [8] [9]9.88.9
CVE-2019-5591Fortinet FortiOS Default Configuration [1] [2]6.56.6
CVE-2020-12812Fortinet FortiOS Improper Authentication [1] [2]9.88.9
CVE-2020-1472Windows Netlogon Elevation of Privilege (EoP) Vulnerability (Zerologon) [1] [2] [3] [4] [5]1010
CVE-2021-31207Microsoft Exchange Server Security Feature Bypass Vulnerability (Part of ProxyShell) [1] [2] [3]6.66.6
CVE-2021-34473Microsoft Exchange Server RCE (ProxyShell) [1] [2] [3]9.89.2
CVE-2021-34523Microsoft Exchange Server EoP (Part of ProxyShell) [1] [2] [3]9.09.6
CVE-2021-44228Apache Log4j RCE (Log4Shell) [1] [2] [3] [4]1010
CVE-2021-45046Apache Log4j2 Denial of Service (DoS) and RCE [1] [2]9.08.1
CVE-2021-45105Apache Log4j2 DoS [1] [2]5.96.6
CVE-2022-1388F5 Networks F5 BIG-IP Authentication Bypass Vulnerability [1] [2] [3]9.89.0
CVE-2022-26134Atlassian Confluence Server and Data Center OGNL Injection [1] [2]9.89.6
CVE-2022-30190Microsoft Windows Support Diagnostic Tool (MSDT) RCE (Follina) [1] [2] [3]7.89.8
CVE-2022-42475Fortinet ForiOS Heap-Based Buffer Overflow [1] [2]9.88.9
CVE-2022-47966Zoho ManageEngine RCE [1]9.89.7
CVE-2022-47986IBM Aspera Faspex RCE9.89.0
CVE-2023-27350PaperCut NG Authentication Bypass9.89.0
CVE-2023-3519Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and Netscaler Gateway) Unauthenticated RCE Vulnerability [1] [2]9.89.0
CVE-2023-38831RARLAB WinRAR Arbitrary Code Execution7.89.7
CVE-2023-46805Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability [1] [2]8.26.7
CVE-2023-6448Unitronics VisiLogic Default Administrative Password9.87.4
CVE-2024-21887Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability [1] [2] [3]9.19.8
CVE-2024-24919Check Point Security Gateway Information Disclosure Vulnerability [1] [2]8.67.1
CVE-2024-30088Windows Kernel Elevation of Privilege Vulnerability [1] [2]7.09.6
CVE-2024-3400Palo Alto PAN-OS Command Injection Vulnerability [1] [2]10.010.0


*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on June 27 and reflects VPR at that time.


Has Tenable released any product coverage for these vulnerabilities?


The CVEs covered in this blog have product coverage from Tenable. A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:



These links will display all available plugins for the listed vulnerabilities, including upcoming plugins in our Plugins Pipeline. In addition to plugin coverage, the tables below highlight additional Tenable product coverage for the MITRE ATT&CK IDs that are known to be associated with Iran-based threat actors.


Tenable attach path techniques
































































































































MITRE ATT&CK IDDescriptionTenable attack path techniques
T1003.001OS Credential Dumping: LSASS MemoryT1003.001_Windows
T1012Query RegistryT1012_Windows
T1021.001Remote Services: Remote Desktop ProtocolT1021.001_Windows
T1047Windows Management InstrumentationT1047_Windows
T1053.005Scheduled Task/Job: Scheduled TaskT1053.005_Windows
T1059.001Command and Scripting Interpreter: PowerShellT1059.001_Windows
T1068Exploitation for Privilege EscalationT1068_Windows
T1069.002Permission Groups Discovery: Domain GroupsT1069.002_Windows
T1069.003Permission Groups Discovery: Cloud Groups

T1069.003_Azure


T1069.003_AWS


T1078.001Valid Accounts: Default AccountsT1078.001_ICS
T1078.002Valid Accounts: Domain AccountsT1078.002_Windows
T1078.003Valid Accounts: Local AccountsT1078.003_Windows
T1078.004Valid Accounts: Cloud AccountsT1078.004_Azure
T1082System Information DiscoveryT1082
T1098Account Manipulation

T1098.001_Azure


T1098.001_AWS


T1098.003_Azure


T1098.004


T1133External Remote Services

T1133_AWS


T1133_Azure


T1133_Windows


T1190Exploit Public-Facing ApplicationT1190_Aws
T1219Remote Access SoftwareT1219_Windows
T1482Domain Trust DiscoveryT1482_Windows
T1484.002Domain or Tenant Policy Modification: Trust ModificationT1484.002_Azure
T1499Endpoint Denial of ServiceT1499.004
T1555Credentials from Password Stores

T1555.004_Windows


T1555.006


T1558.003Steal or Forge Kerberos Tickets: KerberoastingT1558.003_Windows


Tenable Identity Exposure Indicators of Exposure and Indicators of Attack































































MITRE ATT&CK IDDescriptionIndicators
T1003.001OS Credential Dumping: LSASS Memory

C-PROTECTED-USERS-GROUP-UNUSED


I-ProcessInjectionLsass


T1068Exploitation for Privilege EscalationI-SamNameImpersonation
T1078Valid Accounts

C-AAD-PRIV-SYNC


C-AAD-SSO-PASSWORD


C-ADM-ACC-USAGE


C-ADMIN-RESTRICT-AUTH


C-ADMINCOUNT-ACCOUNT-PROPS


C-AUTH-SILO


C-BAD-SUCCESSOR


C-CLEARTEXT-PASSWORD


C-DANG-PRIMGROUPID


C-DANGEROUS-SENSITIVE-PRIVILEGES


C-DC-ACCESS-CONSISTENCY


C-DSHEURISTICS


C-EXCHANGE-MEMBERS


C-KERBEROS-CONFIG-ACCOUNT


C-KRBTGT-PASSWORD


C-MSA-COMPLIANCE


C-NATIVE-ADM-GROUP-MEMBERS


C-PASSWORD-DONT-EXPIRE


C-PASSWORD-HASHES-ANALYSIS


C-PASSWORD-NOT-REQUIRED


C-PASSWORD-POLICY


C-PKI-DANG-ACCESS


C-PRIV-ACCOUNTS-SPN


C-PROP-SET-SANITY


C-REVER-PWD-GPO


C-SERVICE-ACCOUNT


C-SLEEPING-ACCOUNTS


C-USER-PASSWORD


HIGH-NUMBER-OF-ADMINISTRATORS


MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT


MISSING-MFA-FOR-PRIVILEGED-ACCOUNT


T1078.001Valid Accounts: Default Accounts

UNRESTRICTED-GUEST-ACCOUNTS


C-GUEST-ACCOUNT


GUEST-ACCOUNT-WITH-A-PRIVILEGED-ROLE


GUEST-ACCOUNTS-WITH-EQUAL-ACCESS-TO-NORMAL-ACCOUNTS


T1098Account Manipulation

C-AAD-CONNECT


C-ABNORMAL-ENTRIES-IN-SCHEMA


C-CREDENTIAL-ROAMING


C-DANG-PRIMGROUPID


C-DC-ACCESS-CONSISTENCY


C-EXCHANGE-PERMISSIONS


C-PROP-SET-SANITY


C-SDPROP-CONSISTENCY


C-SENSITIVE-CERTIFICATES-ON-USER


C-SHADOW-CREDENTIALS


CONDITIONAL-ACCESS-POLICY-DISABLES-CONTINUOUS-ACCESS-EVALUATION


ENTRA-SECURITY-DEFAULTS-NOT-ENABLED


LEGACY-AUTHENTICATION-NOT-BLOCKED


MFA-NOT-REQUIRED-FOR-A-PRIVILEGED-ROLE


MFA-NOT-REQUIRED-FOR-RISKY-SIGN-INS


MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT


MISSING-MFA-FOR-PRIVILEGED-ACCOUNT


SHOW-ADDITIONAL-CONTEXT-IN-MICROSOFT-AUTHENTICATOR-NOTIFICATIONS


USER-WITH-API-TOKEN


T1110Brute Force

C-PASSWORD-HASHES-ANALYSIS


C-PASSWORD-POLICY


I-PasswordSpraying


T1190Exploit Public-Facing ApplicationAPPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATION
T1589Gather Victim Identity Information

C-DSHEURISTICS


C-PRE-WIN2000-ACCESS-MEMBERS


T1556Modify Authentication Process

C-AAD-PRIV-SYNC


C-SHADOW-CREDENTIALS


T1558.003Steal or Forge Kerberos Tickets: Kerberoasting

I-Kerberoasting


I-UnauthKerberoasting




Tenable Web App Scanning


















MITRE ATT&CK IDDescriptionIndicators
T1190Exploit Public-Facing ApplicationT1190_WAS


Tenable OT Security


















MITRE ATT&CK IDDescriptionIndicators
T0812Exploit Public-Facing ApplicationT0812_ICS


What else should I do to remain secure?


Cyber hygiene is even more critical in the face of heightened awareness than it is in normal times. Many of the attacks stemming from Iranian-sponsored threat actors mirror tactics used by other cyber actors, including exploiting software and devices that use weak authentication. Attacks have also targeted operational technology (OT) devices. To strengthen your cyber defenses, we recommend:



  • Using strong passwords and enforcing a strong password policy

  • Enabling multi-factor authentication (MFA)

  • Changing default passwords, especially on OT hardware

  • Patching vulnerabilities in assets exposed to the internet

  • Identifying and prioritizing your most valuable assets for remediation

  • Developing a remediation plan and continuing to test and improve it


Get more information



Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.


Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.



The post Frequently Asked Questions About Iranian Cyber Operations appeared first on Security Boulevard.



Research Special Operations

Source: Security Boulevard
Source Link: https://securityboulevard.com/2025/06/frequently-asked-questions-about-iranian-cyber-operations/?utm_source=rss&utm_medium=rss&utm_campaign=frequently-asked-questions-about-iranian-cyber-operations


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Blue Team (CND)



Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.