Geopolitical strategy of Iran and the cyberattacks of APT33

Executive summary

The following report shows an analysis of several hybrid strategies that presumably Iran usually carries out against its national and international enemies. Currently, it is important to analyze how the Iranian Defense structures are composed to develop and execute from the State the cyberattacks and hybrid operations.

Moreover, in the report there is a descriptive analysis of an APT group supposedly related to Iran, APT33. The campaign showed in the report began in 2016 within the main goal to cyberattack organizations located in the USA, allied countries and Middle East. APT33 targets important governmental organizations and energetic organizations among others. Also, this report shows the “tools set” used by APT33, identifying the exploited vulnerability and providing the indicators of compromise (IOC) used in several campaigns to keep IT systems secure.

Introduction

The diplomatic and trading relationships between the United States and Iran in the last year has had an important rise of tension. The most relevant topics for both actors are the energetic resources in the Middle East and the development of the religious conflict between Shias and Sunni Muslim communities. These events have provoked an important rise of hostile policies and operations in several lines: economic sanctions, increase of the espionage operations and an increase of cyberattacks against critical infrastructures.

There are several APT groups that keep a presumable relation with the Ministry of Intelligence in the Iranian government. APT33 has been investigated by several cybersecurity companies that have attributed the responsibility of cyberattacks to organizations from energetic, governmental, research/development and chemical fields ([1]).

Iran has increased its military development and hybrid capabilities as the cyber offensive structures to compromise energetic critical infrastructures.

Strategic hybrid defense plan for the islamic republic of Iran:

The diplomatic relationships between the Republic of Iran and the main potential States of the Occident have been damaged to the point that Iran has become one of the most relevant geopolitical threats of the United States. Since the Islamic revolution in 1979, the degree of unrest of both States has been rising, triggering several hybrid and dissuasive operations.

Recently, in 2019, the diplomatic relationships are much damaged since the last commercial sanctions imposed by the United States against Iran. The Treasury Department of the United States has sanctioned 25 public Iranian organizations and 17 organizations linked to the defense sector and research in the Institute of Nuclear weapons of Iran ([12]). Moreover, the incident in the Strait of Hormuz on 13^th June 2019 increased the tension between the two countries. Two oil tankers from the Japanese organization Kokuka Courageous and the Norwegian Front Altair suffered an attack with an unclear attribution ([14]). The US government denounced the Islamic Revolutionary Guard Corps (IRGC) with a video where they appear removing a mine from one of the tankers ([15]). This accusation from the US government was rejected by the government of Iran.

Illustration 1 Incident location in the Strait of Hormuz

Since May 2019, the following maritime incidents have occurred in this region ([20]):

Six attacks against commercial vessels.

Shoot-down of U.S. Navy remotely piloted aircraft over international waters

Attempted at-sea interdiction of Isle of Man-flagged M/V British Heritage (oil tanker)

Seizure of ex-Panama-flagged M/V Riah (oil tanker)

Seizure of U.K.-flagged M/V Stena Impero (oil/chemical tanker)

Detention and subsequent release of Liberian-flagged M/V Mesdar (oil tanker)

All the recent incidents have been located on one of the most relevant maritime routes and to the oil field. This rise of tension would increase more attacks, military movements and hybrid operations with cyberattacks to governments and organizations in the energetic sector ([18]).

On the other hand, there are psychosocial factors that would increase the tension between both powerful States. In terms of sociocultural elements, the main differences that cause important difficulties reaching diplomatic agreements between these powerful countries are ([4]):

The United States is legally a secular State. However, the American society has strong religious values and the public scenario is quite full of religious signs and symbols. Conversely, Iran is a theocratic Republic based on Islam. Currently, both governments keep antagonistic State structures, these circumstances would hinder the understanding between both countries. ([4]).

Islam is the most important religion in Iran, around 80% of the Iranian population belong to the Shia confession ([6]). In the Shia branch the symbol of the martyr is highly relevant. This religious fact is important to understand the culture of Iran. This society has strong values that could clash with the Western values from the United Sates.

In general terms the hybrid defense of Iran is composed of the following characteristics ([4]):

Status and Influence: Iran has obtained the role of international representative of the “ummha”, the global Muslim community. This status allows Iran to develop an international influence over the Shia Muslim countries. Iran tries to defend its interests against the United States and its main partners in the Middle East: Israel and Saudi Arabia.

Development of softpower strategies: In terms of softpower, Iran has begun several defensive strategies through its media resources. The Iranian government promotes and spreads messages via public and private channels defending Middle Eastern interests in favor of the Shia international community. Several countries could get bipolarized by this softpower strategies as Syria, Iraq, Lebanon and Yemen ([12]). Once the society is fragmented, the Iranian government could promote the campaigns of existing Shiite parties.

Deterrence and defense: The main general interests that Iran tries to defend through a deterrence strategy are: direct attacks on the Nation-State, foreign intrusion into the oil trade, defense of the current regime and territorial integrity of the country.

Currently, Iran uses the possibility of blocking the Strait of Hormuz ([7]) as a deterrent measure against the hostile policies of the US and its allies. This action could provoke serious damages to the world energy economy, since 30% of world oil production passes daily along this route that links the Persian Gulf with the Indian Ocean. It is important to note that all petroleum products from the Gulf countries converge on the strait, including exports of crude oil and liquefied natural gas from Iran, Iraq, Kuwait, Bahrain, Qatar, Saudi Arabia and the United Arab Emirates ([4]).

Another important deterrent measure developed by the government of Iran has been the promoting strategy of the “proxy and unconventional military forces”. Hezbollah is a terrorist group supposedly promoted and funded by the government of Iran. This terrorist group was born in Lebanon in 1982 as a political party. It began its terrorist activity against Israel during the war of Israel against Lebanon in the current “blue line” ([8]).

Through the promotion of Hezbollah, Iran has developed a proxy to carry out paramilitary actions in non-Iranian states. Through these resources, Iran tries to defend Shiite interests within the Middle East. Recently, they have extended their recruitment and financing activities to South America, specifically in Brazil, Paraguay, Argentina and Venezuela. Hezbollah’s activity in these regions is linked to drug trafficking looking for funding the terrorist group ([9]).

The development of cyber defense structures in Iran has been one of the most important priorities. The high activity and sophistication in their cyberattack operations made Iran one of the States with important relevance in cyber espionage ([4]). It is also important to mention that the cyberattacks that have been carried out by APTs supposedly related to the government of Iran target critical infrastructure from the energy sector.

Furthermore, the current US government has declared that Iran includes in its strategic defense plan cyber-attacks on the critical infrastructure of the United States and those countries allied with it. These cyberattacks would be a “DoS attack” ([11]) ([12]).

Increase of the hybrid and cyber capabilities of Iran

Iran began its development of hybrid capabilities and asymmetric warfare between 2009 – 2010 after suffering the Stuxnet cyber-attack, which was presumably attributed to Israel and the United States ([2]). Then, after two years, there were several cyberattacks towards important entities linked to the United States, as in the case of the American Bank. The following chart shows the most relevant cyberattacks attributed to APT with presumably connections to the Iranian Ministry of Intelligence Service (MOIS) ([2]) ([11]):

Chronology of high relevance cyber attacks with pressumably attribution to Iran

Actor	Duration	Goals
Social Media	2011 – 2017	Cyber operation that was carried out through fake accounts and “bots” in social networks to generate misinformation in the US society.
Cleaver	2012 – 2014	Operation for industrial and government espionage purposes.
Ababil	Dec. 2011 – May 2013	DoS cyber-attacks on companies in the financial sector belonging to the US.
Shamoon	August of 2012	The Saudi energy company Aramco was the victim of a destructive malware wiper attack.
Bowman	August – Sep. 2013	The Bowman’s energetic company in NY was compromised.
Saffron Rose	2013 – 2014	This campaign targeted the IT systems of the US defense industry and the Iranian regime’s dissidents located abroad.
Sands Coorp.	2014	Cyberattack against Las Vegas Sands Corporation.
Thamar Reservoir	February 2014	Cyber espionage operation aimed to the research centers, journalists and Middle Eastern activists.
APT OilRig	2017 – 2018	Exfiltration of confidential information from companies of the energetic and governmental fields.
Shamoon 2	Nov. 2016 January 2017	Cyber espionage operation that targeted several Saudi Ministries.
HBO	May 2017	Cyber espionage operation with the aim of stealing confidential information from HBO.
Leafminer	2017 – 2018	Threat group that targeted governments and important organizations located in the Middle East.
APT 33	2016 – 2019	Cyber espionage campaign focused on organizations from the aerospace, energy and chemical fields.

The chart below shows Iran’s governmental structure that is supposedly responsible for the malicious cyber-attack campaigns through their APT groups ([3]):

Governmental structures of Iran presumably related to cyberattacks

Supreme National Council of Cyberspace	It is in charge of lawmaking, approving and implementing the laws related to the cyber sector. It is led by the President of the Republic and the Council of Ministers.
National Cyberspace Council	It is the body that is responsible for defending the Islamic Republic against cyberattacks that may affect the State of the Nation.
Islamic Revolutionary Guard Corps (IRGC)	Represents the public body that allegedly manages the APT groups associated with the current government of Iran. – IRG Electronic warfare and cyberdefence organization: is responsible for the management of training courses for internal staff and the censorship of online public content. – Basij Cyber Council: Represents the body that focuses on operations to compromise the enemy regimes. – Center for the investigation of organized crime: Center focused on the identification of targets against the Iranian government. Finally they carry out cyberattacks towards the mentioned targets.
Armed Forces General Staff	It is the body in charge of coordinating policies and operations between the IRGC and the regular army. – Cyber Headquarters: Coordinate and execute defensive cyber operations to neutralize the main cyber threats of the Islamic Republic.
Ministry of Intelligence and Security	Responsible for Signal Intelligence
Ministry of Interior	Ministry in charge of managing the State Security Forces.
Iran Cyber Police	Organization responsible for controlling illegal cyber activities and movements of dissidents.

APT 33 and the energy sector

APT 33, also known as Elfin Group has kept a notable activity during the last three years. Its target is generalist although a large part of the victims are usually located in Saudi Arabia or in the US. This APT group is presumably attributed to the government of Iran. From 2016 until 2019 more than 50 organizations have been engaged in the following countries ([10]):

As aforementioned, the main geopolitical global enemy of Iran is the US and its main regional enemy in the Middle East is Saudi Arabia. The graph shows that the results perfectly correlate with the geopolitical targets of the same state actors mentioned.

APT 33 focuses its cyberattacks on organizations of the sectors: government, energy, R&D, chemical, finance, health and IT. Activity of APT 33 from 2016 to 2019 ([10]):

During February 2019, APT 33 exploited the CVE-2018-20250 vulnerability in WinRAR. The malicious document received, by spear phishing, kept the name “JobDetails.rar” ([10]).

The following part shows the toolset pack used by APT 33:

Notesuk (Backdoor.Notestuk): Malware that accesses the backdoor of the compromised system and collects information.

Stonedrill (Trojan.Stonedrill): Malware that contains the functionality to collect documents and destroy any component of the “master boot record”.

Autolt backdoor: Through a script with Autolt language, a custom backdoor is created for the system that has been compromised.

Remcos (Backdoor.Patpoopy): It is a RAT that allows you to steal information from the system that has been infected.

DarkComet (Backdor.Breut): RAT that allows you to open the backdoor of an infected system.

Quasar RAT (Trojan.Quasar): This RAT can be used to carry out credential theft.

Pupy RAT (Backdoor.Patpoopy): RAT that allows you to open the backdoor and infect the system.

NanoCore (Trojan.Nancrat): RAT used to steal credentials through a backdoor.

Netweird (Trojan.Netweird.B): Trojan that is able to open the backdoor and steal information from compromised systems. You can also download malicious files.

LaZagne (SecuriyRisk.LaZagne): Tool to retrieve credentials.

Mimikatz (Hacktool.Mimikatz): Tool to steal credentials.

Gppassword: Tool to obtain the described passwords of the compromised system.

Sniffpass (SniffPass): Tool to steal the passwords used in the compromised system and to obtain the network traffic.

It should be mentioned that several cybersecurity companies have linked APT 33 with the Shamoon group and the Stonedrill malware, a “toolset” used by the two groups to cyberattack organizations from the energetic sector in Saudi Arabia ([13]).

Conclusions:

Iran is presumably developing hybrid and softpower strategies to influence the social imbalance of the countries of the Middle East in order to establish a political influence. Currently, Iran uses geostrategic techniques such as the blockade of the Strait of Hormuz, hybrids such as the terrorist activity of Hezbollah and cyberattacks and softpower such as misinformation for the social imbalance of a State.

Alleged state structures that are allegedly responsible for cyberattacks against countries and individuals opposed to the regime have been detected. These state structures are supposedly linked to APT specialized in cyberattacking energy organizations. For the last three years APT 33 has maintained a remarkable activity against organizations in the energetic sector. One of the most used vulnerabilities by this APT group has been CVE-2018-20250 in WinRAR.

The WINRAR update is recommended in order to prevent any possible exploitation of the vulnerability and IOC processing provided in the Lab52 platform.

References:

[1] Black Hat Ethical Hacking. (2019, 28 marzo). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. https://www.blackhatethicalhacking.com/elfin-target-multiple-organazations-us-saudi-arabia

[2] FOUNDATION FOR DEFENSE OF DEMOCRACIES. (2018). Evolving Menace Iran’s Use of Cyber-Enabled Economic Warfare. https://www.fdd.org/wpcontent/uploads/2018/11/REPORT_IranCEEW.pdf

[3] Federal Research Division of the Congress of the USA. (s.f.). Iran’s Ministry of Intelligence and Security: a profile. Recuperado de https://fas.org/irp/world/iran/mois-loc.pdf

[4] Middle East Studies at the Marine Corps University. (2015). The Strategic Culture of the Islamic Republic of Iran Religion, Expediency, and Soft Power in an Era of Disruptive Change. Recuperado de https://www.washingtoninstitute.org/uploads/Documents/pubs/MESM_7_Eisenstadt.pdf

[5] Esteban Torres. (2013). La ley general del poder. Recuperado de https://estudiossociologicos.colmex.mx/index.php/es/article/view/105/105

[6] Russia Today. (2015). Sunitas y chiitas: ¿Qué es lo que los separa? Recuperado de https://actualidad.rt.com/actualidad/167320-sunitas-chiies-diferencias-conflicto

[7] BBC. (2019). Ormuz, el estrecho clave que enfrenta a EE.UU. e Irán por el que se transporta la tercera parte del petróleo del mundo. Recuperado de https://www.bbc.com/mundo/noticias-internacional-44947623

[8] Infobae. (s.f.). Seis claves para comprender qué es Hezbollah. Recuperado de https://www.infobae.com/2013/07/22/1072760-seis-claves-comprender-que-es-hezbollah/

[9] The Hill. (2018). Washington’s silent war against Hezbollah in Latin America. Recuperado de https://thehill.com/opinion/international/409820-washingtons-silent-war-against-hezbollah-in-latin-america

[10] Symantec. (2019). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Recuperado de https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

[11] F-Secure. (2018). The State of a Station A report on attackers in the energy industry. Recuperado de https://s3-eu-central-1.amazonaws.com/evermade-fsecure-assets/wp-content/uploads/2019/04/15105531/F-Secure_energy_report.pdf

[12] World Aware. (2019). Rising Tensions between US and Iran US Designates IRGC as Foreign Terrorist Organization. Recuperado de https://www.worldaware.com/resources/blog/rising-tensions-between-us-and-iran

[13] The National CSIRT-CY. (2019). Iran Based Elfin Group (APT33) Continues to Attack Firms. Recuperado de https://csirt.cy/iran-based-elfin-group-apt33-continues-to-attack-firms/

[14] CNBC. Why Iran’s forcé would blow up foreign tankers near Strait of Hormuz. https://www.cnbc.com/2019/06/20/why-irans-forces-would-blow-up-foreign-tankers-near-strait-of-hormuz.html

[15] CNBC. US Military releases new images of Japanese oil tanker. https://www.cnbc.com/2019/06/17/us-military-releases-new-images-of-japanese-oil-tanker-attack.html

[16] BBC. World Middle East. https://www.bbc.com/news/world-middle-east-48700965

[17] JPOST. Middle East. Trump approved military action against Iran and changed his mind. https://www.jpost.com/Middle-East/Trump-approved-military-action-against-Iran-And-changed-his-mind-593223

[18] NY Times. Oil tankers attacks Strait Hormuz. https://www.nytimes.com/2019/06/13/business/oil-tanker-attacks-strait-hormuz.html

[19] Aljazeera. Oil prices surge Iran shoots drone https://www.aljazeera.com/ajimpact/oil-prices-surge-iran-shoots-drone-190620085950312.html

[20] https://www.gpsworld.com/iran-jams-gps-on-ships-in-strait-of-hormuz/

ANEX:

Image 1. Supposal location of the headquarters of the Ministry of Intelligence and Security of Iran