Freely subscribe to our NEWSLETTER

Escalated tensions between Iran and Israel could give rise to cyber threats.
Several advanced persistent threat (APT) groups are involved on both sides: APT34, APT35, and CyberAv3ngers in Iran, and Predatory Sparrow in Israel.
Iranian-affiliated APTs utilize a wide array of TTPs, including spearphishing and drive-by compromise, to significantly expand the attack surface for companies with ties to Israel or Israeli vendors.
At-risk organizations can take basic measures to protect themselves from these APT groups, including user training, regular patching, and network segmentation.

This report examines three prominent advanced persistent threat (APT) groups (APT34, APT35, and CyberAv3ngers) based in or linked to Iran, known for targeting Israel and its associated entities. Additionally, the report includes a concise overview of a group (Predatory Sparrow) focusing on Iranian targets that is believed to be connected to Israel. We also delve into the common tactics, techniques, and procedures (TTPs) these groups utilize and present key advice for detection and mitigation of these threats. This report is particularly valuable for organizations engaged in business with Iran or Israel or their vendors or suppliers.

Iranian Threats

Strategic deployment of APT and hacktivist groups is a key component of Iran’s cyber warfare tactics. These groups are often ideologically driven, aiming to gather intelligence and disrupt the normal functioning of critical infrastructure and corporate entities. By infiltrating networks through sophisticated spearphishing campaigns, exploiting zero-day vulnerabilities, and deploying bespoke malware, these groups can steal sensitive information, damage systems, and cripple financial operations, causing significant economic and reputational harm.

Israeli government and military organizations and companies in integral business industries like finance, energy, telecommunications, and technology are natural targets whose disruption could undermine Israel’s economic stability and international standing. However, the threat from Iranian APT and hacktivist group also extends further:

For foreign companies that conduct business with Israel-based firms or that operate within Israel: Cyber attacks by Iran-linked groups on these companies could result in severe operational disruptions and financial losses. The outcomes may include data breaches, compromise of sensitive information, significant operational downtime, and possibly reputational damage that could impact the company in other markets globally.
For companies based outside Israel that use Israeli-based suppliers: If targeted by cyber attacks, these companies could face major supply-chain disruptions. The immediate effects could involve delays in product delivery, increased operational costs, and potentially a halt in production, affecting not just the directly targeted companies but also downstream customers relying on their products or services. Such a situation is especially concerning for companies or organizations that use operational technology (OT) to operate critical infrastructure, such as water treatment plants, electricity or other energy grids, and healthcare services.
For critical sector organizations in the US and UK:Targeted cyber attacks against these entities could severely disrupt essential services, including power, water, and healthcare systems. The strategic response from these nations, coupled with their technological and infrastructural significance, makes them prime targets for cyber operations with the intent of undermining their support for Israel. Such attacks could not only compromise public safety and national security but also provoke economic instability by disrupting critical infrastructure.
For companies operating in Middle Eastern countries that supported Israel’s response:Cyber attacks by Iran-linked groups carry substantial risks, given these countries’ strategic economic roles and geopolitical positions. In Jordan, cyber operations targeting the vital tourism and export sectors could lead to extensive economic repercussions amid an already dim economic outlook. The potential impact of such cyber attacks is even more significant in Saudi Arabia and the UAE, where attacks on oil and gas facilities could disturb global energy markets. Additionally, the UAE’s tech and finance sectors are liable to be prime targets for Iranian cyber attacks, which could erode investor confidence and inhibit innovation, affecting both the local economy and international investments.

This report profiles three Iranian-linked APT groups, outlining their tactics, techniques, and procedures (TTPs), while also providing customers with detection and mitigation strategies: APT34, is highlighted for its long-standing operations. APT35 is examined for its extensive campaigns against government, defense, and critical infrastructure entities in America, Europe, and the Middle East, utilizing spearphishing, social engineering, and bespoke malware. Lastly, the focus shifts to CyberAv3ngers, a group specializing in attacks on industrial control and operational technology systems, particularly through internet-connected programmable logic controllers (PLCs) and human-machine interfaces (HMI). This exploration emphasizes the growing convergence of IT and OT systems, underscoring the expanded attack surface and the internet as a prevalent entry point for cyber attacks

APT34

The cyber espionage group APT34 (aka Twisted Kitten, Cobalt Gypsy, Crambus, Helix Kitten) focuses on infiltrating and conducting operations against high-value entities in the Middle East, including government bodies, critical infrastructure, telecommunications networks, and pivotal regional organizations. Its varied arsenal of techniques includes social engineering attacks via legitimate social networking sites, destructive operations using wiper malware, and exploiting trusted relationships to compromise supply chains. The following TTPs have featured prominently in many of the group’s campaigns.

T1566: Spearphishing Attachment

APT34 favors spearphishing to secure initial entry into target systems. The group employs social engineering tactics, often by attaching Microsoft Office or PDF documents laden with malware to its deceptive emails. To tackle the threat of spearphishing attacks, organizations should consider:

Educating employees on the risks of spearphishing attacks, emphasizing the importance of scrutinizing email attachments and links, even if they appear to come from legitimate sources.
Limiting user access rights within the organization to the minimum necessary to perform duties.
Deploying sophisticated email filtering solutions that can detect and quarantine emails containing malicious attachments or suspicious links, particularly those mimicking Microsoft Office or PDF formats.

T1059: Command and Scripting Interpreter: PowerShell

APT34 has exploited PowerShell-based backdoors in cyber attacks across the Middle East, leveraging PowerShell’s ostensibly legitimate capabilities to create fileless malware that leaves no on-disk traces. This method allows for complex operations within the operating system, data exfiltration, and lateral network movement. Continuous reloading of malicious code into memory also ensures attacker persistence within compromised systems. To mitigate this technique, organizations should:

Implement robust logging and monitoring of PowerShell activity to detect unusual or unauthorized commands that could indicate malicious behavior.
If PowerShell usage is essential, limit its execution policy solely to administrators. Using PowerShell JEA (Just Enough Administration) can also help confine administrative tasks by restricting the commands that admins or users can run during remote PowerShell sessions.
Regularly educate and train IT staff and system administrators on the potential misuse of PowerShell, including the latest tactics used by attackers, to better prepare them for identifying and mitigating such threats.

T1078: Valid Accounts

APT34 infiltrates systems by using legitimate credentials obtained from phishing or other means, enabling it to move laterally within networks undetected. This method allows the group to discreetly explore and exfiltrate sensitive data. Compromised credentials can be used to circumvent access controls across network systems, allow persistent remote system access via services like virtual private networks (VPNs) and remote desktops, and may enable attackers to access restricted network areas or obtain elevated system privileges. Combat this tactic by:

Enforcing multifactor authentication (MFA) across all user accounts to add an additional layer of security, which can significantly reduce the risk of unauthorized access even if credentials are compromised.
Conducting frequent audits of user accounts and monitoring for unusual activity patterns.
Regularly educating and training IT staff and system administrators on the potential misuse of valid accounts, including the latest tactics used by attackers, to better prepare them for identifying and mitigating such threats.

APT35

Security researchers have linked APT35 (aka COBALT MIRAGE, PHOSPHORUS, G0059, NewsBeef, Charming Kitten, Magic Hound, TunnelVision, Ajax Security, Newscaster Team) to the Islamic Revolutionary Guard Corps (IRGC). The group conducts long-term, resource-intensive campaigns primarily targeting American, European, and Middle Eastern government, defense, and critical infrastructure organizations. APT35 primarily conducts cyber espionage using spearphishing, social engineering, and custom malware techniques; however, it has also exploited Microsoft BitLocker to encrypt targets’ data in exchange for ransom payments. Despite APT35’s adoption of diverse strategies, three specific TTPs are common vectors in its campaigns:

T193: Spearphishing Attachment

In one notable example of this tactic in use, APT35 was linked with a phishing campaign that targeted an Israeli journalist, using a fake draft report as bait. This deceptive draft report came as a password-protected RAR file that embedded a harmful LNK file designed to deploy the “PowerStar” malware—a refined variant of its established backdoor named “CharmPower.”

The following recommendations can help defend against spearphishing.

Deploy data loss prevention (DLP) solutions to monitor and control data transfers, preventing sensitive information from being leaked or sent to unauthorized recipients.
Implement protocols like Sender Policy Framework (SPF); DKIM; or Domain-based Message Authentication, Reporting & Conformance (DMARC) to help detect and prevent email spoofing, making it harder for attackers to impersonate legitimate entities.
Conduct mock spearphishing campaigns to test employee awareness and preparedness, providing feedback and training as needed.

T1189: Drive-by Compromise

APT35 has used drive-by compromise techniques in its campaigns against Israel’s transportation, logistics, and technology sectors. The group has strategically manipulated legitimate websites to divert visitors to attacker-managed sites designed to phish for personal information and credentials. Once collected, this data is transmitted to a predefined domain for use in subsequent attacks. Recommended protective strategies include:

Ensure that all web applications are up to date with the latest security patches to minimize vulnerabilities that could be exploited in drive-by compromise attacks.
Use web filtering solutions to block known malicious sites and monitor web traffic for unusual redirections or attempts to access phishing sites.
Regularly educate employees about the risks of drive-by compromises and train them to recognize phishing attempts, emphasizing the importance of not entering personal information or credentials on unfamiliar websites.

T1595: Active Scanning: Vulnerability Scanning

APT35 has conducted extensive scans to pinpoint public systems susceptible to specific vulnerabilities, including CVE-2021-44228 in Log4j, the ProxyShell set of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in on-premises Microsoft Exchange Servers, and CVE-2018-13379 in Fortinet FortiOS Secure Sockets Layer (SSL) VPNs. Organizations should consider:

Ensuring that all web applications, especially critical software such as VPNs, are up to date with the latest security patches to minimize vulnerabilities that could be exploited by threat actors using active scanning techniques.
Dividing network resources into segments to reduce the attack surface and closely monitoring traffic for unusual patterns that could indicate a scanning attempt or exploitation.
Applying strict access controls and authentication measures to all users and devices, limiting the potential impact of exploited vulnerabilities.

CyberAv3ngers

Active since 2020, CyberAv3ngers (aka CyberAveng3rs and Cyber Avengers) has been linked with the IRGC. CyberAv3ngers is a politically motivated group that primarily targets industrial control systems, OT, or critical infrastructure using programmable logic controllers (PLCs) and human machine interfaces (HMI) connected to the internet. On November 22, 2023, CyberAv3ngers carried out a successful cyber attack on multiple water and wastewater facilities in the US that were employing PLCs with HMIs built in Israel. The group likely gained access by exploiting internet-connected devices that were protected by default passwords. Public information on CyberAv3ngers’ TTPs is limited, but security researchers have highlighted its distinctive use of brute-force techniques.

T1110: Brute Force

Adversaries may use brute-force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. In the case of the CyberAv3ngers attack on water and wastewater facilities in the US, the attackers employed scanning tools to pinpoint accessible internet-connected devices. Subsequently, they gained entry by utilizing the default PLC credentials, which are often readily available in OT manuals available online. To protect against brute-force techniques, organizations should:

Immediately update default usernames and passwords for all OT devices to unique, strong credentials to prevent unauthorized access.
Implement routine scanning of networked devices to identify and secure internet-facing devices that may be vulnerable to unauthorized access.
Enhance network security measures by employing firewalls, VPNs, and network segmentation to limit the exposure of critical OT devices to the internet

Israeli Threats

The full extent of Israel’s cyber offensive capabilities is largely speculative: Cybersecurity research and intelligence analysis has hypothesized about Israel’s cyber activities, but the Israeli government does not admit to engaging in offensive cyber operations through affiliated entities. This approach helps to keep cyber warfare tactics confidential, minimize diplomatic fallout, and maintain plausible deniability in the international arena. Hypothetically, Israeli cyber initiatives targeting Iran would be motivated by a desire to thwart Iran’s nuclear plans, collect vital intelligence, and bolster national security through the proactive neutralization of threats. Thereby, in targeting Iran, Israeli cyber groups might focus on critical sectors, such as defense and nuclear research, alongside communication and financial systems. Such attacks would aim to strategically weaken Iran’s capabilities and apply economic strain.

Organizations should remain vigilant about the potential repercussions of Israeli cyber activities against Iranian interests. Such actions could provoke retaliatory cyber attacks from Iranian actors, not only against Israeli entities but also against international businesses perceived to have business ties with Israeli companies. These tit-for-tat attacks could expose these organizations to data breaches, operational disruptions, and compromise of sensitive information. Understanding this dynamic is vital for businesses to prepare and strengthen their cybersecurity defenses, anticipating the broader implications of geopolitical tensions manifesting in the cyber realm. This awareness is especially important for entities with ties to Israel, as they may inadvertently become targets in the escalating cyber conflict between these nations.

In light of these conditions, the following section of the report covers a prominent Israel-linked group that has focused on targeting Iranian critical infrastructure.
Predatory Sparrow

Active since 2021, Predatory Sparrow (aka Gonjeshke Darande) has claimed responsibility for cyber attacks on Iranian industrial plants and critical infrastructure. In 2021, the group disrupted Iran’s nationwide network of 4,300 gas stations by disabling the system for purchasing fuel with government-issued subsidy cards. The following year, they escalated their activities by targeting three state-owned industrial steel factories, hijacking control systems to cause equipment malfunctions and molten steel spills, resulting in significant fire damage. Continuing their offensive into 2023, Predatory Sparrow claimed to have incapacitated 70 percent of Iranian gas station infrastructure, severely hampering the country’s fuel distribution capabilities.

Although Predatory Sparrow’s cyber attacks have garnered significant attention, the reluctance of Iran to disclose details related to assaults on its critical infrastructure has led to a lack of information regarding the group’s specific TTPs. Nevertheless, insights from the ReliaQuest Threat Research Team, particularly their analyses on the targeting of Operational Technology (OT) systems by Chinese Advanced Persistent Threat (APT) groups, allow us to infer the likely TTPs employed by entities akin to Predatory Sparrow in their operations against such targets. This knowledge base provides a foundational understanding of the operational methodologies potentially utilized by Predatory Sparrow in its cyber campaigns.

T1021.001: Remote Services: Remote Desktop Protocol

Adversaries may use valid accounts to log in to a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Threat actors such as Predatory Sparrow can use this technique to move laterally to the domain controller (DC) via an interactive RDP session using a compromised account with domain administrator privileges. Combat this threat by:

Disabling remote interactive logon of service accounts to prevent them from being used for RDP.
Configuring and enabling MFA for RDP sessions, helping to prevent lateral RDP and RDP brute-forcing.
Adhering to the principle of least privilege and minimizing RDP to only the required accounts. Configure access to critical assets that require RDP to use designated jump boxes, allowing tighter access control and improved auditing.

T1190: Exploit Public-Facing Application

Through this approach, attackers aim to leverage vulnerabilities in external-facing systems or devices to gain initial entry into a network. These vulnerabilities could stem from software bugs, temporary system faults, or configuration errors. Specifically, adversaries often target edge network devices and infrastructure components lacking strong host-based protections. APT groups frequently exploit flaws in networking appliances, including manufacturers like Fortinet, Ivanti, NETGEAR, Citrix, and Cisco, to infiltrate networks. To protect against these types of attacks, organizations can:

Utilize security tools, such as a web application firewall (WAF), to protect public-facing applications and provide logging visibility into access and requests to and from the application.
Properly segment all public-facing applications from the intranet to minimize risk of exploitation compromising sensitive infrastructure.
Adhere to a robust and frequent vulnerability assessment and patching cycle for all public-facing appliances. In case of a zero-day exploitation of a vulnerability, develop and maintain an emergency patch and mitigation plan.

T1105: Ingress Tool Transfer

This TTP allows attackers to import tools or files from an external source into a breached network. They might transfer these assets from a system they control to the target network either via the command-and-control (C2) channel or using other protocols like file transfer protocol (FTP). Once these tools or files are within the compromised environment, attackers can further distribute them across multiple devices within that network. For example, in the 2015 attack on Ukraine’s electric power facilities, the Sandworm Team, a Russian APT group, deployed additional malicious software onto already compromised systems to exfiltrate credentials, facilitate lateral movement, and ultimately destroy data. To defend against such tactics, organizations can implement the following processes.

Utilize application control solutions to help prevent threat actors from evading defenses. This can be achieved by using less-common methods of resource retrieval, such as via “certutil.”
Maintain an up-to-date block list of known hosting sites and actively monitor outbound request attempts through your forward proxy.
If an endpoint detection and response (EDR) solution is not available, leverage Sysmon Event ID 3 to log and monitor process executions generating network connections.

Threat Forecast

In the short to medium term, Israeli linked groups, motivated by a need to thwart Iran’s influence and nuclear prospects, will likely seek to continue cyber espionage and disruption efforts. Furthermore, the use of cyber mercenaries or loosely affiliated hacktivist groups such as Predatory Sparrow introduce further unpredictable elements into the conflict, making attribution and response more challenging. Similarly, Iranian APT and hacktivist groups are poised to intensify their cyber campaigns against Israeli interests, employing tactics aimed at espionage, sabotage, and propaganda spread. As both nations continue to invest heavily in cyber defense and offensive capabilities, the potential for a significant cyber incident remains elevated.

Given these conditions, it is important for organizations, especially those with business interests the affected nations, to keep abreast of developments. Staying informed about geopolitical shifts and related cyber threats is key to customizing security measures effectively. Enhancing their cybersecurity posture will enable organizations to protect their assets and maintain operational continuity amidst regional instability.
What ReliaQuest Is Doing

The ReliaQuest Threat Research team is committed to monitoring these threat groups, continuously refining our detection capabilities and hunting methodologies to identify and alert our customers about significant TTPs utilized by adversaries like the groups mentioned in this report. For instance, our threat hunting team actively monitors our customers’ public-facing infrastructure for exposed and susceptible services (such as RDP) that are commonly abused by threat actors looking to gain initial access.

In addition to creating specific detection rules for each of the TTPs mentioned, ReliaQuest also provides intelligence updates and detailed threat profiles through the GreyMatter Intelligence content library, covering aspects like TTPs, indicators of compromise (IoCs), tools, and information on specific attacks and campaigns. The ReliaQuest threat intelligence team also regularly incorporates high-fidelity IoCs into our threat intelligence feeds to enhance detection capabilities.

Unpack Our Findings on the Past Year’s Key Cyber-Threat Trends and Tactics

Dive into the ReliaQuest Threat Research Team’s comprehensive overview of last year’s cyber threats through our Annual Cyber-Threat Report. This report provides strategic recommendations to help safeguard your organization against evolving cyber threats.