After the infamous Stuxnet cyberattack on Iranian nuclear centrifuges in 2010, Iran realized the importance of cyber defense and operations, prompting the country to invest in and develop its cyber capabilities. It shifted from local censorship to utilizing “phishing and defacing campaigns against commercial enterprises, as well as cyberespionage against military and government data” [1].
Some of Iran’s favorite targets are “aerospace companies, defense contractors, energy and natural resource companies, and telecommunications firms for cyberespionage operations” [2]. However, Iran is very cautious not to push the boundaries of what could be perceived as an act of war and invoke a violent response. Typically, Iran is retaliatory in nature. For example, “after a 2012 malware attack targeting an Iranian oil facility, Iran responded with a cyberattack on Saudi Aramco and Qatari RasGas, using malware to cause irreparable damage to thousands of computers” [1]. The malware in question was called “Shamoon” [4], which “renders infected systems useless by overwriting the Master Boot Record (MBR), the partition tables, and most of the files with random data” [4].
Many of these attacks are executed in part by Iran’s Islamic Revolutionary Guard Corps (IRGC) [2] or by one of the many state-sponsored APT actors such as Magic Hound [6]. Utilizing state-sponsored APT actors shifts the responsibility from Iran to ostensibly independent actors within the country. One example of the use of these actors is the September 2020 Pulse Secure virtual private network (VPN) exploit. Conducted by a group named Pioneer Kitten, or UNC757, the cyber actors conducted reconnaissance with mass-scanning tools such as “Nmap, to identify open ports” [3]. Once the ports were identified, vulnerabilities within the VPN were exploited, privileges were escalated, and persistence within the systems was maintained. The attack was intended to exfiltrate and sell data to “serve the threat actor’s own financial interests” [3].
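As an added defensive example that is not part of the original article: the reconnaissance step above, mass scanning for open ports, leaves a distinctive footprint in perimeter firewall deny logs, where one source touches many distinct host/port pairs within seconds. The detector below runs over constructed sample log lines; the log format, addresses and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall deny log (hypothetical syslog-like format):
# "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2020-09-14T02:10:01 DENY src=203.0.113.7 dst=198.51.100.20 dport=22
2020-09-14T02:10:01 DENY src=203.0.113.7 dst=198.51.100.20 dport=80
2020-09-14T02:10:02 DENY src=203.0.113.7 dst=198.51.100.20 dport=443
2020-09-14T02:10:02 DENY src=203.0.113.7 dst=198.51.100.20 dport=3389
2020-09-14T02:10:03 DENY src=203.0.113.7 dst=198.51.100.20 dport=8443
2020-09-14T02:10:03 DENY src=203.0.113.7 dst=198.51.100.21 dport=22
2020-09-14T02:10:04 DENY src=203.0.113.7 dst=198.51.100.22 dport=22
2020-09-14T02:10:05 DENY src=203.0.113.7 dst=198.51.100.23 dport=22
2020-09-14T02:11:00 DENY src=192.0.2.9 dst=198.51.100.20 dport=443
2020-09-14T02:11:05 DENY src=192.0.2.9 dst=198.51.100.20 dport=443
2020-09-14T09:00:00 DENY src=192.0.2.9 dst=198.51.100.20 dport=22
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, dport)."""
    ts, _, src, dst, dport = line.split()
    value = lambda field: field.split("=", 1)[1]
    return datetime.fromisoformat(ts), value(src), value(dst), int(value(dport))


def detect_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src: max distinct (host, port) targets seen inside one window}
    for every source that reached `threshold` or more distinct targets."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        events[src].append((ts, (dst, dport)))
    alerts = {}
    for src, evs in events.items():
        evs.sort()  # sliding window needs chronological order per source
        start = 0
        for end in range(len(evs)):
            # advance the window start until it is within `window` of the newest event
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {target for _, target in evs[start:end + 1]}
            if len(distinct) >= threshold:  # covers both vertical and horizontal scans
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))
```

Repeated denies against a single port (the second source) stay below the threshold, so ordinary retries are not flagged; tune `window` and `threshold` to the sensor's normal background before alerting on it.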