[Webinar Transcription] Iran: A Top Tier Threat Actor

January 30, 2024

Or, watch on YouTube

Iran continues to quickly gain sophistication in Cyber. Its state sponsored (military and civilian) and cybercriminal operations have worldwide impact and deserve attention. Iran’s relationships with other adversaries like China and Russia will continue to strengthen its cyber capabilities, but also its general position in world conflict, including its efforts in hybrid warfare. These are already witnessed in Ukraine, Belarus, Israel, Syria, Yemen, and other high-conflict areas.

In this webinar, we covered:

  • Evolution of the Iranian cyber program and it’s current state
  • Iranian state sponsored activities
  • Cybercrime activities that occur on the dark web and adjacent platforms
  • Geopolitical events and relationships that influence Iranian cyber actors
  • Why Iran needs to be taken seriously as a digital threat

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Steph: Welcome to everybody and thank you all for joining. I am a 20 year Iran follower, I speak Farsi, I am former military and former Department of Defense, and Iran and Afghanistan has been my target area for the past two decades, if not more. I am thrilled to speak about them today. I’m always thrilled to speak about them. I’ve done this talk publicly for probably five years and there’s always so much to learn. There’s always something new to cover and track, and I’m really excited to do this for you today, so let’s dive in with that.

So let’s address the elephant in the room, which is Iran’s physical activities and proxy activities all over the Middle East. The point of today, especially because we have limited time, is their cyber program. Past, present and future – is how I like to organize it. But we cannot go without addressing, especially after last night’s drone attack, the obvious physical attacks and the incidents and the tension that is definitely increasing day to day on the ground. I wanted to give this audience some way to empower all of you to research and take a look at yourselves, because I have followed more of the cyber activity versus the physical and the Iranian military. So please, I invite you to familiarize yourself. Go to Centcom directly – centcom.mil has a ton of wonderful blogs. Their analysts are top notch. Get the information from there yourself. Centcom Central Command, located in Tampa, Florida, controls the entire US military activity in all of the Middle East, Iran and everything surfacing. All of the borders, all of the bases. Anything that’s of interest, you will get your answers from there.

The other two sources I’d really love to highlight for you are think tanks and just wonderful CTI research firms. Overall, Atlantic Council has an amazing, amazing body of literature on all of Iran to include present day conflict and Sibylline, a UK firm is also absolutely amazing. So lots of attacks going on. We are going to show and demonstrate how the cyber gets into the physical attacks and how this lends itself to working together, as well as an emerging trend which is hybrid attacks. That is where, you know, maybe Iran has something going on, maybe they’re conducting a DDoS or ransomware attack or any kind of online activity to distract people in one corner and then in another area of the world, let’s say, you know, there’s a drone attack on a supply chain and along the border of Lebanon and Syria, or there’s a physical incident against a US base in Iraq or anywhere else in the region, right, Bahrain or anywhere else. So please do take the time, if you are interested, to look at these sources that really focus on physical contact.

And with that, let’s get into the cyber of Iran. I like to do a timeline. For the past 20 years, Iran has always been kind of floating in the background. A lot of people attribute Russia to being more sophisticated and our major adversary in cyber. A lot of people look to China, who’s also incredibly sophisticated and very powerful as a Western adversary. Iran is not to be discounted. And I think that, unfortunately, this current conflict in the Middle East is probably showing just how strong they are.

I’d like to go back to 2009, which is when the major Iranian cyber activity started in the way that the outside world could observe it. Right? Iran is a lockdown isolated country. They fault the West for that. Prior to 2009, they had cyber entities. They were doing defacements, they were doing hacking, hacktivism, just putting political messages. But it wasn’t anything sophisticated. Cut to the internal Green Revolution, which is where the Iranian population stood up and one of the first times they really tried to go against the Ayatollahs and the regime to change it, as we all know, the authoritarian theocracy that Iran is absolutely will not tolerate that. So the Ayatollahs and the government and the IRGC and the MO

MOIS, which we will also get into, started monitoring their population with their own apps, their own GPS, all of the cyber and technical tools that kind of reveal locations today. The Green Revolution brought that about internally.

I likely don’t have to tell anybody on this webinar about the 2010 Stuxnet response. When Iran understood that their nuclear program had been compromised, they understood that they needed a wide, wide, wide defense to protect their internal infrastructure networks and etc.. So the Stuxnet response really prompted them to have an offensive and defensive cyber capability. And if you go from 2012 up to right now, 2024, look at these activities that they’ve all done, right. Posing as LinkedIn researchers, they’ve had several successful ransomware campaigns, espionage and IP theft is a very constant activity for Iran as well. Election interference, not just the US. They’ve also meddled in European ones in 2020. This is every threat actor, right? As the pandemic raged and everybody worked from home or remote, VPN exploitation and spreading malware was of course, extremely common and rampant. Iran participated in targeting industrial control systems. I’m sure that you’ve seen if you follow cyber or any Iranian news, they go after the PLCs, programable logic controllers. They are going after anything SCADA ICS any fear of disruption to the daily life that the Western world takes for granted.

I can’t highlight this enough, and you’ll see it in this presentation that Iran really wants to disrupt water supplies, power supplies, banking, the financial systems, because they know that fear is a powerful motivator. They also know that they can’t physically do these things. It’s much more difficult. Restricted travel – Iranians are not welcome in a lot of places in the world, so they go after it digitally, and that’s one way that they can definitely get to the psyche of American and European politicians, leaders, government. Then let’s go to, of course, more cyber espionage. Muddy water was extremely active in 2022, and in 23 and 24 we saw front company involvements, which we’re going to get into detail. Of course, the Ukraine and Mena conflict. Iran has personnel on the ground in Belarus. They’ve conducted disruptive cyber attacks on behalf of Russia, targeting anyone who’s sympathetic or encouraging to Ukraine. And 2024, we are just about a month in. We have global conflicts everywhere, right? We have the latest in the Middle East. We have global elections. A lot, a lot of countries are going to the polls this year, and Iran is one of those countries. So they have domestic elections guaranteed that they will continue spying on their population. The Iranian president is a placeholder, not an actual person of power. So I highlight all of this to say that in, you know, 12, 15 years, Iran has strongly emerged, bettered and improved and made some really key allies such as Russia and China, to only better and improve their technology and their cyber programs. It’s very important to realize that.

What are their motivations? Why are they doing this? First and foremost? Again, I’ve mentioned that Iran is isolated. They want to become a recognized global power. They feel that teaming up with Russia and China will do that, because they fault the West, Europe and the United States for having isolated them since 1979 sanctions, keeping them out of important world meetings and world organizations. They’re extremely bitter about the isolation that they faced. Revenge for Qassem Soleimani is still a tagline. While experts tried to claim that part of the October 7th, 2023 attack was for Qassem Soleimani, Iran put that message out. That has been disputed. But all of their other actions in cyberspace, as well as physically, they’re extremely upset about Soleimani espionage.

Iran cannot partake in normal business operations due to the aforementioned sanctions. So how do they get their information? They take a page from China’s book and conduct IP theft, espionage, get all of the information, whether that’s to improve their age, fleet of weapons, planes, cars, anything, you name it. They just want to take all of the information and better themselves. And this new this last one is kind of a newly emerging one that they’ve publicly spoke about eradicating Western influence throughout the Middle East, creating that new world order. They’ve wanted this for a long time. But now that tensions with China and the US are increasing as well as globally with Russia now, they really feel that this is the time to move forward, use their cyber, use their strength to eradicate the Western influence. They’re going to start in the Middle East and try to keep going, to keep expanding.

The cyber bodies of Iran, their organization, it’s really not that different from anything you might be familiar with.

They, of course have a civilian and a military component. The MOIS is their civilian component. It’s the Ministry of Intelligence. These are the civilians that have long standing careers working for the Iranian government. And then the IRGC is the Iranian Revolutionary Guard Corps. The besieged special forces are subordinate to the IRGC, as is the Iran Cyber Army. And I also have some university GIS that are down below. So Iran has mandatory conscription. You can fulfill that mandatory 18 months to two years as a cyber actor. You don’t have to do anything physical. You don’t have to do infantry or artillery or anything like that. You can truly go through any of the controlled universities which are listed below, and learn and get your initial skills fulfilling your conscription. And then you can do a couple of things. You can stay in the IRGC, you can serve there. You can transfer over to the MOIS and go from a military personnel to a civilian. The important thing is, and what Iran wants to do is control all of their cyber power and their cyber training and their curriculum to keep that talent. Those people that they train internal too often they’ve seen in the past, especially even sons and daughters of government officials, will go to Western universities in Europe or in the United States and then choose to not come back to Iran. Iran has made a concentrated effort, the MOIS and the IRGC to keep that cyber talent within the country because they know how absolutely essential it is, not only right now, but for their future.

So let’s get into a little bit more of the MOIS versus the IRGC. It is extremely important to note this for the concept of attribution in cyber. I personally, as a researcher of 20 years and having been military and government and now fully private civilian, as well as doing a couple of years at a think tank in academia, I do not believe there is anyone that should be doing attribution in cyber unless it’s a government, European, American or anything. There are too many obfuscation tactics. There are too many ways to hide actual parties, hands on the keyboard. Can you say that traffic comes from Iran? Can you say that it’s definitely linked to a pattern of Iranian influence? Can you evaluate source code of Iranian tools and malware? Absolutely. Can you determine who is doing it? I, MOIS versus IRGC, know why they have a long standing competition and hierarchy. So both of these bodies are very cyber capable, have active, active campaigns going on right now. The MOIS is thought to be a little bit more sophisticated because of the lifelong training and techniques and polishing of their employees. They’re very, very good. They’re very sophisticated. They’re very well trained. The IRGC is thought to be a little bit more sloppy. They have accidentally left hallmarks of Iranian work in their source code and they’ve left artifacts open. This is different from when they want that to happen. There are times that Iran, both the IRGC and the MOIS, purposefully leaves comments and source code. They will taunt Saudi Arabia, they will taunt companies and say, you know how we’ve infiltrated your systems. But the IRGC has also made multiple mistakes and did not intend to reveal that they were behind it. And so you have to consider that as well.

Another active competition that goes on for them right now, not just in cyber but worldwide. So the MOIS only recently came to be the favored organization when the Ayatollahs took over in 79 and all throughout the 80s. Do you see? Iran is an authoritarian theocratic state. The military controls everything citizens activities, online activities. So the IRGC was favored and was always sought after for online cyber operations. In 2009, Rouhani came to power as the Iranian president and for whatever reason, changed and started to favor the MOIS and use them for operations, consult with them, use them for intelligence and especially a cyber program. So right now, the MOIS remains in favor from 2009. And what that means and what I have seen over and over, and anybody in the community has, is they will pit and intimidate one another. So the MOIS might say, I don’t know who that activity was. It wasn’t us. You should probably talk to the IRGC and vice versa, right? So they pit one another against each other. They try to cover their tracks by framing one another. There absolutely have been operations hands on the keyboard, where it’s MOIS actors who pose as IRGC actors and impersonate and again, vice versa. So it’s important to recognize that, yes, we can track activity coming from Iran, we can track VPNs and all of the obvious obfuscation techniques, but I don’t think we can get as granular as saying this is an MOIS officer versus an IRGC, especially with all the tools that cyber has.

So just keeping that in mind moving forward, as you evaluate campaigns and malicious activity, it’s incredibly important to note the MOIS and IRGC rivalry impersonation and how they move forward, especially in digital operations.

We’ll get into the APTs and cover them quickly, so APTs have been around for a long time. It’s advanced persistent threat. These are generally actors who are financed, sponsored and supported by a government. These are fully government attributed actors. Iran has right now 32 active APT groups, of course, with varying levels of sophistication and skill. So we will cover them. But I think it’s too important, especially right now. And we’re going to see why with front companies, with ransomware and with cybercrime. And that is what DarkOwl specializes in. You have to look at the other groups. It’s no longer only apts out there, public acting and attacking, right and APT actors, as well as governments of our adversaries have caught on to, oh, I can blur activities or I can, you know, have plausible cover if I use a cybercriminal group or if I employ somebody or pay them to do that. So APT is still very active.

APT is absolutely on the dark web, absolutely using Telegram. But they’re not the only force to be reckoned with. And I think that’s an important change as we move forward, especially as global conflicts erupt and people take sides, criminal actors are going to come more into play. Really important to note. So 33 and 34 I want to highlight, you know, they have their own malware. They have their own ttps for APT 34 is thought to be more sophisticated technically, while 33 and 35, as you’ll see, are more of the social engineering. So APT 33 is going to impersonate people – reach out as a researcher, a journalist, an academic, send invites for conferences or for paperwork, and use social engineering to get information or espionage. Whereas APT 34 and some of the other more well known Iranian groups, custom malware that they improve upon test in the Middle East and then use elsewhere. Why? I’ve highlighted Mimikatz for all of these, and this is a good opportunity to go to the next one.

APT 35 and 39. You will also see Mimikatz still highlighted. Credentials and data are everything right? That is what we see on the dark web. Selling credentials, selling passwords, hashes, emails with accompanying data or solo. Iran uses Mimikatz in almost every single operation, and that’s APT as well as cybercriminals. And this is really important to note, because the hallmark of cyber actors is, you know, they can do bad with good things. So Mimikatz is an open source tool that you can just get and use, which they do in their operations. It’s similar with GitHub. Everybody uses GitHub, keeps their repositories there. And malicious actors have pivoted to trying to crack GitHub and take open source tools there and improve and use for malicious purposes. So Mimikatz has been a constant on the APTs for Iran for over 15 years, and we’re seeing a lot of credential use and theft by Iranian cyber criminals. We’re seeing the chatter, the sales on telegram, we’re seeing them talk to one another.

So this is just another line blurring between cyber criminals and Iranian state sponsored, government sponsored actors. And I think that’s really important to note. In addition to custom malware, custom backdoors, and all of the other ways that they go after anyone or anything online, there are some other groups as well. Of course, anyone following Iran knows that the the kittens is what they’re called rampant kitten, pioneer kitten, and static. I’ve highlighted them because they are some of the most active and more recently active. At once, so these are important to note. In addition to the apts of the 30 series, for instance Rampant Kitten, I would like to highlight that they actually breached Keepass, the password keeper a two years ago. So it’s just important to note that that was a sophisticated impact. A lot of a lot of change came after they hit Keepass. They’re talking about all of this online as well. Sharing https in telegram, sharing how they get in, what’s the best VPN to use to do their operations? They often share that information among the Apts and the cybercriminals. And it’s also important to note that Iran is very active in ransomware, which we will get into later as well. Go into more detail. I’m going to pause there because that kind of completes the apt part of it.

Okay, let’s talk about malware. For the more technically sophisticated in this audience, Iran is is very talented with creating their own custom malware and using them in operations. I have highlighted some of the older ones because it’s important to note their evolution and the overlap and source code. So we go back to Shamoon. Shamoon was was very, very prevalent, especially after Stuxnet. Iran really came onto the scene with Shamoon hardcore. My observations of 20 years is and this was true with Shamoon, both versions one and two. And this was also true with Zerocleare. Iran uses countries like Saudi Arabia and Bahrain almost as a testing ground. Shamoon went very, very heavily into the Saudi Aramco systems in the years that it was active. Then Shamoon two did the same thing. You’ll see, Saudi Arabia was a repeat victim. Shamoon two was, of course, updated from its first version, namely that there were no pre-programed credentials needed to operate. Shamoon two. That’s just an interesting thing to note, because I just talked about Mimikatz and how Iran does rely on credentials so much, but they evolve the second version of their malware to actually not use credentials. Again, just demonstrating a change in TTPs and that they are able to work both ways. Zerocleare has a lot of resemblance to Shamoon. If you look at the source code, again, lots of overlap, very, very clear. But it is a separate malware. And I do invite you to please use VirusTotal, AlienVault, Shodan any of your online tools that you choose Misp. You know, please go and look these up and look for yourself if you have those capabilities. Iran does offer sophisticated malware and still uses them after they test in places like Saudi Arabia as well as Bahrain, and they fix what they need to fix or tweak anything that they feel enables better operations, they then expand and use this malware in their campaigns in Europe, North and South America or in Asia. So important to note that they keep track of their malware, use it internally. And by internally I mean within the Middle East region, Saudi is a favorite. And then they go bigger, they go harder and they go to external telecom.

SCADA again, all of those companies that they want to use, they go external after they’ve tested it inside the Middle East region. The 2024 update for malware, oil check and Oil Booster have evolved and are using cloud providers for their command and control their C2, as well as some email based C2 abilities. And that’s using Microsoft, which I think is very important to highlight. We need to be aware of this malware in 2024, especially with all of the elections that I mentioned. And this is being used by APT 34 as well. But there are samples of both oil check and oil booster in the wild that have been used by non Iranian government cyber groups. So definitely confirm that this malware is in use and we need to keep an eye on it. As 2024 progresses, both elections, the global conflicts, targeting everything, everything and anything that is going on this year with malware and especially what new malware will they create. Because it’s very early in this year, will we see maybe hallmarks of a Juiceman 2.0? Will new malware surface? It’s important to be aware of what they’re currently using, the cloud and email based providers, versus what they have in the past, so that we can measure what they’re going to look like this year moving forward.

Where is Iran going to go? We are now in the present day of this slide. So terrorism and fringe group operations, I do not need to tell anybody on this audience that Hezbollah, Hamas, and, you know, everything going on in the Middle East, they are very clearly being supported by Iran. Again, this has been a pattern for two decades. The only difference now is that more and more people are paying attention, and it is more public. We can trace the blockchain for cryptocurrency transactions that are conducted by Hamas or Hezbollah or Houthi officials or actors, notable partnerships. I always talked about and highlighted how that new axis of evil on the digital realm was coming to play. So Iran and China had signed a 25 year agreement for cooperation. In the first two years, there was no actual tangible activity. It seemed just like a lot of news conferences and opportunities that has since changed. Um, China is helping Iran with some oil production. They are giving them some improvement in flight technologies to improve their aviation. There is now some more tangible results that we’re seeing come from the China and Iran Partnership, Russia and Iran. I want to note that it’s difficult to monitor their communications. While there are plenty of Russians and Chinese and Iranian actors and officials open and speaking on telegram and dark web forums, there’s obviously a part that the open world is missing.

We saw that with the Hamas attack on October 7th, they are using more old school technology, phone calls, in-person meetings, to keep hard core operations that are very sensitive underground and prevent them from being discovered. This is true in the digital realm as well. Russia and Iran and China also all have their own equivalents of, say, Facebook, Twitter and messaging platforms. All of their governments have created their very own applications and tried to draw their citizens to using those for a multitude of reasons. One it is government protection, right? If you’re Russia, Iran or China and have plans, you don’t want those leaking out because somebody has an ego on telegram or somebody is using WhatsApp and sharing it, right. And second, it’s just easier to monitor your own citizens if you have your own applications as well. Right? So it’s a it’s a win win for them. They monitor their own citizens. They keep their own information close hold. And again we’re seeing more and more of this. So it’s a balance between observing public information on messaging apps such as telegram and WhatsApp. Discerning what’s true. You know, is this real? Is this a false flag operation? And then we also have to talk about cryptocurrency and crypto mining, which leads to front companies, which we will get into because this is very important. So Hamas and Hezbollah and the Houthis all have cryptocurrency. There’s an underground infrastructure of it. It’s not just, uh, cyber operations that fuel their cryptocurrency profits. It’s selling drugs, it’s selling weapons. It’s human trafficking. All of these activities that happen in the physical world are then converted to using cryptocurrency again for obfuscation, for privacy.

It’s important to note that Iran used Bitcoin in their older operations. I would say anywhere between 2010 and 2016 or 17. And then they made a market change and decided that their cyber actors, and they have openly talked about this on telegram and other internal Iranian apps. Iran feels that Bitcoin is no longer safe. They feel that there are too many law enforcement and global policing officials using Bitcoin. So Iran has changed to light cash, Zcash and a couple of other lower popularity cryptocurrencies believing that they’re safer. This means that Russia and China also kind of use those as well. When doing business with Iran. Again, we’re hiding communications, we’re hiding funding, we’re hiding money. So it’s important to just note how this works as an overall infrastructure empowering these actors.

Let’s talk about the big three. Hezbollah, Houthis and Hamas, supported by Iran again, have been for two decades, mainly Hezbollah. I mean, Iran basically created them. Iran has trained, empowered them, financed them, given weapons, given time, given everything. Open, secret, actually just open. Not a secret. The Houthis as well. I’ve seen Iran also support the Houthis, especially when they took over Yemen. Iran has lent the how to control your population and how to control what the outside world sees using social media and distributing propaganda. Right? Iranian government controls everything in the country. So do the Houthis in Yemen. So there are definitely playbooks overlapping there, using social media to spread the message of success in every conflict of their capabilities, of how their drones are taking out. You know, last night’s unfortunate incident was was three US soldiers, Kia. And they might inflate these numbers when it doesn’t make news just to keep their populations supporting them. You know, instead of three members, Iranian or Houthi, Hamas, Hezbollah propaganda might say, we killed eight, we killed ten, we killed 20 right there. Very, very good at inflating numbers and statistics and always have been. So it’s really important to note that even when these groups are blocked from Facebook or their Instagram and TikTok accounts are deactivated, a couple things happen. One, they move platforms. They’re going to go to Q talks chat, right. Because if they’re doing digital operations, talks is viewed still as safe and more private. They’re going to go to telegram because an openly Iran has stated that they would rather the Russian government understand and see what the Iranians are doing versus the US government. Telegram is a Russian platform. This is why they feel that it’s safer to use being that Russia is an ally of Iran. So just because they’re banned and and removed from the major social media platforms, it doesn’t stop them. They just change. I think that’s really important to talk about. They plan or discuss, you know, the outcomes and the positive of operations on their to keep people encouraged for recruitment efforts to grow the forces. They put out false stats to keep their population contained and say that they’re winning. And, you know, again, these things can be harder to monitor. Direct messages on telegram. Direct messages on WhatsApp. They’re not as easy to intercept. You can’t see them. And so there is a gap there for cyber officials and for a lot of other entities. And so they use those to bolster their operations, bolster their supplies, and just put out what they feel they need to put out, paint the picture, take over the narrative using social media and continuing with propaganda. I mentioned telegram because and I want to show more. I am a Farsi speaker. I am not an Arabic speaker. There are tons of Arabic language channels. You can see them. But what I did was just take some an example.

Small example of some of the Hezbollah, Houthi and Hamas telegram channels that have emerged since this conflict. This was true in Russia as well. I think that telegram really came on the map with the Russia and Ukraine conflict, and it is still there, and Russia is leading the way using telegram, whether it’s false information, real information, selling data, selling malware every malicious actor and again apt. I stand by in cyber criminals. They’re on telegram in addition to other platforms. It is incredible how much information that some of these actors will reveal once you fact check something and say, oh, this, this actually checks out. So they are sharing information again. They recruit, they are discussing the outcome of physical and cyber operations. They’re fundraising. We are unfortunately seeing them pose as you know, charities who are supporting charities who are supporting Ukraine, charities who are supporting Palestinians or Israelis. Right. They are making up that they are affiliated with a charity soliciting donations in cryptocurrency and using that platform to expand operations. Of course, that money goes directly to their war and physical attack efforts. They are not actually charities. There are all kinds of ways that they take advantage of of populations on telegram as well as other messaging platforms. Really important to note that they’re going to continue to use these in their operations as they move forward, not just go, not just the global conflict and the actual physical wars. But this is a very, very ingrained part of all of their operations infiltrating think tanks, academia, attempted government infiltration. Right. You can pose as anybody online, and it’s harder to validate on platforms like telegram and some of the other ones that they’ve moved to. So it is incredibly crucial to continue to monitor this, monitor the talking and see how this shapes up as these conflicts continue and as anybody can pose as anyone else online.

Something to really think about and really keep in mind as you research and as you form your opinions and form your interest in cyber. I’d like to talk about front companies too. This is absolutely essential.

So Iran has perfected the front company game, establishing something as a legitimate entity, registering it, making an LLC, filling out the business paperwork, you name it. They have really, really perfected their game with this. One of the earlier, um, examples of this was the Magnet Institute. This was a 2018 event. It was about nine people that were active, and Mapna was supposedly a think tank, an Iranian think tank that was anti the government of Iran wanted to work with the Western world, wanted to be linked with them. And what they were actually doing was intellectual property theft from over 200 US and European and Australian universities. So very successful. We’re talking terabytes of information stolen. Again, all of this information was used for weapons improvement, technology improvement, updating their fleet of airplanes.

Rana is another one. Rana is on the right screen here. This was APT 39. It was linked to them. So that’s really interesting. And this was just another campaign that targeted Iranian dissidents, that targeted journalists internationally. And just a bunch of companies worldwide who were anti the Iranian government. So they posed as tech professionals, pose as journalists and got in and got a lot of information about entities that were anti the Iranian government before it was tied to the Iranian government itself, which was clearly using this information to take out dissidents, suppress dissent and not allow the opinion of being anti-iran anti the ayatollahs to go any more public than it had to be.

This is the latest one. Our company, DarkOwl did it did a write up on the front companies clouds surfaced in 2023 and I want to shout out Halcyon. I have to recognize them for they’re calling this out. Halcyon broke the news that Cloudzy was masquerading as a as a network hosting company in New York, and in reality, it was headquartered in Tehran and run by 6 or 7 different Iranians who had created fake biographies, a completely fake everything on Iranian internet, on the Iranian media, which then spread to the US media.

This is their actual page, which is still very live up and running. I checked it as of yesterday. Cloudzy did not respond to takedown requests, and not only was clouds supporting the ransomware operations of all of our adversaries the big four China, Iran, North Korea and Russia, but we had Vietnamese actors, Indian actors, cyber criminal conglomerates. This infrastructure was being abused for years by all of the malicious actors. And again, it’s still up and running. And even after the Halcyon Report, Cloudzy issued no statements. You can see that they have a blog section up top called the issued nothing they didn’t write about. They didn’t refute any claims. They just kind of continued on with business as usual since the news broke in August of 2023. Interestingly enough, “the executives”, I say in air quotes, of Cloudzy and their their biographies, they were taken down and their LinkedIn pages changed. Iran loves to abuse LinkedIn, which we’re going to get into as well. But this is just yet another front company that was facilitating bad actors and ignoring requests, ignoring abuse, and is still functioning. So it’s very, very interesting that this continues. And Iran is not alone in this. Russia does it, China does it. A lot of adversaries do it. But Iran has definitely had some very, very successful varying operations. IP theft to hosting ransomware. Extremely interesting. And it’s the full spectrum of operations.

Iran is a heavy ransomware actor. So you’re going to see at the at the end of this webinar, we do have a deeper one coming up on the big four actors that’s going to be in March of this year, and we’re going to go more in depth on Iran in their current ransomware operations, but highlighting how powerful Iran is and how they use telegram, as well as the dark web for their ops. Iran has a history of ransomware, and we do not expect that to stop. Samsam was one of their biggest campaigns. The actors made $6 million, which is no small feat in the Iranian economy. Dharma was another Iranian ransomware activated one. It was unsophisticated. You can see that again using those OSINT tools, right? Those open source tools that anybody can procure and use. And it was delivered via RDP. Again, very typical delivery operation delivery mechanism. And then BitLocker was 2020 to 2022. BitLocker is Decryptor Key has been released. I do not believe they are still active, but we’re going to see what Iran does with ransomware this year. Again, I think if I had to to hazard a guess right now, their ransomware operations are not as active because they are so involved with global conflicts, again, posing as journalists or aid workers for Palestine, Israel, Ukraine, trying to get information that relates to global conflicts, as well as managing the proxy events in Syria, Lebanon, etc.. But I do expect as this year proceeds and as really important, crucial global elections happen, we are going to see a lot more Iranian ransomware campaigns as well as their custom malware. So look forward to that in March when we have our next deep dive on the big four actors.

It is essential to talk about cryptocurrency as well anywhere in cyber right now. So Iran is a big crypto user in a country where the economy is essentially ground level, right? It’s been terrible for years. A lot of poverty. The only people who are profiting are, of course, those higher up in the government, Iranians who could circumvent the Iranian government’s internet controls have turned to cryptocurrency. You can make money with it. You can start a side hustle and it’s harder for them to track. So cryptocurrency is extremely popular in Iran and always has been. In 2019, the Iranian government banned crypto mining, which is also a way that Iran works with China. So crypto mining to be very, very short about it. You need a lot of network power, but you also have to control weather and temperature. For obvious reasons, the Caspian Sea region in Iran is extremely valuable for crypto mining. So China helped Iran set up crypto mining farms in the Caspian Sea region. The public caught on to this because again, it’s a small population. Word travels and they you know, if they’re watching anti-government or if they are anti Iranian government, they want to know what’s going on. So the Iranian government banned crypto mining for personal individuals. Right. You could not have a personal individual conducting crypto mining operations. Then they reverse that ban in July of 2022, implemented a paid license that the personal individual had to get from the Iranian government. So they turned it into moneymaking. So Iranian government’s making money personal individuals, non-government affiliated or crypto mining. China’s helped in this. And voila, we have Iranian crypto. I’ve mentioned that they’ve shied away from Bitcoin, that a lot of them still won’t use it, thinking that internationally it can be traced. And one example of where they’re shifting as well, in the latest conflict between Gaza and and Israel, they are using Tron, which is a decentralized blockchain. It’s a different blockchain, but they’re openly talking about Tron on social media as well as telegram, because it is not as common in the West, and they don’t feel that it has been infiltrated by Interpol, Europol or other Western government officials. I also want to highlight, and this is dark out data we see constantly. So Hezbollah, in addition to laundering money, spreading money around and, you know, using it for weapons and drugs and etc., Hezbollah has also run a very successful counterfeit campaign. You can see an example right there of the $100 bill of the United States. They’ve done it for euros. They’ve done it for other Middle Eastern countries as well. So cryptocurrency is a booming operation not only for the Iranian government, but also for their proxies like Hezbollah, the Houthis and Hamas as well.

That takes me to the end of this. I am very happy to share any IOCs. Everything I’ve talked about today is a is a preview. There’s obviously always more. There’s granular details. Please reach out to [email protected] with any questions or updates. Always happy to share more sources. Always happy to hear of an update that maybe I missed. These I really feel are wonderful sources and references that I refer back to and constantly use and update.


Don’t miss our next webinar on Big 4 Cyber Adversaries > Register here.

See why DarkOwl is the Leader in Darknet Data

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.