Protecting People

Episode · 2 months ago

#ThreatDigest: Trends Among Iranian Espionage Threat Actors


APT stands for advanced persistent threat and refers to threat actors who are acting in the interests of other political states.

In other words, espionage.

In this episode of our #ThreatDigest series, hosts Selena Larson and Crista Giering, Senior Threat Intelligence Analysts at Proofpoint, interview Joshua Miller, Senior Threat Researcher at Proofpoint, about the advanced persistent threat landscape in Iran.

Join us as we discuss:

  • Determining whether a campaign is financially or espionage motivated
  • How Iranian threat actors have shifted their strategy since COVID
  • What we can infer about Iranian government priorities from threat actors
  • Why Iranian threat actors are taking more risks
  • Where to start in tracking APTs in the world of cyber threat intelligence 

Check out the resources we mentioned during the podcast:

For more episodes like this one, subscribe to us on Apple Podcasts, Spotify, and the Proofpoint website, or just search for Protecting People in your favorite podcast player.


The big four that we track are China, Russia, North Korea and Iran. Generally speaking, these campaigns are espionage motivated. I mean they're trying to identify sensitive information in support of the spies, and they're usually more targeted at specific organizations or specific verticals. So you're basically hunting spies.

You're listening to Protecting People, a podcast focused on the human side of cyber security. Each episode you'll hear real world insights and learn about the latest trends in social engineering, malware, threat protection, cloud security and more, all from a distinctly people-centered viewpoint. Let's get into the show.

Hello everyone, and welcome to the Proofpoint Threat Digest podcast. I'm Selena Larson, senior threat intelligence analyst on the Proofpoint threat research team, here today with my co-host Crista Giering.

Hey, everybody, we're back here with our second episode discussing the Iranian advanced persistent threat landscape with threat researcher Joshua Miller. Josh, we are extremely stoked to have you here. Welcome, welcome. And before we started I have to ask, why have you come out of the shadows on Twitter?

Yeah, hey, I'm super excited to be here and glad to talk with you guys. So when I first started in CTI I was working with the FBI, working for the FBI, and so when I got on Twitter I went by my nickname, which was Yoshi, and felt that that was a better way to stay anonymous and, especially working for the FBI, didn't necessarily want to come out as my true self. And then earlier in 2021 I gave a SANS talk at the SANS CTI Summit and I did that in true name, and it sort of was the moment like, hey, I'm going from Yoshi to Josh. So I still answer to Yoshi, but I have my full Joshua Miller name on my Twitter, which is sort of weird for me, being from the FBI, used to having pretty good opsec, but sort of opening up a little bit.

So, like I mentioned, I've been with Proofpoint for about a year, and before that I was on an internal CTI team for healthcare and, like I said, started with the FBI, which is sort of where my focus and interest in Iran-aligned actors started, and I initially started tracking Iranian actors back in 2012. So that's sort of my background and how I got into this space.

Great. We'll definitely have to link that CTI Summit presentation in the show notes, along with all of the research that we're going to be chatting about today. You can definitely find those in the links that will be shared on whatever you're listening to this podcast on. So, all right, Josh, we have talked about APT, advanced persistent threat, just so the world is kind of operating from the same baseline. Can you talk about what we mean when we say APT? And on the threat research team we're broken up into a couple of different teams, right, so we have our APT team and then crimeware within threat research. For those of you who have listened to our previous podcast, we did chat a lot about crimeware. What do you need, Blackford? And so today we're kind of switching gears here to focus on APT.

So, Josh, can you take us away on that?

Yeah, so when we talk about APT, what we mean is tracking state-aligned threat actors. So individuals, guys and girls or people who act in the interests of other states. So the big four that we track are China, Russia, North Korea and Iran. Generally speaking, these campaigns are espionage motivated, meaning they're trying to identify sensitive information in support of the spies, and they're usually more targeted at specific organizations or specific verticals. So you're basically hunting spies, instead of the crimeware folks, which are more sort of financially motivated. They see prolific threats, large volumes of malware and malicious URLs targeting millions of inboxes around the globe, and we're sort of more targeted in our focus and sort of more nuanced in that way. And again it goes back to the motivation of, is it financially motivated or is it motivated for espionage? And there's some overlap and it's not strictly one or the other, but overall that's sort of how we break it down here at Proofpoint.

And you're focused on Iran. What other state actors are we tracking?

Yeah, so we track a ton of different state actors. My primary job is focusing on Iran as well as anything that may have a Middle East nexus. So some actors like Sea Turtle aren't Iran, but do have that Middle East threat nexus, and then we track groups like Molerats, which is again in the Middle East. We're doing that with one of my teammates. But we really try to cover a wide range of threats that we see within our telemetry.

Very cool. So we also, you know, we'll see China, Russia, North Korea and, I feel like, Iran are kind of the big four, but beyond that lots of different actors as well. So very cool.

We do see a lot of India and Pakistan threats as well.

Cool. Let's dive right in here, right into the heart of Iranian APT focus. After reading some of those Iranian APT blogs we published this year, Josh, it appears we've seen kind of a lot more of those instances where they've been favoring kind of a long view, right, over quick campaigns, like, for example, building up rapport with targets by sending benign emails and just kind of being more overall conversational, right, in their campaigns. Can you talk to us a bit more about this and kind of why you think they've headed in that direction?

Yeah, totally. I think that, looking at the overall threat landscape, we've seen and published on both TA453, which is Charming Kitten, and then TA456, which is Tortoiseshell. Those are two examples of Iranian APTs that we've seen going more towards the long game and building up those relationships before delivering malware or credential harvesting campaigns. So one theory and hypothesis that we have is that the shift to remote work from COVID has made targets and people's willingness to communicate over email and video calls increase. So for people who are over in Iran operating, or in other countries, who may not be able to typically talk to targets that they may be interested in, it makes their job of spying easier if they can build that relationship over the Internet. And I think that's really interesting because they prey on a lot of people's need to feel wanted or feel like they have something valuable, and I think that's a really interesting thing that we haven't seen previously, and it's definitely a shift in the landscape versus a campaign that immediately sends out malware.

So you kind of noted that that shift, right, was tied to remote work. Have you kind of seen anything else that's kind of been linked to this COVID-19 pandemic remote work era that we're living in at the moment?

Yeah, we've seen multiple threat actors, specifically Iranian threat actors, use COVID lures. So Tortoiseshell and TA453 have both used COVID, and COVID testing actually, as lures to get people to sort of open their emails and download the malware or the credential harvesting that they're sending.

And when you talk about these threat actors that are building relationships, one of the things that struck me as I was kind of reading through some of this reporting is it's not always talking about their jobs, right. Sometimes they're just trying to be friendly and strike up a conversation and kind of come off as like a little bit more benign and interested in a more social interaction than a sort of professional interaction. Is that something that you're seeing, Josh?

Yeah, so we do see some of that, and sort of that crossing over different mediums and social media. I think one of the really interesting ones was the SpoofedScholars campaign, where we saw, we actually saw the opsec of someone who is masquerading as a UK scholar and going out and emailing all of these academics asking them to join this conference. And so you had the openness to collaborate professionally allowed Charming Kitten to sort of target people that they may not have reached out to otherwise.

And is there a higher likelihood of a target interacting with or engaging with someone who comes at them from a more relationship-building type of approach than maybe, you know, sending something that's a little less formal, or a little less informal, with a link or an attachment or something like that? Like, is it a pretty effective strategy for developing relationships with targets?

Yeah, I think that, overall, you can see people are more willing to interact with and talk to people who they're familiar with, and I think that translates to the digital space as well. I mean, I talk to everyone, so I guess I shouldn't probably say that on a podcast because maybe that just makes me an easy target.

But so basically, I should ask you, Selena, like what would it take to get you to respond to one of these emails?

You know, I like being friends with everyone. I just, you know, but don't, please, don't hack me, Crista.

I'm not planning on it, but you know, Josh is still in this call, so you never know.

I turned out to hack people too often. Take notes.

So, okay, going back to the Iranian threat actors you mentioned earlier, and one of the things that, if we do have time, it might be interesting to talk to, because I know that you have developed something of a framework for classifying state actors and their different objectives and motivations and how closely they are associated with the governments that they are working for or on behalf of. And, as you were saying earlier, you know, the ones that you track are Iran focused. And what does the targeting, whether that's with SpoofedScholars, it was academics, we see with medical professionals as well, what does the targeting tell us about Iranian government priorities? Beyond, you know, what the threat actors are working on, but what can that tell us about the government policies and priorities overall?

Yeah, so I think first off it depends on the set, depends on the group that we're tracking, because some of them are focused on the same targets over and over. They continue to target defense contractors, dissidents, maybe governments within Iran's sphere of influence, but then you might see others that have more ad hoc taskings, and then others might have a mix. So one example that has a mix would be Charming Kitten, or TA453. So typically they target journalists, human rights organizations, governments sometimes, but we also saw that in December they started targeting medical professionals, which is outside of normal TA453 targeting, and we also saw them earlier in 2021 target some verticals that are outside of their normal targeting as well. So they're one of the ones that, they're prolific, they do a ton of work and they also do both the standard standing priorities and the ad hoc, and I think especially for Iran, when you talk about the ad hoc priorities, noticing what's going on politically with Iran and geopolitically makes a lot of sense, because we see actors react to what's going on in the news, both using it for lures to then make their campaigns more realistic but then also responding to different priorities.

That actually touches really well, Josh, on a question I have with kind of the ebb and flow of US-Iran political relations, and how that relationship can be very difficult at times. Have you kind of noticed any impact that that has had on the activity that you do follow?

Yeah, so I think that we've seen Iran's demonstrated a clear desire to understand both official US policy but then also the thoughts of experts adjacent to the government that may be informing that policy, so people that are experts in nuclear policy, Middle East relations and other areas of diplomacy but that aren't actually in a government role, and I think that's sort of interesting because they want to know both what the policy is but then also who's informing that policy and what the reasoning is behind it.

So I've got a question for you. I guess I'm curious as to your opinion on a couple of things. One, I thought it was pretty interesting last year after the killing of Soleimani that there was an anticipated retaliation from Iranian state actors to kind of push back and increase their potential cyber activity against who they perceive as their enemies, and potentially the US as the one that's responsible for the killing. We didn't see, as anticipated, that kind of come out. So I'm kind of curious, you know, is there a sort of growing up, I guess, or a less reactive Iranian threat actor behavior that we're seeing from these groups as they kind of grow and develop and advance their capabilities and interests and targeting? As you kind of talked about, they do have kind of broader targeting and they are a little bit more mature in terms of their capabilities and potentially strategic and forward thinking. So potentially less sort of reactive and more strategic sort of mindset. And then, kind of to follow up on that a little bit, where do you think the Iranian APT landscape is kind of heading? Like, what do you anticipate to see from these threat actors in the future as they do continue to develop and have a bit more focused type of operations?

The big thing is, I do think that there is, overall, if you look at Iranian cyber long term, there is an upward curve as far as both skills and capabilities, but also the willingness to maybe do riskier actions. You see it. It's more controlled, and we see that looking at the Sands Casino that experienced a wiper attack based off of some of the comments made by their CEO and then had that in retaliation. So I think that's one example where it's much more reactive. And then, like you said, with Soleimani, we saw some hacktivists hacking back, but we didn't necessarily see any organized cyber elements or state-aligned cyber elements. I think when we talk about Iranian cyber elements, it's also good to understand the Iranian military and how that works as well, because a lot of times commanders at lower levels have the desire to sort of prove themselves, and sometimes you may see someone conduct an operation that is sort of riskier and sort of in a way to prove themselves. You see that in the Gulf where the Iranian navy boats get super close to the US navy boats, sort of a showmanship, sort of demonstrating, hey, I can do this or I'm being risky, and I think the same thing could be said for the Iranian actions in cyberspace.

Is that unique to Iranian actors, when you're kind of talking about the showmanship or the risk taking?

I do think that it is, at least from my understanding it is. I wouldn't say that authoritatively, but from my understanding I do think that is unique to Iran in some ways.

That's really interesting, and I think on others, like you're talking about positioning themselves in the Gulf, in the different ships trying to get close to Israeli or US, for example, transportation, or for example, you have things like Shamoon, which is kind of a pretty, show a big impact. You have, I think, and I'm actually curious about this, your thoughts on this too, is potential disruptive ransomware attacks that are potentially state aligned with Iran. So it does seem that they have not just the sort of quiet intelligence gathering, sort of spying operations that we, you know, see typically from APT actors, but oftentimes you might have more sort of disruptive or physically impactful operations from this group as well, these groups overall. Do you have thoughts on that? Am I off base there?

When you look specifically at Iran and Israel and their geopolitical relationship, and going back with the tanker mine attacks, different ports being hacked, you see sort of there's that interplay between Israel and Iran, and I think that especially is worse, and when it comes to ransomware and wipers, because there's clearly active operations going on and you see these Iranian aligned wipers and ransomware that's becoming more and more prevalent, and I think that is something that is increasingly worrisome, especially once you have, I think just last week there was some ransomware that targeted a hospital in Israel. So I think that Iran seems to be liking the use of ransomware and wipers, and I do think that's worrisome, because when you talk about cyber operations, that really becomes a cyber attack in some ways, and I think extremely worrisome for security. And right now a lot of Iranian groups are focused on Israel, but there's nothing to say that they couldn't pivot to focus more on the sphere of influence in the Middle East or towards us and our allies.

So, Josh, kind of pivoting off of that, are there any other kind of elements that you think are worrisome, like other TTPs that you would be concerned about from that perspective? You mentioned very specifically ransomware and wipers, but I'm just curious if there's others.

I think really the ransomware and then the wipers masquerading as ransomware. So I think the other thing to consider about those is the psychological effect that those may have. If you're living in a society where you have to worry about your healthcare system going down because of computer problems, will you worry that that provides additional stress to you and additional things to consider when you talk about policy and negotiating and that sort of thing? So I think that's a big one. I think in the background of all of this is Iran's quest for nuclear proliferation and how does that interact between the US, Iran, Israel, the signers of the JCPOA, which is the Iran deal? And I think the other point that Selena brought up a while ago was Iran's activity is directly impacted by political relations, and I think when we want to look at the future of Iranian cyber activities, we do have to watch what happens politically with the JCPOA and the sanctions that come from the JCPOA. So if the US ends up negotiating and lifting sanctions, there may not be as much of a need for cyber operations to steal intellectual property that was protected by sanctions. On the other hand, if the negotiations fail and the JCPOA doesn't get reinstated, or there's not a deal, then I do think you see the Iranian cyber operations become more aggressive and possibly targeting organizations that were part of the deals, or sort of more, yeah, I think more aggressive is the best way to put that.

One of the things that I thought was really interesting and kind of a departure from typical Iranian activities, you mentioned kind of getting into the US political sphere, and the Proud Boys, from the 2020, during the 2020 election, sort of masquerading as Proud Boys to conduct, you know, disinformation operations, was something that I thought was really interesting, but does kind of sort of align with what you were saying, the peacocking or the sort of departure from the typical TTPs, the targeting that you might see. So, I'm curious, do you think we'll see more of that, that type of activity?

Yeah, this is my own personal theory and I don't have necessarily evidence to back up this theory, but I completely agree that the disinformation that was from the

Proud Boys messaging, I think that was a great example of peacocking by an Iranian group. I don't think, and the reason I say that is because it was clearly targeted towards the US, but it showed a fundamental misunderstanding of how the US electoral system worked, and I believe, if I remember correctly, it was encouraging people to not go out and vote. But then it just, it didn't make sense. No sane political representative would have done the campaign that they did as far as like advocacy, and so it shows a misunderstanding of what the US political climate was like. But you do see that. So it sort of shows the possibility of maybe something that wasn't, I'd say, coordinated with the highest levels of the Iranian government. I think, with the Proud Boys as well, you also see there are some dissident blogs and members of the diaspora that are saying, hey, why the heck did we do that, because that's going to really anger the United States and bring more sanctions, and sort of there was that sort of disclosing the company that was behind it or disclosing the members of that company, a sort of, hey, you're making us more, or you're making us less safe based off the actions you're taking, and I sort of think that that's a great example of peacocking. And so I don't know. I have not seen too much about how the government of Iran felt about that campaign, and I think if they were okay with it, then we'll absolutely see more of it in the future, or if they're like reining in their commanders, I don't think we'll see as much. So I think that's a good question, something definitely to look out for. I think it's important to not assume that anything that comes from Iran is automatically associated with the Iranian government, and I think there's more nuance there.

It's really interesting. Okay, then I'm going to ask you another question, Josh. If you can put on your prediction hat, what are you anticipating in the next few years that we'll see from Iranian APTs? What do you think the landscape is going to look like?

It's a good question. I think we're going to see increasingly more campaigns that require more social engineering as far as building rapport with people before sending malware or malicious URLs for credential harvesting. I also think that we are going to see, just like earlier this year we saw a lot of exploitation with Microsoft Exchange, I think that will mirror the landscape for Iranian actors as well, and hopefully we don't see any more, I'd say, US-specific operations, but that's always a possibility.

Yeah, fingers crossed for sure on that one. All right, guys, I have a really serious question to ask Josh. So prepare yourself. If you had to choose one, and now, mind you, one, which Iranian APT is your favorite to track right now and why?

That's not fair, because when I practiced for this, I had like two or three that I was going to pick.

I want to make the others jealous. This is the whole point.

Okay, I think that I have really liked, I think TA456, or Tortoiseshell, is probably my most fun one to track. I think that the variety of ways that they do recon, as far as they do targeted spear phishing to get accounts, they do benign spam lures to sort of do reconnaissance, and then they also do that persona operation on the Facebook and Instagram side. I think that, all of that, doing the stuff for recon, I think makes them a really interesting and determined threat actor. So I think they're probably the most fun and most challenging to track. Of course we do have some private threats that we track that are also super fun, and spooky, secret squirrel, but as far as the public sets, TA456 is my favorite.

All right, I think you're going to make a lot of people jealous. So final question for me. Do you have any advice for other people who are just kind of starting out in tracking APTs in the world of cyber threat intelligence?

Yeah, you should do it. It's super fun. I would recommend a couple things if you're just getting started in cyber threat intel. Katie Nickels has some really good blog posts about how to start in CTI, because a lot of people have some of the questions. So reading, she has a couple blog posts I definitely would recommend. I think she's on Medium, is like the place, but definitely a good resource to start for cyber threat intelligence overall. For APT specifically, the first thing I would do is look at public reporting, or if your company has a subscription to like a CrowdStrike or Mandiant or someone who does private reporting, look at that. But look at companies with unique reporting. See what they're writing about, see if you can recreate their work. Do you agree with their conclusions? Do you not? One of the things I do is I'll look at, when different reports come out from different companies, I'll look at their data and see, hey, this is some really great data that they've analyzed, but I don't necessarily agree with their conclusions. And I think that's really important to do. And sometimes I'll touch the authors, and that's a big thing of, hey, if you read an APT report and you think it's super interesting, reach out to the author. A lot of times I'll do that on Twitter or LinkedIn and chat with them. They put a lot of time and sweat into publishing public reporting. So taking the time to reach out and ask questions, especially if you've read the report and demonstrate a knowledge of, like, trying to understand it more, is worth it. If you just ask them, and someone once messaged me and only asked me to summarize their report for them, that's less likely to be useful. But I think also, if you have a specific geographic focus, keep track of the news that might generate some of that cyber activity. We've talked about a couple different things that in Iranian activity is something to look for. Every organization, every geographic area has the sort of indicators and warnings that you might want to look at, and developing those, I think, is super important. Yeah, so that's all I have on that, but it's definitely something worth doing.

So you're saying to be a better APT analyst, act like an APT and just cold call, reach out to people and pretend that you're interested, and please make sure to send links with some malware to be able to really get the whole experience.

Ultimately, just be friendly, like Selena. Be friendly.

Yeah, I mean I'm basically an APT and I think of myself as Selena PT.

Well, Josh, thank you so much. We're ending on a very, you know, non-serious note, but in all seriousness this is a really great conversation. The work that you have been doing and the research that we've put out in the last few months has been really awesome and very exciting, and I think we have some fun stuff coming up as well. So thank you so much for your time today. Crista and I will be back next month with the next monthly update of the Threat Digest podcast, but in the meantime, everyone out there, thanks so much for tuning in and happy hunting.

You've been listening to Protecting People, a podcast by Proofpoint. Never miss an episode by subscribing to the show in your favorite podcast player. Thank you so much for listening.
