Frequently Asked Questions About Iranian Cyber Operations
Tenable’s Research Special Operations team focuses on some frequently asked questions about Iranian cyber operations, including the tactics, techniques and procedures employed by Iran-based threat actors.
BackgroundTenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding Iranian cyber operations in the wake of the recent conflict and warnings from U.S. government agencies, including the Department of Homeland Security (DHS), about potential retaliatory attacks from cyber actors affiliated with the Iranian government as well as hacktivists.
This FAQ provides a focused analysis of Iranian state-sponsored cyber threats, detailing the types of threats used by Advanced Persistent Threat (APT) groups, tactics, techniques and procedures (TTPs) mapped to the MITRE ATT&CK framework and the specific vulnerabilities they consistently exploit. We also provide guidance about Tenable product coverage you can use to reduce your cyber exposure to these threats.
FAQHas there been an increase in threat activity related to Iran-based threat actors?
While there have been ample warnings from U.S. government agencies about retaliatory attacks, we’re also seeing a slight increase in reported activity by threat actors. Reports have cited that threat actors have begun targeting U.S. finance, defense, and energy sectors. While this activity has been limited to distributed-denial-of-service (DDoS) attacks, there have also been recent reports of an increase in targeted phishing attacks.
Which threat actors are believed to be Iran-based or linked to the Iranian government?
In recent years, several Iran-based groups have been identified by security vendors and U.S. government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA). In some alerts, threat activity has been linked to the Iranian Islamic Revolutionary Guard Corps (IRGC), while other APT groups and hacktivist groups have been identified as having ties to Iran. The table below outlines the groups and known activities linked to them. While this is not an exhaustive list of all known APTs and threat actors known to have previously been attributed to Iran, these groups have been recent subjects of CISA and other U.S. government alerts and have been featured in reports from multiple security vendors.
Threat actorActivityHomeLand JusticeCarried out destructive attacks against the Government of Albania in 2022, utilizing ransomware and disk wiping malware.Pioneer Kitten
Fox Kitten
UNC757
Parisite
RUBIDIUM
Lemon Sandstorm
Br0k3r
xplfinder
Collaborates with ransomware groups in order to monetize access to victim networks. Known to exploit common and well-known vulnerabilities in internet-facing devices and critical infrastructure.CyberAv3ngersAttacked and defaced OT devices, including Unitronics PLC devices commonly used in water and wastewater systems.APT35
CALANQUE
Charming Kitten
CharmingCypress
ITG18
Mint Sandstorm (formerly Phosphorus)
Newscaster
TA453
Yellow Garuda
Educated Manticore
APT42*
Agent Serpens
UNC788
Social engineering campaigns targeting journalists and internet-facing applications
*APT42 is a subcluster of APT35 and also poses as journalists in order to harvest credentials. Some aliases overlap between these groups.
APT34
OilRig
Helix Kitten
Hazel Sandstorm
Earth Simnavaz
Exploits internet-facing servers and uses supply chain attacks to target finance, energy, chemical, telecommunications and government sectors.MuddyWater
Earth Vetala
MERCURY
Static Kitten
Seedworm
TEMP.Zagros
Uses remote monitoring and management tools to target telecom companies in the Middle East and North Africa, Europe and North America.Agrius
Pink Sandstorm
Targets Israeli companies with wiper malware disguised as ransomwareImperial KittenAn APT group that has targeted Israeli transportation/logistics and technology sectorsBanished Kitten
Dune
Known as "Faketivist" for its attempts to masquerade as hacktivist groups due to their adoption of TTPs used by hacktivist groupsWhat are the vulnerabilities that have been targeted by Iranian threat actors?
The following table contains a list of CVEs that have been known to be exploited by Iran-based threat actors. This list of CVEs covers a wide range of commonly exploited vulnerabilities that have also been abused by a wide variety of threat actors beyond just Iran-based APTs or state-sponsored actors.
CVEDescriptionCVSSv3 ScoreVPRCVE-2017-11774Microsoft Outlook Security Feature Bypass Vulnerability7.88.9CVE-2018-13379Fortinet FortiOS SSL VPN Web Portal Path Traversal Vulnerability [1] [2] [3]9.89.0CVE-2019-0604Microsoft SharePoint Remote Code Execution (RCE) Vulnerability [1]9.88.9CVE-2019-11510Pulse Connect Secure Arbitrary File Disclosure [1] [2] [3] [4]10.08.1CVE-2019-19781Citrix Application Delivery Controller (ADC) and Gateway Directory Traversal [1] [2] [3] [4] [5] [6] [7] [8] [9]9.88.9CVE-2019-5591Fortinet FortiOS Default Configuration [1] [2]6.56.6CVE-2020-12812Fortinet FortiOS Improper Authentication [1] [2]9.88.9CVE-2020-1472Windows Netlogon Elevation of Privilege (EoP) Vulnerability (Zerologon) [1] [2] [3] [4] [5]1010CVE-2021-31207Microsoft Exchange Server Security Feature Bypass Vulnerability (Part of ProxyShell) [1] [2] [3]6.66.6CVE-2021-34473Microsoft Exchange Server RCE (ProxyShell) [1] [2] [3]9.89.2CVE-2021-34523Microsoft Exchange Server EoP (Part of ProxyShell) [1] [2] [3]9.09.6CVE-2021-44228Apache Log4j RCE (Log4Shell) [1] [2] [3] [4]1010CVE-2021-45046Apache Log4j2 Denial of Service (DoS) and RCE [1] [2]9.08.1CVE-2021-45105Apache Log4j2 DoS [1] [2]5.96.6CVE-2022-1388F5 Networks F5 BIG-IP Authentication Bypass Vulnerability [1] [2] [3]9.89.0CVE-2022-26134Atlassian Confluence Server and Data Center OGNL Injection [1] [2]9.89.6CVE-2022-30190Microsoft Windows Support Diagnostic Tool (MSDT) RCE (Follina) [1] [2] [3]7.89.8CVE-2022-42475Fortinet ForiOS Heap-Based Buffer Overflow [1] [2]9.88.9CVE-2022-47966Zoho ManageEngine RCE [1]9.89.7CVE-2022-47986IBM Aspera Faspex RCE9.89.0CVE-2023-27350PaperCut NG Authentication Bypass9.89.0CVE-2023-3519Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and Netscaler Gateway) Unauthenticated RCE Vulnerability [1] [2]9.89.0CVE-2023-38831RARLAB WinRAR Arbitrary Code Execution7.89.7CVE-2023-46805Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability [1] [2]8.26.7CVE-2023-6448Unitronics VisiLogic Default Administrative Password9.87.4CVE-2024-21887Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability [1] [2] [3]9.19.8CVE-2024-24919Check Point Security Gateway Information Disclosure Vulnerability [1] [2]8.67.1CVE-2024-30088Windows Kernel Elevation of Privilege Vulnerability [1] [2]7.09.6CVE-2024-3400Palo Alto PAN-OS Command Injection Vulnerability [1] [2]10.010.0*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on June 27 and reflects VPR at that time.
Has Tenable released any product coverage for these vulnerabilities?
The CVEs covered in this blog have product coverage from Tenable. A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:
- CVE-2017-11774
- CVE-2018-13379
- CVE-2019-0604
- CVE-2019-11510
- CVE-2019-19781
- CVE-2019-5591
- CVE-2020-12812
- CVE-2020-1472
- CVE-2021-31207
- CVE-2021-34473
- CVE-2021-34523
- CVE-2021-44228
- CVE-2021-45046
- CVE-2021-45105
- CVE-2022-1388
- CVE-2022-26134
- CVE-2022-30190
- CVE-2022-42475
- CVE-2022-47966
- CVE-2022-47986
- CVE-2023-27350
- CVE-2023-3519
- CVE-2023-38831
- CVE-2023-46805
- CVE-2023-6448
- CVE-2024-21887
- CVE-2024-24919
- CVE-2024-30088
- CVE-2024-3400
These links will display all available plugins for the listed vulnerabilities, including upcoming plugins in our Plugins Pipeline. In addition to plugin coverage, the tables below highlight additional Tenable product coverage for the MITRE ATT&CK IDs that are known to be associated with Iran-based threat actors.
Tenable attack path techniques
MITRE ATT&CK IDDescriptionTenable attack path techniquesT1003.001OS Credential Dumping: LSASS MemoryT1003.001_WindowsT1012Query RegistryT1012_WindowsT1021.001Remote Services: Remote Desktop ProtocolT1021.001_WindowsT1047Windows Management InstrumentationT1047_WindowsT1053.005Scheduled Task/Job: Scheduled TaskT1053.005_WindowsT1059.001Command and Scripting Interpreter: PowerShellT1059.001_WindowsT1068Exploitation for Privilege EscalationT1068_WindowsT1069.002Permission Groups Discovery: Domain GroupsT1069.002_WindowsT1069.003Permission Groups Discovery: Cloud GroupsT1078.001Valid Accounts: Default AccountsT1078.001_ICST1078.002Valid Accounts: Domain AccountsT1078.002_WindowsT1078.003Valid Accounts: Local AccountsT1078.003_WindowsT1078.004Valid Accounts: Cloud AccountsT1078.004_AzureT1082System Information DiscoveryT1082T1098Account ManipulationT1133External Remote ServicesT1190Exploit Public-Facing ApplicationT1190_AwsT1219Remote Access SoftwareT1219_WindowsT1482Domain Trust DiscoveryT1482_WindowsT1484.002Domain or Tenant Policy Modification: Trust ModificationT1484.002_AzureT1499Endpoint Denial of ServiceT1499.004T1555Credentials from Password StoresT1558.003Steal or Forge Kerberos Tickets: KerberoastingT1558.003_WindowsTenable Identity Exposure Indicators of Exposure and Indicators of Attack
MITRE ATT&CK IDDescriptionIndicatorsT1003.001OS Credential Dumping: LSASS MemoryC-PROTECTED-USERS-GROUP-UNUSED
T1068Exploitation for Privilege EscalationI-SamNameImpersonationT1078Valid AccountsC-DANGEROUS-SENSITIVE-PRIVILEGES
MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT
MISSING-MFA-FOR-PRIVILEGED-ACCOUNT
T1078.001Valid Accounts: Default AccountsGUEST-ACCOUNT-WITH-A-PRIVILEGED-ROLE
GUEST-ACCOUNTS-WITH-EQUAL-ACCESS-TO-NORMAL-ACCOUNTS
T1098Account ManipulationC-SENSITIVE-CERTIFICATES-ON-USER
CONDITIONAL-ACCESS-POLICY-DISABLES-CONTINUOUS-ACCESS-EVALUATION
ENTRA-SECURITY-DEFAULTS-NOT-ENABLED
LEGACY-AUTHENTICATION-NOT-BLOCKED
MFA-NOT-REQUIRED-FOR-A-PRIVILEGED-ROLE
MFA-NOT-REQUIRED-FOR-RISKY-SIGN-INS
MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT
MISSING-MFA-FOR-PRIVILEGED-ACCOUNT
SHOW-ADDITIONAL-CONTEXT-IN-MICROSOFT-AUTHENTICATOR-NOTIFICATIONS
T1110Brute ForceT1190Exploit Public-Facing ApplicationAPPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATIONT1589Gather Victim Identity InformationT1556Modify Authentication ProcessT1558.003Steal or Forge Kerberos Tickets: KerberoastingTenable Web App Scanning
MITRE ATT&CK IDDescriptionIndicatorsT1190Exploit Public-Facing ApplicationT1190_WASTenable OT Security
MITRE ATT&CK IDDescriptionIndicatorsT0812Exploit Public-Facing ApplicationT0812_ICSWhat else should I do to remain secure?
Cyber hygiene is even more critical in the face of heightened awareness than it is in normal times. Many of the attacks stemming from Iranian-sponsored threat actors mirror tactics used by other cyber actors, including exploiting software and devices that use weak authentication. Attacks have also targeted operational technology (OT) devices. To strengthen your cyber defenses, we recommend:
- Using strong passwords and enforcing a strong password policy
- Enabling multi-factor authentication (MFA)
- Changing default passwords, especially on OT hardware
- Patching vulnerabilities in assets exposed to the internet
- Identifying and prioritizing your most valuable assets for remediation
- Developing a remediation plan and continuing to test and improve it
- Tenable Blog: Navigating a Heightened Cyber Threat Landscape: Military Conflict Increases Attack Risks
- Tenable Blog: AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
- Tenable Blog: AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks
- Department of Homeland Security National Terrorism Advisory System Bulletin - June 22, 2025
Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.