Iranian Government Affiliated Intrusions: Documented Tradecraft

When geopolitical tensions rise, defenders tend to ask the same question: What does Iranian cyber activity actually look like on the wire?

Rather than speculate, it’s far more productive to focus on documented tradecraft observed in real intrusions and published by CISA, FBI, and NSA.

Across multiple joint advisories, Iranian government-affiliated actors have consistently demonstrated:

  • Heavy reliance on built-in Windows administrative tools
  • Rapid Active Directory discovery after initial access
  • Credential dumping using native capabilities
  • Service creation and scheduled tasks for lateral movement
  • Selective destructive behavior

Primary Sectors

  • Critical Infrastructure
    • Water and Wastewater Systems
    • Energy Sector
    • Industrial Control Systems (ICS) environments
  • Defense Industrial Base (DIB)
  • U.S. Government Entities
    • Federal agencies
    • State and local government organizations
  • Healthcare and Public Health Sector
  • Information Technology & Managed Service Providers (MSPs)

Iranian State-Linked APTs (with MITRE ATT&CK Group IDs)

  1. APT33 (Holmium / Elfin / Peach Sandstorm) - G0064 - One of the best-documented Iranian APTs. Targets aerospace, energy, and defense sectors with espionage and sometimes destructive operations.
  2. MuddyWater - G0069 - A cyber espionage group assessed to be part of Iran’s Ministry of Intelligence and Security (MOIS). Active against government and private organizations globally.
  3. APT39 (Chafer / ITG07 / Remix Kitten) - G0087 - Known for espionage targeting travel, telecom, and information technology sectors.
  4. CopyKittens - G0052 - An Iranian cyber espionage group tracked for operations dating back to at least 2013.
  5. CURIUM (Crimson Sandstorm / TA456) - G1012 - Tracked as an Iranian threat group with sustained activity targeting IT service providers and other organizations.
  6. Magic Hound - G0059 - Identified by MITRE as an Iranian-sponsored cyber espionage group (sometimes associated with Charming Kitten overlaps).
  7. CyberAv3ngers - G1027 - A suspected IRGC-affiliated APT group with activity claims (note: attribution is debated in public reporting).

Documented Activity Observed in Recent Iranian Intrusions

Active Directory Discovery

nltest /dclist
nltest /domain_trusts
nltest /domain_trusts /all_trusts
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Administrators" /domain
net user /domain
net accounts /domain
net view /domain

Commands used for domain/user discovery

PowerShell LDAP Query

$i=0                                               # unused in the observed script
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$L = 'LDAP://' + $D                                # LDAP path of the current domain ('+' is PowerShell string concatenation)
$D = [ADSI]$L                                      # bind to the domain root
$str = '(&(objectcategory=computer)(operatingSystem=*serv*))'   # computer objects whose OS name contains "serv"
$s = [adsisearcher]$str
$s.SearchRoot = $D                                 # search from the bound domain root
$s.PropertiesToLoad.Add('cn') > $Null
$s.PropertiesToLoad.Add('operatingsystem') > $Null
Foreach ($CA in $s.FindAll()) {
    Write-Host $CA.Properties.Item('cn')
    $CA.Properties.Item('operatingsystem')
}

PowerShell used to query Active Directory (AD) over the Lightweight Directory Access Protocol (LDAP). The script enumerates computer objects in the directory, retrieving attributes such as hostnames, operating systems, and distinguished names.

Signed Binary Proxy Execution (LOLBins)

Explicitly documented in AA22-055A:

  • mshta.exe
  • CMSTP.exe (with malicious .INF)
  • rundll32.exe (via Registry Run key)
  • .NET csc.exe (compile after delivery)

Credential Access

Observed credential enumeration (AA24-290A):

Cmdkey /list

Used to enumerate cached credentials on compromised systems.

LSASS Dumping

rundll32.exe comsvcs.dll, MiniDump
procdump.exe -ma lsass.exe

Archive & Staging

Observed tool (AA22-055A): makecab.exe

Used to compress collected data prior to exfiltration.
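As an added example, not code from the advisories or from this page's author: a Python detection routine that matches process-creation command lines against the discovery, credential-access, LOLBin and staging commands listed above, and flags any host where several distinct Active Directory discovery techniques fire within a short window (the rapid post-access enumeration pattern the advisories describe). The sample telemetry, host and user names, regexes, window and burst threshold are constructed assumptions to tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns for the commands documented above (AA22-055A / AA24-290A), labelled with the ATT&CK
# technique each maps to; run against the CommandLine of Sysmon event 1 / Security event 4688.
INDICATORS = [
    ("T1482/T1018 Domain & DC Discovery", re.compile(r"\bnltest(\.exe)?\s+/(dclist|domain_trusts)", re.I)),
    ("T1069.002 Domain Groups", re.compile(r"\bnet1?(\.exe)?\s+group\s+.*\s/domain\b", re.I)),
    ("T1087.002 Domain Accounts", re.compile(r"\bnet1?(\.exe)?\s+(user|accounts|view)\s+/domain\b", re.I)),
    ("T1555.004 Credential Manager", re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I)),
    ("T1003.001 LSASS Memory", re.compile(r"comsvcs\.dll\s*,\s*MiniDump|procdump(64)?(\.exe)?\s.*lsass", re.I)),
    ("T1218 Signed Binary Proxy", re.compile(r"\b(mshta|cmstp)(\.exe)?\b", re.I)),
    ("T1560.001 Archive via Utility", re.compile(r"\bmakecab(\.exe)?\b", re.I)),
]
DISCOVERY = {"T1482/T1018 Domain & DC Discovery", "T1069.002 Domain Groups", "T1087.002 Domain Accounts"}

def classify(cmdline):
    """Technique labels whose pattern matches one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]

def detect(events, window=timedelta(minutes=10), burst=3):
    """events: (timestamp, host, user, command line) tuples. Returns (per-event hits,
    hosts where >= `burst` distinct discovery techniques ran within `window`)."""
    hits, discovery_by_host = [], defaultdict(list)
    for ts, host, user, cmd in events:
        for tech in classify(cmd):
            hits.append((ts, host, user, tech))
            if tech in DISCOVERY:
                discovery_by_host[host].append((ts, tech))
    bursts = set()
    for host, items in discovery_by_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # sliding window starting at each discovery event
            if len({tech for ts, tech in items[i:] if ts - t0 <= window}) >= burst:
                bursts.add(host)
                break
    return hits, bursts

# Constructed sample telemetry for the example, not real log data.
SAMPLE = [
    (datetime(2024, 10, 1, 9, 0, 0), "WS01", "jdoe", "nltest /dclist"),
    (datetime(2024, 10, 1, 9, 0, 5), "WS01", "jdoe", "nltest /domain_trusts /all_trusts"),
    (datetime(2024, 10, 1, 9, 0, 20), "WS01", "jdoe", 'net group "Domain Admins" /domain'),
    (datetime(2024, 10, 1, 9, 1, 0), "WS01", "jdoe", "net user /domain"),
    (datetime(2024, 10, 1, 9, 5, 0), "WS01", "jdoe", "cmdkey /list"),
    (datetime(2024, 10, 1, 9, 6, 0), "WS01", "jdoe", "rundll32.exe comsvcs.dll, MiniDump"),
    (datetime(2024, 10, 1, 9, 7, 0), "WS02", "svc-backup", "makecab.exe C:\\Temp\\out.txt C:\\Temp\\out.cab"),
    (datetime(2024, 10, 1, 14, 0, 0), "WS03", "admin", "net view /domain"),  # lone lookup, no burst
]
```

Individual matches on `net` or `nltest` are noisy in an administrator's hands; the burst rule is what separates routine lookups from the enumeration sequence the advisories document.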

Final Takeaway for Defenders

Iranian government-affiliated operators consistently demonstrate:

  • Living-off-the-land tradecraft
  • Active Directory-centric operations
  • Credential dumping before lateral movement
  • Scheduled tasks and services for persistence
  • Destructive capability via shadow copy deletion

Mitigations (Per CISA AA24-290A)

  • Implement phishing-resistant MFA [CPG 2.H]
  • Continuously review MFA coverage across all internet-facing services [CPG 2.W]
  • Disable accounts for departing staff immediately [CPG 2.D]
  • Ensure password policies align with NIST Digital Identity Guidelines
    • Enforce minimum password strength [CPG 2.B]
    • Avoid common passwords (e.g., seasonal formats)

Helpdesk & Credential Controls

  • Review IT helpdesk password reset procedures
  • Ensure identity verification aligns with policy
  • Prevent weak reset practices

User Awareness

  • Provide basic cybersecurity training [CPG 2.I]
  • Train users to deny unexpected MFA requests
  • Encourage reporting of failed login attempts [CPG 2.G]

Infrastructure Hardening

  • Disable RC4 for Kerberos authentication
  • Audit internet-facing VPNs and edge appliances
  • Validate MFA on all exposed protocols

Validate Security Controls (Per CISA Guidance)

CISA recommends testing security controls against ATT&CK techniques described in advisories:

  1. Select a documented ATT&CK technique
  2. Align security technologies to the technique
  3. Test detection & prevention capability
  4. Analyze performance
  5. Tune people, processes, and tools
  6. Repeat continuously at scale in production environments

This structured validation approach ensures defensive controls perform effectively against documented Iranian TTPs.