Tenable’s Research Special Operations team focuses on some frequently asked questions about Iranian cyber operations, including the tactics, techniques and procedures employed by Iran-based threat actors.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding Iranian cyber operations in the wake of the recent conflict and warnings from U.S. government agencies, including the Department of Homeland Security (DHS), about potential retaliatory attacks from cyber actors affiliated with the Iranian government as well as hacktivists. This FAQ provides a focused analysis of Iranian state-sponsored cyber threats, detailing the types of threats used by Advanced Persistent Threat (APT) groups, tactics, techniques and procedures (TTPs) mapped to the MITRE ATT&CK framework and the specific vulnerabilities they consistently exploit. We also provide guidance about Tenable product coverage you can use to reduce your cyber exposure to these threats.
FAQ
Has there been an increase in threat activity related to Iran-based threat actors? While there have been ample warnings from U.S. government agencies about retaliatory attacks, we’re also seeing a slight increase in reported activity by threat actors. Reports have cited that threat actors have begun targeting U.S. finance, defense, and energy sectors. While this activity has been limited to distributed-denial-of-service (DDoS) attacks, there have also been recent reports of an increase in targeted phishing attacks. Which threat actors are believed to be Iran-based or linked to the Iranian government? In recent years, several Iran-based groups have been identified by security vendors and U.S. government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA). In some alerts, threat activity has been linked to the Iranian Islamic Revolutionary Guard Corps (IRGC), while other APT groups and hacktivist groups have been identified as having ties to Iran. The table below outlines the groups and known activities linked to them. While this is not an exhaustive list of all known APTs and threat actors known to have previously been attributed to Iran, these groups have been recent subjects of CISA and other U.S. government alerts and have been featured in reports from multiple security vendors.
| Threat actor | Activity |
|---|---|
| HomeLand Justice | Carried out destructive attacks against the Government of Albania in 2022, utilizing ransomware and disk wiping malware. |
| Pioneer Kitten Fox Kitten UNC757 Parisite RUBIDIUM Lemon Sandstorm Br0k3r xplfinder | Collaborates with ransomware groups in order to monetize access to victim networks. Known to exploit common and well-known vulnerabilities in internet-facing devices and critical infrastructure. |
| CyberAv3ngers | Attacked and defaced OT devices, including Unitronics PLC devices commonly used in water and wastewater systems. |
| APT35 CALANQUE Charming Kitten CharmingCypress ITG18 Mint Sandstorm (formerly Phosphorus) Newscaster TA453 Yellow Garuda Educated Manticore APT42* Agent Serpens UNC788 | Social engineering campaigns targeting journalists and internet-facing applications *APT42 is a subcluster of APT35 and also poses as journalists in order to harvest credentials. Some aliases overlap between these groups. |
| APT34 OilRig Helix Kitten Hazel Sandstorm Earth Simnavaz | Exploits internet-facing servers and uses supply chain attacks to target finance, energy, chemical, telecommunications and government sectors. |
| MuddyWater Earth Vetala MERCURY Static Kitten Seedworm TEMP.Zagros | Uses remote monitoring and management tools to target telecom companies in the Middle East and North Africa, Europe and North America. |
| Agrius Pink Sandstorm | Targets Israeli companies with wiper malware disguised as ransomware |
| Imperial Kitten | An APT group that has targeted Israeli transportation/logistics and technology sectors |
| Banished Kitten Dune | Known as “Faketivist” for its attempts to masquerade as hacktivist groups due to their adoption of TTPs used by hacktivist groups |
What are the vulnerabilities that have been targeted by Iranian threat actors? The following table contains a list of CVEs that have been known to be exploited by Iran-based threat actors. This list of CVEs covers a wide range of commonly exploited vulnerabilities that have also been abused by a wide variety of threat actors beyond just Iran-based APTs or state-sponsored actors.
| CVE | Description | CVSSv3 Score | VPR |
|---|---|---|---|
| CVE-2017-11774 | Microsoft Outlook Security Feature Bypass Vulnerability | 7.8 | 8.9 |
| CVE-2018-13379 | Fortinet FortiOS SSL VPN Web Portal Path Traversal Vulnerability [1] [2] [3] | 9.8 | 9.0 |
| CVE-2019-0604 | Microsoft SharePoint Remote Code Execution (RCE) Vulnerability [1] | 9.8 | 8.9 |
| CVE-2019-11510 | Pulse Connect Secure Arbitrary File Disclosure [1] [2] [3] [4] | 10.0 | 8.1 |
| CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway Directory Traversal [1] [2] [3] [4] [5] [6] [7] [8] [9] | 9.8 | 8.9 |
| CVE-2019-5591 | Fortinet FortiOS Default Configuration [1] [2] | 6.5 | 6.6 |
| CVE-2020-12812 | Fortinet FortiOS Improper Authentication [1] [2] | 9.8 | 8.9 |
| CVE-2020-1472 | Windows Netlogon Elevation of Privilege (EoP) Vulnerability (Zerologon) [1] [2] [3] [4] [5] | 10 | 10 |
| CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass Vulnerability (Part of ProxyShell) [1] [2] [3] | 6.6 | 6.6 |
| CVE-2021-34473 | Microsoft Exchange Server RCE (ProxyShell) [1] [2] [3] | 9.8 | 9.2 |
| CVE-2021-34523 | Microsoft Exchange Server EoP (Part of ProxyShell) [1] [2] [3] | 9.0 | 9.6 |
| CVE-2021-44228 | Apache Log4j RCE (Log4Shell) [1] [2] [3] [4] | 10 | 10 |
| CVE-2021-45046 | Apache Log4j2 Denial of Service (DoS) and RCE [1] [2] | 9.0 | 8.1 |
| CVE-2021-45105 | Apache Log4j2 DoS [1] [2] | 5.9 | 6.6 |
| CVE-2022-1388 | F5 Networks F5 BIG-IP Authentication Bypass Vulnerability [1] [2] [3] | 9.8 | 9.0 |
| CVE-2022-26134 | Atlassian Confluence Server and Data Center OGNL Injection [1] [2] | 9.8 | 9.6 |
| CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) RCE (Follina) [1] [2] [3] | 7.8 | 9.8 |
| CVE-2022-42475 | Fortinet ForiOS Heap-Based Buffer Overflow [1] [2] | 9.8 | 8.9 |
| CVE-2022-47966 | Zoho ManageEngine RCE [1] | 9.8 | 9.7 |
| CVE-2022-47986 | IBM Aspera Faspex RCE | 9.8 | 9.0 |
| CVE-2023-27350 | PaperCut NG Authentication Bypass | 9.8 | 9.0 |
| CVE-2023-3519 | Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and Netscaler Gateway) Unauthenticated RCE Vulnerability [1] [2] | 9.8 | 9.0 |
| CVE-2023-38831 | RARLAB WinRAR Arbitrary Code Execution | 7.8 | 9.7 |
| CVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability [1] [2] | 8.2 | 6.7 |
| CVE-2023-6448 | Unitronics VisiLogic Default Administrative Password | 9.8 | 7.4 |
| CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability [1] [2] [3] | 9.1 | 9.8 |
| CVE-2024-24919 | Check Point Security Gateway Information Disclosure Vulnerability [1] [2] | 8.6 | 7.1 |
| CVE-2024-30088 | Windows Kernel Elevation of Privilege Vulnerability [1] [2] | 7.0 | 9.6 |
| CVE-2024-3400 | Palo Alto PAN-OS Command Injection Vulnerability [1] [2] | 10.0 | 10.0 |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on June 27 and reflects VPR at that time. Has Tenable released any product coverage for these vulnerabilities? The CVEs covered in this blog have product coverage from Tenable. A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages: CVE-2017-11774 CVE-2018-13379 CVE-2019-0604 CVE-2019-11510 CVE-2019-19781 CVE-2019-5591 CVE-2020-12812 CVE-2020-1472 CVE-2021-31207 CVE-2021-34473 CVE-2021-34523 CVE-2021-44228 CVE-2021-45046 CVE-2021-45105 CVE-2022-1388 CVE-2022-26134 CVE-2022-30190 CVE-2022-42475 CVE-2022-47966 CVE-2022-47986 CVE-2023-27350 CVE-2023-3519 CVE-2023-38831 CVE-2023-46805 CVE-2023-6448 CVE-2024-21887 CVE-2024-24919 CVE-2024-30088 CVE-2024-3400 These links will display all available plugins for the listed vulnerabilities, including upcoming plugins in our Plugins Pipeline. In addition to plugin coverage, the tables below highlight additional Tenable product coverage for the MITRE ATT&CK IDs that are known to be associated with Iran-based threat actors. Tenable attach path techniques
| MITRE ATT&CK ID | Description | Tenable attack path techniques |
|---|---|---|
| T1003.001 | OS Credential Dumping: LSASS Memory | T1003.001_Windows |
| T1012 | Query Registry | T1012_Windows |
| T1021.001 | Remote Services: Remote Desktop Protocol | T1021.001_Windows |
| T1047 | Windows Management Instrumentation | T1047_Windows |
| T1053.005 | Scheduled Task/Job: Scheduled Task | T1053.005_Windows |
| T1059.001 | Command and Scripting Interpreter: PowerShell | T1059.001_Windows |
| T1068 | Exploitation for Privilege Escalation | T1068_Windows |
| T1069.002 | Permission Groups Discovery: Domain Groups | T1069.002_Windows |
| T1069.003 | Permission Groups Discovery: Cloud Groups | T1069.003_Azure T1069.003_AWS |
| T1078.001 | Valid Accounts: Default Accounts | T1078.001_ICS |
| T1078.002 | Valid Accounts: Domain Accounts | T1078.002_Windows |
| T1078.003 | Valid Accounts: Local Accounts | T1078.003_Windows |
| T1078.004 | Valid Accounts: Cloud Accounts | T1078.004_Azure |
| T1082 | System Information Discovery | T1082 |
| T1098 | Account Manipulation | T1098.001_Azure T1098.001_AWS T1098.003_Azure T1098.004 |
| T1133 | External Remote Services | T1133_AWS T1133_Azure T1133_Windows |
| T1190 | Exploit Public-Facing Application | T1190_Aws |
| T1219 | Remote Access Software | T1219_Windows |
| T1482 | Domain Trust Discovery | T1482_Windows |
| T1484.002 | Domain or Tenant Policy Modification: Trust Modification | T1484.002_Azure |
| T1499 | Endpoint Denial of Service | T1499.004 |
| T1555 | Credentials from Password Stores | T1555.004_Windows T1555.006 |
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003_Windows |
Tenable Identity Exposure Indicators of Exposure and Indicators of Attack
| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T1003.001 | OS Credential Dumping: LSASS Memory | C-PROTECTED-USERS-GROUP-UNUSED I-ProcessInjectionLsass |
| T1068 | Exploitation for Privilege Escalation | I-SamNameImpersonation |
| T1078 | Valid Accounts | C-AAD-PRIV-SYNC C-AAD-SSO-PASSWORD C-ADM-ACC-USAGE C-ADMIN-RESTRICT-AUTH C-ADMINCOUNT-ACCOUNT-PROPS C-AUTH-SILO C-BAD-SUCCESSOR C-CLEARTEXT-PASSWORD C-DANG-PRIMGROUPID C-DANGEROUS-SENSITIVE-PRIVILEGES C-DC-ACCESS-CONSISTENCY C-DSHEURISTICS C-EXCHANGE-MEMBERS C-KERBEROS-CONFIG-ACCOUNT C-KRBTGT-PASSWORD C-MSA-COMPLIANCE C-NATIVE-ADM-GROUP-MEMBERS C-PASSWORD-DONT-EXPIRE C-PASSWORD-HASHES-ANALYSIS C-PASSWORD-NOT-REQUIRED C-PASSWORD-POLICY C-PKI-DANG-ACCESS C-PRIV-ACCOUNTS-SPN C-PROP-SET-SANITY C-REVER-PWD-GPO C-SERVICE-ACCOUNT C-SLEEPING-ACCOUNTS C-USER-PASSWORD HIGH-NUMBER-OF-ADMINISTRATORS MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT MISSING-MFA-FOR-PRIVILEGED-ACCOUNT |
| T1078.001 | Valid Accounts: Default Accounts | UNRESTRICTED-GUEST-ACCOUNTS C-GUEST-ACCOUNT GUEST-ACCOUNT-WITH-A-PRIVILEGED-ROLE GUEST-ACCOUNTS-WITH-EQUAL-ACCESS-TO-NORMAL-ACCOUNTS |
| T1098 | Account Manipulation | C-AAD-CONNECT C-ABNORMAL-ENTRIES-IN-SCHEMA C-CREDENTIAL-ROAMING C-DANG-PRIMGROUPID C-DC-ACCESS-CONSISTENCY C-EXCHANGE-PERMISSIONS C-PROP-SET-SANITY C-SDPROP-CONSISTENCY C-SENSITIVE-CERTIFICATES-ON-USER C-SHADOW-CREDENTIALS CONDITIONAL-ACCESS-POLICY-DISABLES-CONTINUOUS-ACCESS-EVALUATION ENTRA-SECURITY-DEFAULTS-NOT-ENABLED LEGACY-AUTHENTICATION-NOT-BLOCKED MFA-NOT-REQUIRED-FOR-A-PRIVILEGED-ROLE MFA-NOT-REQUIRED-FOR-RISKY-SIGN-INS MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT MISSING-MFA-FOR-PRIVILEGED-ACCOUNT SHOW-ADDITIONAL-CONTEXT-IN-MICROSOFT-AUTHENTICATOR-NOTIFICATIONS USER-WITH-API-TOKEN |
| T1110 | Brute Force | C-PASSWORD-HASHES-ANALYSIS C-PASSWORD-POLICY I-PasswordSpraying |
| T1190 | Exploit Public-Facing Application | APPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATION |
| T1589 | Gather Victim Identity Information | C-DSHEURISTICS C-PRE-WIN2000-ACCESS-MEMBERS |
| T1556 | Modify Authentication Process | C-AAD-PRIV-SYNC C-SHADOW-CREDENTIALS |
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | I-Kerberoasting I-UnauthKerberoasting |
Tenable Web App Scanning
| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T1190 | Exploit Public-Facing Application | T1190_WAS |
Tenable OT Security
| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T0812 | Exploit Public-Facing Application | T0812_ICS |
What else should I do to remain secure? Cyber hygiene is even more critical in the face of heightened awareness than it is in normal times. Many of the attacks stemming from Iranian-sponsored threat actors mirror tactics used by other cyber actors, including exploiting software and devices that use weak authentication. Attacks have also targeted operational technology (OT) devices. To strengthen your cyber defenses, we recommend: Using strong passwords and enforcing a strong password policy Enabling multi-factor authentication (MFA) Changing default passwords, especially on OT hardware Patching vulnerabilities in assets exposed to the internet Identifying and prioritizing your most valuable assets for remediation Developing a remediation plan and continuing to test and improve it
Get more information
Tenable Blog: Navigating a Heightened Cyber Threat Landscape: Military Conflict Increases Attack Risks Tenable Blog: AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations Tenable Blog: AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks Department of Homeland Security National Terrorism Advisory System Bulletin – June 22, 2025 Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community. Learn more about Tenable One, the Exposure Management Platform for the modern attack surface. 
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2025/06/frequently-asked-questions-about-iranian-cyber-operations/
