Mapping Iran’s Rana Institute to MITRE Pre-ATT&CK™ and ATT&CK™
May 15, 2019
The internet has been aflame with discussions around three leaks of internal information from APT groups attributed to the Islamic Republic of Iran. One of these leaks was written up by the security firm ClearSky (https://www.clearskysec.com/uploads/2019/05/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf) and details what appears to be an offensive cyber contractor called “Rana Institute” and a collection of documents marked “Secret”. If you’re an Atari old-schooler like me, your mind instantly went to Ranarama.
Aside from retro gaming nostalgia, what was most fascinating was the unique insight into a state-affiliated cyber unit, with details of its intelligence priorities, target selection, tradecraft and TTPs. We decided to break down the ClearSky report using the MITRE ATT&CK and PRE-ATT&CK frameworks to put these operations into context, with lessons learned for defenders. Where possible, I’ve outlined some mitigation advice at each of these stages.
TL;DR: the attackers’ targets were databases storing confidential and proprietary information. Their main TTP was the use of valid credentials. Their ancillary TTPs (phishing, SQL injection, etc.) were used to acquire valid credentials to help the attackers achieve their goals.
Priority Definition Planning
T1231 – Create strategic plan
The ClearSky report states that in one of the documents, the strategic plan for Iranian cyber activity was “to develop and expand the country’s intelligence gathering and cyber capabilities (developing malware and viruses, various systems, etc.)”
T1230 – Derive intelligence requirements
From the above strategic plan, various intelligence requirements were derived. These include:
- Tracking Iranians
- Tracking Iranian citizens outside of Iran
T1227 – Develop KITs/KIQs
Based on these intelligence requirements, a number of more detailed Key Intelligence Topics (KITs) were developed. A detailed example from the report is the “End of Year 2015” report which lists the following as key topics around international airlines and what information could be obtained from them, specifically:
- Flight information: A number of intelligence opportunities for tracking individuals were discussed
- Passenger information: personal details of passengers which could have an intelligence value, specifically around tracking
- Flight crew information: details of which pilots were flying which routes
- Airline employee information: details of key employees such as network admins
- Equipment information: not only about the airplanes but also the IT equipment
- Financial health status of the airline
Priority Definition Planning
T1241 – Determine strategic target
Based on the intelligence requirements and KITs, a number of airlines were selected as strategic targets. Among the airlines mentioned in the leaked data were:
- Ethiopian Airlines
- Malaysian Airlines
- Philippine Airlines
- Thai Airways
- Jet Airways
The attackers also pursued a wide range of other targets, including government departments, hotel booking websites, telecoms and IT companies.
T1245 – Determine approach/attack vector
One notable detail in the report is that the attackers undertook some preparation sessions in order to learn about the airline sector in detail. They did this by understanding how Iranian airlines operating inside Iran function, including details about the Operational Technologies (OT) in use by the airlines and airports.
Technical Information Gathering
T1247 – Acquire OSINT data sets and information
In one attack, the attackers “mapped all the IP addresses, the domains, the websites, and the apps used” by the target. This is a standard approach when profiling a target and provides the attackers with a set of potential targets which then can be investigated further.
Figure 1 – A screenshot from the released files, showing server IP addresses, usernames, and passwords
T1250 – Determine domain and IP address space
One of the first steps taken by the attackers was to footprint the target organizations, in particular their external network footprint.
T1252 – Map network topology
Once the IP space for the target organization was determined, the attackers mapped out the network topology, looking in particular for the target’s websites and any associated websites.
T1259 – Determine external network trust dependencies
The report details how one target organization was breached via use of the organization’s own VPN. To discover the VPN in question, the attackers would have needed to perform the necessary reconnaissance activities.
T1263 – Identify security defensive capabilities
One section of the report details the problems that the attackers encountered while attempting to breach their targets. Effective firewalls were listed as one particular control which obstructed the attackers’ activity.
T1253 – Conduct passive scanning and T1254 – Conduct active scanning
When the attackers had completed enough footprinting work to identify the IP ranges in use, they would have scanned these ranges. The report does not specify whether active or passive scanning was used, however.
People Information Gathering
T1271 – Identify personnel with an authority/privilege
The attackers looked for key personnel in organizations that would help them complete their mission. One example was DBAs (Database Administrators) and Systems Administrators. According to the report, the attackers would often gain an initial foothold in the target environment either by exploiting an Internet-facing service or by (spear)phishing an employee. Once inside, the attackers would hunt for information that would identify administrators of various types of systems and then attack them. It does not appear to be the case that the attackers were attempting to profile admins externally by using, for example, social media.
Technical Weakness Identification
T1293 – Analyze application security posture
The attackers used a two-pronged approach of exploitation of Internet-facing network services and social engineering campaigns to breach their targets. In terms of network exploitation, the attackers would attempt to identify vulnerable servers and software. Judging by the data in the leak, such as references to tools and technologies, the attackers were using older tools such as Havij for SQL injection and exploiting older software stacks such as Cold Fusion. If the attackers were unsuccessful in exploiting a website for an initial foothold, they would attempt to use phishing attacks instead.
Establish & Maintain Infrastructure
T1329 – Acquire and/or use 3rd party infrastructure services
Bitcoin was used by the attackers for various online purchases. The attackers used a separate VMware instance for their cryptocurrency trading. It is common for attackers to use cryptocurrencies for the purchase of infrastructure due to their perceived anonymity properties.
Digital Shadows mitigation advice: continuous assessment of externally-facing infrastructure and organizational assets beyond the network perimeter can assist in reducing an organization’s attack surface.
T1190 – Exploit Public-Facing Application
Conversations leaked in the data dump indicate that the attackers were targeting Cold Fusion instances. The goal was to install a webshell on the server. There is no further detail on which versions were attacked or which exploits were used, but there are public exploits for known Cold Fusion vulnerabilities which may be part of the attackers’ arsenal, e.g., https://www.exploit-db.com/exploits/45979.
The Havij tool for SQL injection can also be used to gain remote code execution (RCE) in certain situations. As many of the attackers’ goals were centered around gaining access to databases, SQL injection appears to have been a standard approach for the attackers to gain initial access.
Digital Shadows mitigation advice: software and services which are vulnerable to publicly available exploits are highly likely to be exploited by an attacker. Any service which is Internet-facing should be patched in a timely manner to prevent both targeted and opportunistic attacks. In cases where it is not possible to patch a service, an additional compensating control, such as IP whitelisting, may need to be used.
T1133 – External Remote Services and T1078 – Valid Accounts
The report states that in one case, the attackers used the target’s own VPN to gain access. It is likely therefore that the attackers had somehow gathered, guessed or dumped valid credentials for this VPN. Another attack used RDP/Citrix to gain initial access to the target.
Digital Shadows mitigation advice: remote access solutions such as VPNs or RDP servers need to have two-factor authentication (2FA) enabled to prevent credential theft or brute forcing attacks. In cases where it is not possible to upgrade a necessary remote access solution, an additional compensating control, such as IP whitelisting, may need to be used.
T1193 – Spearphishing Attachment
The attackers used a variety of phishing and spearphishing techniques in order to breach their target. The report states that “The attackers used a compromised email of a Fly Dubai employee to send phishing emails to other employees. The email contained an attachment of a malicious Excel file with various flight lists” and “out of the 40 recipiences 5 individuals opened the email and infected their computers”. This shows creative usage of an existing asset by the attackers and an effective way of bypassing many people’s defenses when it comes to spotting phishing emails: the emails came from a trusted source.
Digital Shadows mitigation advice: Use of an email filtering system or service can help to identify some spearphishing threats, particularly around malicious attachments. Office 365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service. 2FA is essential for email accounts, especially with a security key where possible. Employees should be made aware that personal accounts are regularly targeted by certain adversaries and that they should not enter credentials online unless they are expecting to do so.
T1204 – User Execution and T1064 – Scripting
While the report details that the attackers sent spearphishing emails to their targets, it is not detailed how the attackers gained code execution. Given the standard nature of the other tools used by the attackers, it is assessed as likely that they used VBA macros in Microsoft Office documents with some social engineering text and images to cloak the true nature of the attachment.
Digital Shadows mitigation advice: Attack surface reduction through the disabling of Windows scripting systems where appropriate is a powerful technique for mitigating email-borne threats. The ACSC (Australian Cyber Security Centre) has detailed guidance available for how to disable macros, including considering business processes and legitimate business requirements for macros and how to mitigate the risk incurred by them. OLE package activation can also be disabled where possible. LNK files can be blocked by email filtering gateways to prevent the files from reaching targeted users. Windows Script Host (WSH) can be disabled if possible or, where that is not possible, restricted to mitigate its risks. Security awareness training should be used to educate users as to the warning signs of phishing emails in order to reduce the number of infections.
T1078 – Valid Accounts
One element of tradecraft which is common to all the attacks described in the report is the attackers’ emphasis on credentials. Whether it is for breaching external services, performing privilege escalation, lateral movement or access to databases, the attackers’ go-to TTP is valid accounts. The report details that in many cases the attackers were looking for administrator credentials, especially for network and systems administrators and DBAs. It is not detailed exactly how these privileged accounts were obtained, but one leaked file shows the usage of Mimikatz (see section below on Credential Dumping) and this is one likely path by which additional privileged credentials were obtained.
Digital Shadows mitigation advice: Patching operating systems and applications to prevent privilege escalation is important, as well as limiting who has access to admin accounts. Privileged Identity Management (PIM) and Privileged Access Management solutions can provide added oversight to prevent accounts being misused and abused.
T1003 – Credential Dumping
The figure below clearly demonstrates the usage of the well-known, open source security tool Mimikatz by the attackers:
Figure 2 – Usage of Mimikatz by the attackers
Mimikatz has many functions, one of which is to dump credentials from memory. In certain configurations Mimikatz is capable of recovering the plaintext passwords for all users on the system. This appears to be what happened in the leaked log files. Since Mimikatz requires Administrator privileges to run, the attackers already had a privileged position in the environment in terms of access before they dumped the credentials.
Digital Shadows mitigation advice: limiting administrator credentials to only those users who have a business requirement to have that level of access is an effective way to limit how much access an attacker can gain with Mimikatz. A modern EDR system with in-memory scanning capabilities can detect the usage of Mimikatz. Indeed, the attackers themselves noted that “Robust anti-virus installed on critical systems” inhibited their operations. The most recent versions of Windows have a variety of mitigations against some Mimikatz techniques. Administrators of legacy systems can review the detailed guidance in this article.
T1110 – Brute Force
In one attack, the attackers gained access to a Linux system on which they installed the Hydra bruteforcing tool, which was then used to bruteforce SMB (Server Message Block) credentials for access to a Windows environment. Hydra works by taking a common or custom username and password list, attempting to authenticate to a server with each username/password combination in the list, and logging the successful credentials.
Digital Shadows mitigation advice: logging multiple unsuccessful login events in a SIEM or other log management tool is an effective way to catch off-the-shelf brute force tools which do not by default attempt to hide their attempts. Microsoft has guidance available for Windows 10 machines. Multiple user reports of being locked out of their account can be a sign of brute force activity.
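The detection described above, sketched as an added example (not code from the ClearSky report or from Digital Shadows): it counts failed logons per source inside a sliding window and notes any account that later logged on successfully from the same source. The simplified record layout, addresses, account names and thresholds are constructed assumptions; event IDs 4625 and 4624 are the Windows failed and successful logon events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (time, event ID, source IP, account); not leak data.
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    # One internal host running a wordlist: rapid failures, then a hit.
    ("2019-05-01T02:00:01", 4625, "10.0.5.20", "administrator"),
    ("2019-05-01T02:00:02", 4625, "10.0.5.20", "administrator"),
    ("2019-05-01T02:00:03", 4625, "10.0.5.20", "dbadmin"),
    ("2019-05-01T02:00:04", 4625, "10.0.5.20", "dbadmin"),
    ("2019-05-01T02:00:05", 4625, "10.0.5.20", "dbadmin"),
    ("2019-05-01T02:00:06", 4625, "10.0.5.20", "DBAdmin"),
    ("2019-05-01T02:00:07", 4624, "10.0.5.20", "dbadmin"),
    # A user mistyping a password twice: stays below the threshold.
    ("2019-05-01T09:00:00", 4625, "10.0.7.33", "jsmith"),
    ("2019-05-01T09:00:20", 4625, "10.0.7.33", "jsmith"),
    ("2019-05-01T09:00:40", 4624, "10.0.7.33", "jsmith"),
    # Five failures spread over hours: never five inside one window.
] + [(f"2019-05-01T{h:02d}:00:00", 4625, "10.0.9.9", "svc_backup")
     for h in range(8, 13)]


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: details} for sources with a burst of failed logons."""
    by_src = defaultdict(list)
    for ts, event_id, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), event_id, user.lower()))

    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        fails = [(t, u) for t, eid, u in recs if eid == 4625]
        # Largest number of failures that fit inside any one window.
        start = burst = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst < threshold:
            continue
        # A success for an account that failed earlier from this source
        # suggests the guessing worked and the credential needs resetting.
        guessed = {u for t, eid, u in recs if eid == 4624
                   and any(ft < t and fu == u for ft, fu in fails)}
        alerts[src] = {"failures": burst,
                       "accounts": sorted({u for _, u in fails}),
                       "guessed": sorted(guessed)}
    return alerts


if __name__ == "__main__":
    for source, detail in detect_bruteforce(SAMPLE_EVENTS).items():
        print(source, detail)
```

The "guessed" field is the part worth alerting on first: a burst of failures followed by a success is a credential that has to be treated as compromised.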
T1046 – Network Service Scanning, T1018 – Remote System Discovery and T1135 – Network Share Discovery
The report does not go into detail as to how the attackers performed discovery inside of a compromised target environment; however, it is clear that the attackers performed extensive internal reconnaissance looking for high-value targets. The report states that one attacker behavior was to attempt to identify the Domain Controller in the network. Other sections of the report detail that the attackers attempted to retrieve network architecture information from compromised data stores.
Digital Shadows mitigation advice: A tuned SIEM can assist in detecting port scans, Active Directory enumeration activity and other internal reconnaissance activity. It is also advised that network diagrams and other internal information are restricted in their distribution given their utility to attackers.
T1021 – Remote Services and T1035 – Service Execution
In the dump there are extracts from the attackers’ own notes that reveal the use of the SysInternals tool psexec for lateral movement. This is a standard systems administration tool which is often used by attackers as it is a signed Microsoft binary, but it is also part of many attack toolkits like PowerShell Empire and Cobalt Strike. Additionally, given that the focus of their tradecraft was taking advantage of stolen credentials, it is assessed as likely that the attackers would have used remote services such as RDP (this is mentioned in the report) in order to move around the internal network.
Figure 3: A screenshot from the released files demonstrating the usage of psexec by the attackers for lateral movement
Digital Shadows mitigation advice: The attackers themselves noted that “strong firewalls” and “network segmentation” were effective at inhibiting their activity. While all controls can potentially be bypassed given enough time and resources, the goal as network defenders is to increase attacker costs. These mitigations do exactly that. Additionally, they also create detection possibilities as the attackers need to invest effort in circumventing controls which can be a noisy process.
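One way to turn psexec use into a detection, as an added example that is not from the report or the original post: PsExec by default installs a service named PSEXESVC on the target, which Windows records as System event 7045, and pairing that with the network logon (4624, logon type 3) just before it shows where the movement came from. The normalised record layout, host names, addresses, accounts and the 30-second gap are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records, already normalised to dicts; not leak data.
# 7045 = service installed (System log), 4624 = successful logon (Security log).
SAMPLE = [
    {"time": "2019-05-02T03:10:00", "host": "FILESRV01", "id": 4624,
     "logon_type": 3, "src_ip": "10.0.5.20", "user": "dbadmin"},
    {"time": "2019-05-02T03:10:02", "host": "FILESRV01", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # Ordinary software install after a logon: must not be reported.
    {"time": "2019-05-02T03:15:00", "host": "WEB03", "id": 4624,
     "logon_type": 3, "src_ip": "10.0.8.8", "user": "deploy"},
    {"time": "2019-05-02T03:15:05", "host": "WEB03", "id": 7045,
     "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
    {"time": "2019-05-02T03:25:10", "host": "DBSRV02", "id": 4624,
     "logon_type": 3, "src_ip": "10.0.6.10", "user": "administrator"},
    {"time": "2019-05-02T03:25:11", "host": "DBSRV02", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # PsExec service with no network logon close enough to attribute it.
    {"time": "2019-05-02T03:30:00", "host": "HR05", "id": 4624,
     "logon_type": 3, "src_ip": "10.0.6.10", "user": "administrator"},
    {"time": "2019-05-02T03:40:00", "host": "HR05", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]


def find_psexec_movement(events, max_gap=timedelta(seconds=30)):
    """Return (source_ip, user, target_host) for each PsExec service install."""
    parsed = sorted(((datetime.fromisoformat(e["time"]), e) for e in events),
                    key=lambda pair: pair[0])
    edges = []
    for when, ev in parsed:
        if ev["id"] != 7045:
            continue
        names = (ev.get("service", "") + " " + ev.get("image", "")).lower()
        if "psexesvc" not in names:
            continue
        # Network logons on the same host shortly before the install;
        # the list is in time order, so the last entry is the closest one.
        logons = [e for t, e in parsed
                  if e["id"] == 4624 and e.get("logon_type") == 3
                  and e["host"] == ev["host"]
                  and timedelta(0) <= when - t <= max_gap]
        src = logons[-1] if logons else {}
        edges.append((src.get("src_ip"), src.get("user"), ev["host"]))
    return edges


if __name__ == "__main__":
    for edge in find_psexec_movement(SAMPLE):
        print("%s (%s) -> %s" % edge)
```

A non-default service name defeats the name match, so this is a baseline to combine with review of other unexpected service installs on servers.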
T1213 – Data from Information Repositories, T1005 – Data from Local System and T1039 – Data from Network Shared Drive
The attackers’ goals are clear from the leak: they are targeting databases with sensitive, internal information. The report describes in many cases how the attackers were targeting Oracle, MS-SQL, IBM DB/2 and other database technologies. The DBAs responsible for these databases were high-value targets for the attackers, who invested significant effort in gaining access to their credentials either through theft or bruteforcing. SQL injection was also used extensively to gain access to databases behind externally-facing websites. The attackers were after information that supported their collection requirements as detailed in the PRE-ATT&CK section of this blog.
The attackers were actively collecting information on the network architecture used by the target organization once inside. This information could be located in information repositories, network shares or even the local system that the attackers had gained access to.
Digital Shadows mitigation advice: Large amounts of storage being used up unexpectedly is another signal that something potentially suspicious is occurring. Monitoring of key servers to ensure that only specific scripts, such as PowerShell scripts, are able to run and that the appropriate logging is in place to monitor PowerShell and other scripting activity is important. Monitoring account activity, including admin accounts, is important for uncovering anomalous and/or malicious behavior.
The leaked data describes an operationally sophisticated set of espionage campaigns conducted by a mature collection bureaucracy. While the technical sophistication of the campaigns was not extremely high, they were clearly effective. The attackers had clear goals, driven by collection requirements, and were persistent in their attempts to achieve them. The attackers were highly focused on databases maintained by their targets and all of their offensive activity was centered around gaining access to these. Use of valid credentials was the attackers’ main technique and their other ancillary techniques were used to gain access to credentials, especially privileged credentials used by administrators.