Recorded Future Iran APTs Social Engineering

This document discusses social engineering techniques used by Iranian threat groups. It finds that social engineering remains a key tactic for Iranian advanced persistent threat (APT) groups to engage in cyber espionage and information operations. Several Iranian APT groups like APT35, APT34, and Tortoiseshell are among the earliest and most aggressive users of social engineering techniques. Common social engineering approaches used in Iranian attacks include recruitment offers, posing as journalists or researchers seeking opinions, and romantic engagements. The document analyzes several case studies of successful and unsuccessful Iranian social engineering attacks.


CYBER THREAT ANALYSIS | IRAN
By Insikt Group®
March 30, 2022

Social Engineering Remains Key Tradecraft for Iranian APTs

This report covers Iranian social engineering cases and methodologies. It serves those looking to better understand, prepare for, and preempt an attack by Iranian operators against their personnel and organization, and benefits Iran-focused analysts researching topics associated with Iranian social engineering to understand their typical targets, organizations, and objectives. Sources include the Recorded Future® Platform and industry reporting from Microsoft, Proofpoint, ClearSky, FireEye, Mandiant, and CitizenLab, among other open sources.

Key Judgments

• The use of social engineering is a central component of Iranian APT tradecraft when engaging in cyber espionage and information operations. Iranian APTs will continue to modify their tradecraft, including phishing, spoofing, smishing, and other techniques, to target their victims.

• Multiple Iranian threat activity groups use social engineering. APT35, APT34, and Tortoiseshell remain among the earliest and most aggressive adopters of social engineering to aid their intrusion or credential theft operations. We expect these groups to continue to lead attacks using social engineering techniques in the future.

• Patterns in Iranian social engineering attacks suggest they aim to drive targets to multiple platforms; this increases the attack surface by incorporating email, social media, and chat messengers as attack vectors. Malicious documents and applications will continue to be disseminated via one-to-one sock puppet engagements with their targets.

• Various reported Iranian social engineering attacks share approaches, including recruitment offers, offers to solicit targets for journalistic purposes or political analysis, romantic engagements, and supposed anti-government activism.

• The use of foreign languages and knowledge of foreign societies and cultures will continue to play a central role in targeted social engineering attacks. Iranian APTs are improving their command of major languages such as English and major European, Middle Eastern, and South Asian languages.

Executive Summary

Since 2010, pro-Iranian government cyber intrusions have relied on social engineering as a component of the cyberattack life cycle, whether executed through spearphishing attacks or more directly through one-to-one engagements. Iranian operators have targeted members of foreign governments, militaries, businesses, and political dissidents. Their operations appear to use many of the studied “principles of influence” and overlap with human intelligence (HUMINT) recruitment practices, both of which influence social engineering methodologies. Research on the Iranian government’s strategic and tactical approaches to the offensive and defensive “Soft War” also suggests that social engineering is an indispensable element of the government’s cyber capabilities, which it has relied on for at least a decade. Tehran views the ability of a foreign power to incite domestic upheaval as being as dangerous as a military attack on its territory. Equally, the ability to foment social unrest internationally is a capability at its disposal to attack its perceived enemies. Understanding and dissecting foreign societies, languages, cultures, and political systems has enabled Tehran to leverage social engineering in ways comparable to Russian threat activity groups.

Large-scale social engineering campaigns have predominantly been executed by APT35, Tortoiseshell, and APT34, and their associated sub-groups. While their operations do not diminish those run by other advanced persistent threat groups (APTs), these 3 Iran-nexus groups have depicted substantial tradecraft overlaps in how they target their victims. These include the use of charismatic sock puppets, the lure of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions. These are just some of the personas which these 3 Iranian APTs have continued to use since the first major disclosure on Iranian social engineering — Operation Newscaster — was publicly reported in 2014.

1 CTA-IR-2022-0330 Recorded Future ® | www.recordedfuture.com



Background

The growth of Iranian social engineering can be traced to Iranian hacker forums, with many including sub-threads on the techniques necessary to target unsuspecting victims. Some of the earliest examples include the “Simorgh Security Team”, among the first to differentiate social engineering from other hacking disciplines.1 Members of that group claimed that a social engineer must be persuasive, articulate, and possess strong analytical and intelligence gathering skills.

Social engineering, a component of Iran’s defensive and offensive cyber capabilities embedded in pro-government Iranian cyber doctrine, can be traced to institutionalized ideologies such as the “Soft War” (جنگ نرم). The concept of Soft War was established as far back as 2010 and aims to counter subversion, or political, religious, economic, and cultural ideals that may lead to the destabilization and fall of the Islamic Republic. These goals are likely achieved by networks of trusted experts rooted deeply in Iran’s military and intelligence organizations.

For example, the commander of the Islamic Revolutionary Guard Corps (IRGC) in Kerman province (Sarullah Corps) recognized the role of repatriating Iranian “elites” in countering enemy influence and disinformation campaigns,2 declaring them key in the struggle against “the disproportionate soft war and psychological operations [PSYOPS] of the enemy”. In this context, elites refer to highly educated Iranians close to the regime who have been directed to seek education and employment opportunities abroad.

The IRGC and its auxiliary force the Basij, as well as the Ministry of Intelligence and Security (MOIS), have cemented their role in the field to counter the Soft War since 2010; they have established multiple operational bases that, at least in name, are dedicated to the Soft War, such as the Baqiatallah al-Azam Social and Cultural Base (قرارگاه بقیة‌الله الاعظم). The Baqiatallah base is currently headed by the former commander of the IRGC, General Mohammad Ali Jafari, who on this matter claimed in November 2021 that the Islamic Republic’s enemies aimed to destroy it and that “soft, cultural, and media wars” were harder to combat than a kinetic war.3

Open source analysis has referred to Tehran’s strategic threat perceptions within this space. As early as 2010, Iran viewed social media platforms as “elements of a cyber warfare threat … particularly in the way rumors are spread online to ‘stir up’ discord within Iran”, following its own threats to the establishment that arose from the 2009 Green Movement. Iran has proven to strategically leverage the same threat calculus, along with the other Big Four (Russia, China, and to a lesser extent North Korea) adversarial nations, against its adversaries, including the US government.

Operationally, Iranian social engineering depicts a strong emphasis on the use of foreign languages and cultures to execute defensive and offensive campaigns against domestic foes, such as anti-revolutionary fronts like the Mojahedeen Khalq Organization (MEK) and the National Council of Resistance of Iran (NCRI), and nations which Iran perceives to be its adversaries: the US, the UK, Israel, and Saudi Arabia. Pro-government operators understand adversarial societies and cultures well enough to mimic them; this capability manifests, whether successful or not, in information operations, psyops, and cyber intrusions.

Threat Analysis

The cases below outline several successful and unsuccessful social engineering attacks by Iranian operatives. Some cases are associated with cyber intrusion or credential phishing operations, others with influence and psychological operations. Most cases were reported by cyber research groups such as ClearSky, CitizenLab, and Proofpoint. In some cases, anti-government reporting provided additional examples of social engineering tradecraft.

The reporting is also marked by the different naming conventions (cryptonyms) associated with Iranian APT groups. These predominantly involve APT35, Tortoiseshell, and APT34, which are tracked by multiple industry vendors with different cryptonyms. These APTs also have their own subgroups, such as UNC788 and LYCEUM, which at times complicates attribution analysis attempts. To simplify associations, we have included a deconfliction table below.

As part of this research, we selected these 3 Iranian APT groups due to the various social engineering cases that have been publicly reported and their ability to provide insight on attack tradecraft.

1 http[:]//www.webhostingtalk[.]ir/showthread.php?t=65453
2 https[:]//www.tasnimnews[.]com/fa/news/1400/08/27/2610378/
3 https[:]//www.isna[.]ir/news/1400081108669


APT Industry Names

APT35 (FireEye): Charming Kitten (CrowdStrike), Phosphorus (Microsoft), TA453 (Proofpoint), UNC788 (Mandiant/FireEye), ITG18 (IBM X-Force)
Tortoiseshell (Symantec): Imperial Kitten (CrowdStrike), TA456 (Proofpoint), Curium (Microsoft)
APT34 (FireEye): Helix Kitten (CrowdStrike), Cobalt Gypsy (Secureworks), OilRig (Palo Alto), LYCEUM (Secureworks)
Table 1: APT cryptonym deconfliction table (Source: Recorded Future)

The Approach

Extensive studies discuss social engineering tradecraft (that is, persuasion principles) and its effects on human psychology. The principles considered to be key drivers are “authority”, “conformity”, “reciprocity”, “commitment”, “scarcity”, and “liking” (flattery). Applications from such studies are readily visible in the Iranian social engineering approach. For example, in the study, commitment is defined as the “likelihood of sticking to a cause or idea after making a promise or adhesion … which increases the likelihood of compliance”. The process of liking “puts that person in a favourable position” where “People tend to like others who are similar in terms of interests, attitudes, and beliefs”, while with reciprocity “the target feels indebted to the requester for making a gesture and even the smallest gift puts the requester in an advantageous position”.

Iranian methodologies apply many of these techniques to their attacks; some commence with a sense of authority and infuse reciprocity, while others use flattery to hook the target before escalating to a commitment phase. Notably, the process of commitment is observed among all of the threat actor interactions with victims discussed in this report, with benign documents being shared to establish trust and initiate the psychological mechanism of compliance with an attacker’s request. Flattery, or the prospect of being courted by a charismatic persona or high-profile recruiter, is another common tactic, technique, and procedure (TTP) used by various Iranian APTs.

In lesser cases, challenging conventional thought or making provocative and factually inaccurate statements is a reverse psychology trick to draw in and engage a target. For example, Iranian APTs may impersonate a news reporter or claim to be an expert from a reputable think tank. Under this guise, they may state something a target is likely to hold an opposing analytical view on in the hope of eliciting a response from the target. As described by one reputed Iran analyst, this tactic was used in an attack which eventually aimed to have the target proceed to a fake login portal where their credentials would be stolen:

“The email from a prominent Israeli think tank offered some provocative suggestions on US policy towards China. ‘We must understand that China is at war with the United States’, it declared, citing the covid-19 pandemic as evidence. Its authors recommended that the Trump administration set up a team of ‘top China experts’ such as Stephen K. Bannon and former House speaker Newt Gingrich to confront ‘Red China’ in the wake of the coronavirus crisis.”

When the target did not reply, the attackers chose to escalate, first, by sending a new email depicting spoofed correspondence in Hebrew from an analyst the target held a professional working relationship with. When the target again did not respond, the attackers sent a new email impersonating “a president of a prominent Washington think tank offering his critiques of the paper”.

APT Common Techniques

APT35: Immediate Action/Google Recovery; Greetings/Seemingly Benign Engagements; Soliciting Opinions (Journalistic or Other); Enlist/Engaging Professional Counterpart; Romantic Engagement
Tortoiseshell: Romantic Engagement; Professional Opportunity
APT34: Online Survey; Romantic Engagement; Professional Opportunity
Unattributed activity: Elicit Assistance; Engaging as a Dissident; Professional Opportunity; Engaging as a Political Activist
Table 2: Major characteristics of Iranian social engineering tradecraft (Source: Recorded Future)


Figure 1: Operation Newscaster fake personas and their social media presence (Source: iSight)

The examples listed in this report also correlate to some publicized HUMINT principles and agent recruitment techniques. Following the MICE or RASCLS frameworks, the use of financial rewards, or surreptitiously stimulating the target’s ego, have proven to be traits that many Iranian social engineering attacks have adopted. The comparative study also suggests that target manipulation reportedly depends on the “principles of influence and persuasion and they [recruitment case officers] have learned how to manipulate without appearing to be manipulative”. A direct example of this is the case of Mona Rahman from the Endless Mayfly campaign, where the operators attempted to piggyback on negative Saudi sentiment to recruit a social media audience to a physical protest.

Social Engineering Components

While Iranian social engineering attacks vary between groups, and many use open source or bespoke malware, some observable traits remain constant. The characteristics of Iranian operations focus on the theft of credentials, delivery of malicious programs, or delivery of fake information as part of broader influence operations.

Phishing for Credential Theft

Credential theft is among the most prevalent and consistent elements of Iranian social engineering operations. For example, the operators associated with Charming Kitten develop extensive infrastructure networks to enable authentication-themed credential theft activity. These domains mimic popular services such as Google, Hotmail, and Yahoo, as well as countless spoofed login portals associated with information technology (IT) and high-tech groups, telecommunications providers and internet service providers (ISPs), private business, and public offices associated with multiple governments.


The authentication-themed domains discovered by Insikt Group replicate much of the known tradecraft used by Charming Kitten throughout 2021. Similar to the previous examples, the operators predominantly register domains using the .site, .online, .top, .mobi, .network, and .info Top Level Domains (TLDs). The domains investigated are predominantly registered using the OnlineNIC or Namecheap service. Furthermore, in continuation with its known TTPs, Insikt Group research revealed a continued reliance on OVH and Hetzner GmbH hosting providers.

Strategic Web Compromise

In 2021, at least one Iranian social engineering campaign was marked by strategic web compromise (SWC) activity to lead intrusion operations against their victims. The group responsible (see the TA453 campaign below) compromised a legitimate website to steal credentials from targets.

Malicious Applications

Malicious applications form a component of the social engineering threat. Industry research reported throughout 2021 that a malicious application dubbed LittleLooter was used for attack operations. Another sample was detected and reported by Google’s Threat Analysis Group in October 2021. The applications are used to target victims from various sectors inside and outside Iran. These applications are delivered to victims via social engineering attacks, sometimes involving the operators directly engaging with victims.

Malicious Documents

Almost every major social engineering campaign in this report suggests that highly targeted operations revolve around disseminating malicious documents to enable intrusions. The threat actors have used both open source and bespoke malware, such as PupyRAT and LEMPO (LIDERC), respectively, to launch attacks.

Fake News Outlets and Journalists

Since the discovery of the Newscaster network, Iranian social engineering activities have revolved around the use of journalistic personas, malicious fake news websites (see APT35 below), or the dissemination of disinformation to trick or manipulate targets (see Influence Operations below). As noted in this report, Iranian operators have been identified on various occasions assuming the personas of journalists or activists when conducting intrusion or influence operations against targets. Iranian influence operations have similarly been tracked and disrupted by industry researchers, social media organizations, and the US government.

Charismatic Personas

The use of charismatic personas has been a formative characteristic of Iranian social engineering campaigns. Almost every case discussed in this report refers to at least one fabricated profile used to target unsuspecting victims. In some cases, the profiles were so successful (see Mia Ash) that a victim, potentially acting under the false illusion of a romantic engagement, provided their personal details to register domains used by the threat actor.

Social Engineering Campaigns

Phosphorus

On November 16, 2021, Microsoft’s Threat Intelligence Center (MSTIC) outlined its observations of Iranian threat actor activity without giving specific operational examples. Prime among the groups MSTIC observed were Phosphorus and Curium. MSTIC reported that Phosphorus was increasingly devoting more time to engaging with its victims by sending benign questions and engaging in several “back-and-forth conversations” before sending an “interview request” with links masquerading as Google Meeting invites. Insikt Group has identified similar examples that focused on the use of the IMO chat service (Figure 3).

MSTIC analysis revealed that Phosphorus operators have become more aggressive with their targets, “almost demanding a response”. On November 20 and 24, 2021, threat actors impersonated a well-known New York Times Bureau Chief, Thomas Erdbrink, who has covered Iran, in an attempt to target a dissident activist, Mahsa Alimardani (Figure 3). While the MSTIC disclosure is not likely related to the Erdbrink impersonation attempt, it highlights the group’s ongoing attempts to target its victims notwithstanding public disclosures against it. Additionally, impersonating journalists is a well-reported tactic used by the operators associated with the Iran-nexus group (additional evidence in Appendix).


Figure 3: URLScan of a suspected Charming Kitten-linked domain identified by Insikt Group led to a login page for IMO chat video (Source: URLScan)

According to MSTIC, Curium, which highly likely overlaps with Tortoiseshell, uses more long-term tradecraft. Curium engages via social media or professional networking accounts, and will exchange multiple benign files with the victim prior to sending a malicious document. The act of exchanging files and visual content is, according to MSTIC, a process of lowering the victim’s guard. Additional information and a well-known case are cited in the coverage of TA456 below. Again, throughout many of the reported social engineering examples, Iranian operators regularly interact with their victims. For strategic, long-term targets, groups like Curium and APT34 have proven to attempt to establish trust and multiple attack vectors to ensure access to their victim.

Figure 2: Typical social-engineering example of an email-led interview request (Source: social media)

A day after the MSTIC disclosure, the advocacy group United Against Nuclear Iran (UANI) claimed cyber operators associated with the Iran-nexus group targeted its organization. It specifically claimed that “its leadership and members of its Advisory Board” were targeted by the group by procuring “data outside of the public realm, [and] impersonated our leadership in communications with former senior officials of the US government, and attempted to harvest Gmail credentials”. The impersonation of stakeholders is, as noted throughout many of the cases associated with the APT, a predominant characteristic of the APT group.

TA453

The threat actor tracked by Proofpoint, which it classifies as TA453, was highly active throughout 2020 and 2021. Proofpoint released 2 reports on the group’s attempts to social engineer research professionals in the US, UK, and Israel during the reporting time frame. Between December 2020 and March 2021, the group was detected launching spearphishing attacks against senior US and Israeli researchers associated with the medical sciences sector in a campaign dubbed BadBlood. More specifically, the victims of the campaign worked in genetic, neurological, and oncological research. No live engagements with victims were reported; however, Proofpoint evidence suggests the operators spoofed the persona of an Israeli physicist and used that as a front to target at least 25 other senior researchers in the US and Israel.

The lure used — a report on Israel’s nuclear capabilities — was benign and unrelated to the medical sciences sector. Proofpoint claimed the operators used known spearphishing techniques, such as sending emails with the purported assessment on Israel’s nuclear capabilities attached to them, to steal the victim’s email credentials. It is unknown what follow-on activity transpired after successful credential theft, or whether the end goal was to penetrate the medical sector or to use their access to victim accounts to target other members of their networks beyond medical research.


TA453 was detected again targeting senior researchers throughout 2021 in an operation dubbed SpoofedScholars. As part of this campaign, the threat actors masqueraded as scholars from the University of London’s School of Oriental and African Studies (SOAS). The fake personas targeted experts in foreign policy, journalism, and academia that focused on Middle East politics. The effort was reported as an attempt to garner strategic insight on the possible effects of future relations vis-à-vis Tehran. This effort by TA453 operatives revealed that it was driven to establish extensive relations with targets, communicate with them, and then drive them to a conference registration link hosted on a compromised website. The compromised website belonged to SOAS Radio, which likely contributed to the link appearing legitimate.

Figure 4: A fake invite sent to a victim of Operation SpoofedScholars (Source: Proofpoint)

TA456

In late July 2021, Proofpoint disclosed a campaign on TA456 called “I Knew You Were Trouble”. The campaign reported by Proofpoint also overlapped with Facebook’s own action, reported in mid-July 2021, against this threat actor group. The social engineering component is reported to have involved the creation of a fictitious social media persona, “Marcella (Marcy) Flores”. The targets were US defense contractors operating in the Middle East and subcontractors associated with larger defense companies. Facebook’s report highlighted the nature of the likely connected broader campaign, which involved different accounts posing as “recruiters and employees of defense and aerospace companies from the countries their targets were in … Other personas claimed to work in hospitality, medicine, journalism, NGOs and airlines”.

The persona is categorized as a traditional “honey trap” operation, where charisma and an attractive image are used to entice unsuspecting targets. It is reported that honey traps are a TTP historically used by Iranian threat actor groups to target enterprises.

The fake profile identified by Proofpoint is likely to have been active for at least 2 years, established in late May 2018. At least 1 victim of the “Marcy” honey trap had been in direct communication with the fake profile since November 2020; however, they officially became Facebook “friends” in 2019, which reveals the methodical and long-term strategic approach TA456 operators adopted to engage with high-value targets.

Figure 5: The fake profile used to target US defense contractors (Source: Proofpoint)

Marcy eventually also used a fake Gmail account associated with the front to deliver malware, known as LEMPO (LIDERC). According to the research, private and corporate accounts were affected by TA456’s operation.


Figure 6: Example of email used to deliver malware to the victim (Source: Proofpoint)

Charming Kitten

Charming Kitten is one of the most widely reported Iranian threat activity groups, with a strong focus on social engineering to target its victims. Above we covered its overlapping campaign tracked as TA453, while below we highlight the activities tied to the group by other vendors.

Throughout 2021, social engineering attacks emanating from Charming Kitten operations employed much of their known tradecraft. This included the use of phishing to enable credential theft operations and invitations to conduct interviews, as noted earlier (for example, IMO chat). A recurrent aspect of their credential theft activity was the use of SMS for smishing attacks, using traditional Google security or Google recovery messages. This activity likely took place in parallel with the establishment of attacker-controlled infrastructure.

In 2020, ClearSky Security released its third edition of “The Kittens Are Back in Town”, a report detailing persistent attempts by Charming Kitten operators to engage directly with victims. The objective of the engagement was to drive victims to encrypted chat platforms, such as WhatsApp, and onward to join fake video conferences where, presumably, the victims would fall further down the chain of compromise. All of the detected cases began with spearphishing emails; the attackers developed fake personas that spoofed real journalists and fake email accounts to enable the ruse. The group has spoofed major news entities, including the New York Times, the Wall Street Journal, CNN, and Deutsche Welle.

Figure 7: Example of smishing attack (Left) and Google Security message (Right) by Charming Kitten (Source: Certfa Lab)


Figure 8: The attackers brazenly attempt a call as part of their first interaction with the victim (Source: ClearSky)

Figures 9 and 10 depict a conversation between the attackers and a victim, revealing persistent attempts to engage, even when victims did not respond to the attackers’ lure.

Beyond persistence and a sense of authority (“I am Yalda … from Deutsche Welle”), the attackers employed other techniques to strengthen their relationship with victims. This included flattery (“we invited you as a special speaker”), and a form of reciprocity (the sign-up walkthrough) which potentially made the target feel indebted to the attacker for the “assistance” offered. As noted in the Mitigation section, multiple social engineering techniques depend on human psychology to aid the attacker through their plot.

APT35

In February 2019, the US Department of Justice (DoJ) unsealed an indictment against a former US Air Force Intelligence Officer, Monica Elfriede Witt, and APT35. Witt, after defecting to Iran, cooperated with its intelligence and cyber operatives to supply classified and compromising information against US intelligence agents. Four years before the indictment, members of APT35 established a fake Facebook profile under the name “Bella Wood” to enable the operation. The operators used the Facebook account to send a friend request to a US intelligence officer deployed to Afghanistan for a US Central Command (CENTCOM) joint intelligence unit. APT35 operators also used an email, bella.wood87@yahoo[.]com, to contact the same intelligence officer. The following is an account of their engagements:


Figure 9: The correspondence shows the attacker’s persistence toward the victim (Source: ClearSky)

“Hello my dear ... invitation card sent to you by email I got this pretty card accept me as a kind friend.”

“I’ll send you a file including my photos but u should deactivate your anti virus to open it because i designed my photos with a photo album software, I hope you enjoy the photos i designed for the new year, they should be opened in your computer honey.”

APT35 continued to execute social engineering attacks as part of the same operation against US intelligence officers. Presumably due to the information they had collected as part of their cooperation with Witt, they created a fake Facebook profile that impersonated another US intelligence officer. According to the indictment, the attackers also used information and pictures from the officer’s real account to enable their operation. The Iran-nexus group continued their activities, using the fake profile to engage with another 2 US intelligence officers, including attempts to disseminate malware via Facebook and penetrating a closed Facebook group of other US intelligence officers. APT35 operatives also led a watering-hole attack against US officers using a fake news website and devised spoofed domains used to launch credential theft spearphishing attacks.

APT34/COBALT GYPSY

Hard Pass and Rebecca Watts

The Hard Pass campaign was reported by FireEye in July 2019 and captured Iran-nexus operatives highly likely associated with APT34 that impersonated a member of Cambridge University called “Rebecca Watts”. The operators behind Watts developed and used a LinkedIn profile to engage professionals in the utilities, government, and oil and gas sectors.

The operators used the profile first to seek candidate resumes and then used the established trust to send back an Excel spreadsheet with an embedded exploit. Notably, the language used by the operators also claimed that Watts was rushed when sending the request to access the spreadsheet, which could excuse the allegedly native English speaker from making grammatical errors. Under normal circumstances, such grammatical errors as shown in Figure 11 may raise suspicion from a native English speaker. The group used the image of Cambridge University with a top-level domain that mimicked the institution’s domain-naming convention. With little to no knowledge of the institution’s real domain structure, an unsuspecting victim would not have easily identified the ruse.


Figure 10: The “Hard Pass” campaign revolved around the use of a fake recruiter profile (Source: FireEye)

The use of LinkedIn mimics APT34’s use of social media to deliver malicious documents to unsuspecting victims and is likely part of the group’s attempts to evade security technologies that block malicious email traffic.

Mia Ash

In July 2017, Secureworks reported one of the first known public cases of a long-term social engineering operation associated with APT34/Cobalt Gypsy. The case focused on the use of a traditional honey trap sock puppet to deceive an employee of a targeted company. Mia Ash reportedly contacted the target via LinkedIn, claiming she was “part of an exercise to reach out to people around the world”. The operators behind Ash used the receptiveness of the victim to establish a virtual relationship, exchanging professional and personal information, a technique also used at great length in the Marcy Flores campaign outlined previously. The relationship spread to social media through a “friendship” on Facebook but also continued via email and via WhatsApp. Two months after the initial exchange, a PupyRAT-laden Excel document was sent to the personal email of the victim.

Figure 11: A captured screenshot of the fake LinkedIn profile of Mia Ash (Source: Secureworks)

According to Secureworks, “Victim A”, a target of the Mia Ash campaign with approximately 10 years of experience in the oil and gas, aviation, and telecommunications sectors, possibly shared his personal information to register domains for the attackers. Secureworks provided the following hypotheses to explain the act:

• Victim A registered a domain for Mia Ash, and the threat actor reciprocated by registering a domain for Victim A to keep Victim A as an active, unknown participant in the threat actor’s operations.
• The threat actor compromised Victim A’s accounts.
• Victim A registered both domains as a romantic or friendly gesture.
• Domains were registered using fraudulent information.
• Victim A works for the threat actor.

Figure 12: A timeline for the Mia Ash operation (Source: Secureworks)


Social Engineering and Dissidents

Targeting Dissidents and the Diaspora

The Islamic Republic of Iran uses social engineering to target entities and individuals it perceives to be threats or enemies of the state. In some instances, these operations have proven to be successful, brazen, and apparently meticulously planned. Some reported cases involve targeting dissidents living in the United States, with plans of extracting them to Iran to face prosecution by the Islamic Republic, as noted most recently in a July 2021 unsealed indictment by the US Department of Justice. The case details revealed that Iranian intelligence services established a ruse that concealed their motives and hired a private intelligence group in North America to conduct surveillance against a journalist, human rights activist, and author living in Brooklyn, New York. The case revealed that MOIS agents, or individuals associated with the organization, claimed to represent a private party in Dubai and that the targets of the intelligence operations had stolen or owed money to the client in the UAE. As part of the plot, MOIS agents provided contact information, including a telephone number with a UAE country code, to convince the private investigator that the request was coming from the UAE. The following is an excerpt from the indictment, which cites the statement from the attackers:

“I am contacting you on behalf of a client looking [for] a missing person from Dubai, UAE who has fled to avoid debt repayment. We require your services to conduct a surveillance on potential address of missing person… Will need high quality pictures/video of persons living in the address and cars they drive.”

Other major cases involve using the profile of journalists to target diaspora Iranians involved in various sectors, or to target dissident activists, such as Ruhollah Zam. Zam, the former leader of the dissident news group AmadNews, was tricked into leaving France, where he had asylum, in October 2019 to travel to Iraq. Reportedly, the IRGC’s Intelligence Organization (IRGC-IO) took responsibility for the operation. Open source reporting suggests he was duped into believing he was to interview Iraq’s most senior Shia leader, Ayatollah Ali Sistani. Supposedly, the interview was a prelude to the establishment of a new television channel sponsored by an “individual claiming to be an Iranian businessman”. Upon his arrival, he was captured by pro-regime elements that transferred him to Iranian custody. Zam was executed by the Islamic Republic in December 2020.

The lesser-known case of Asal Kaviani (عسل کاویانی), reported by a Persian-language anti-government source, also reveals the Iranian system’s ability to set up ruses against its targets. According to the dissident report, Kaviani contacted the anti-government source, revealing she was the sister of an IRGC cyber engineer. In exchange for a government-issued laptop presumably full of information regarding the IRGC’s cyber programs, Kaviani wanted the source to help her brother escape from the organization.

Figure 13: Iranian dissident report highlights social engineering attack by Iranian government. For a full translation, see Appendix (Source: Iranian dissident reporting)

The dissident organization claimed that while highly suspicious of Kaviani, they entertained the approach for 3 months to gather more information. Kaviani proposed a physical exchange with the dissident organization to provide the laptop as proof; the encounter was supposed to take place at a well-known metro stop in Tehran. The dissident organization claimed that the exchange was aborted due to an increased chance that the meeting was in fact a counterintelligence sting operation. No additional information was supplied to verify the attempt, except for screenshots of emails allegedly written by Kaviani (Figure 14). If in fact a targeted operation, the incident reveals the group was acutely aware of the dissident source’s efforts to report on the activities of the IRGC, its personnel, and its cyber wing, the IRGC-Electronic Warfare and Cyber Defense Organization (IRGC-EWCD).


Social Engineering and Influence Operations

Social engineering operations, albeit not traditional ones, have also started to become increasingly intertwined with influence operations in what Iranian strategists would term the offensive Soft War. The identified incidents suggest Iranian threat actors operating for entities linked to APTs are adopting fake personas and attempting to use them to influence behaviors. In at least one related case, the dissemination of malware also potentially occurred when a sock puppet account was linked to Android and Windows-based malware.

Proud Boys

On November 18, 2021, the US Department of Justice, in coordination with the US Department of the Treasury, unsealed an indictment and designated for sanctions Iranian companies and nationals associated with cyber intrusions and US election interference, respectively. The Department of Justice specifically indicted Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, both members of the Iranian entity Eeleyanet Gostar, now known as Emennet Pasargad, for a “targeted, coordinated campaign to erode confidence in the integrity of the US electoral system and to sow discord among Americans”. The operation was devised by those indicted and impersonated the far-right American extremist group the Proud Boys.

Figure 14: Proud Boys email sent to Democratic voters (Source: Pensacola News)

Anti-Dissident Operations

In December 2020, Treadstone71 issued a report on a large-scale coordinated social media operation run by the IRGC, the Basij, and MOIS to penetrate and influence Farsi-language audiences that converged around a real-life conference. The operation targeted entities affiliated with the NCRI and MEK and involved members of these agencies masquerading as regime opponents. Their objective was to blend in as members of opposition movements or general diaspora Iranians and to manipulate and misinform online discussions. From there, they used their position apparently to support general, high-level anti-government statements but in actuality to target anti-government movements and personalities such as the MEK and NCRI. This aspect of their tradecraft was likely devised to prevent increased skepticism and suspicion of the target audiences toward the cyber operator’s sock puppet.

Figure 15: IRGC fake accounts masqueraded as political opposition (Source: Treadstone71)

Endless Mayfly

Another efficacious example of Iran’s social engineering capabilities relating to information operations is the Endless Mayfly campaign. The campaign was disclosed by CitizenLab in May 2019 and represents one of the more aggressive publicly known campaigns run by Iranian operatives. In this campaign, the use of fake personas, fake news sites, and potentially malware converged for disinformation and intrusion activities. Among the many fake profiles, one identified was that of “Mona A. Rahman”, a self-proclaimed political analyst and writer. The profile held anti-Saudi government views and covered the murder of Jamal Khashoggi. The profile engaged with real-life activists to incite physical protests. In the latter stages of the Endless Mayfly campaign, the Mona Rahman profile also directly engaged with activists and critics.


The majority of the Endless Mayfly campaign focused on influence activity and disinformation efforts, but a smaller component also revealed how a domain was linked to malware samples. The website associated with the domain, according to CitizenLab, “hosted inauthentic profiles and tweets for prominent figures… [including] spoofed tweets by Turkish Prime Minister Recep Tayyip Erdoğan and Saudi Crown Prince Mohammed Bin Salman”. At the time of writing, CitizenLab researchers could not confirm whether the identified malware was used to target victims via the Endless Mayfly network.

Mitigations Against Social Engineering

Strategic

• Establish robust policies and carry out social engineering and anti-phishing awareness exercises to help detect and prevent attacks.
• Create testing environments to ensure the workforce is certified to counter social engineering attacks.
• Provide social media best practices awareness training to help mitigate the possibility that employees inadvertently release confidential information.
• Ensure that effective two-factor authentication (2FA) mechanisms are in place to help stop social engineering attacks.

Operational/Tactical

• Iranian operators have repeatedly used fake charismatic profiles or those that impersonate recruitment offers to engage with victims. Treat all unrecognized social or professional correspondence as suspicious.
• Attackers aim to drive victims to platforms where they are empowered, via a malicious program or otherwise. Avoid unsolicited requests to establish communication through additional methods, especially unapproved chat or messaging applications.
• “Cold-calling”, either via email or social media, is a prime method Iranian social engineering operators use to engage with victims. Be on the lookout for signs of inauthentic or reused material, as the social engineer will attempt to emulate these common practices.
• Some reported cases of social engineering and phishing aim to create a sense of fear or emergency (for example, “Google Security Team” messages). If you receive any message that appears urgent, pause and evaluate the situation before reacting.
• The use of SMS phishing has been associated with Iranian social engineering attacks.
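The Hard Pass case turned on a domain that merely mimicked Cambridge University’s naming convention, and the Operational/Tactical bullets ask readers to watch for inauthentic material in unsolicited correspondence. The script below is an added example written for this page, not code from the report or from Recorded Future, that mechanises that check for an inbound sender address: it extracts the registrable domain, compares it with an allowlist of organisations the reader really corresponds with, and flags the three imitation patterns the report’s cases rely on (a trusted name embedded as a subdomain of an unrelated registration, the organisation name re-registered under another suffix or with its dots turned into hyphens, and homoglyph or near-miss spellings of the organisation label). The allowlist, the short public-suffix table, the homoglyph table and the sample addresses (reserved .example names) are all constructed for illustration and are not indicators from any campaign described here.

```python
"""Flag e-mail sender domains that imitate a trusted organisation's domain.

Added example, not code from the Recorded Future report. The allowlist,
the public-suffix table, the homoglyph table and the sample addresses
are constructed for illustration only (reserved .example names); they
are not indicators from any campaign described in the report.
"""
import re
from typing import Optional

# Constructed allowlist of registrable domains the organisation really
# corresponds with. Sibling domains of one organisation (its .co.uk next to
# its .com, say) must be listed too, or they are reported as lookalikes.
TRUSTED_DOMAINS = {"cam.ac.uk", "contoso.com", "example-university.edu"}

# Two-label public suffixes, under which the registrable domain has three
# labels. A deployment would load the full Public Suffix List; this short
# table is an assumption for the example.
TWO_LABEL_SUFFIXES = {"ac.uk", "co.uk", "gov.uk", "com.au", "edu.au", "co.jp"}

# Substitutions seen in lookalike registrations, folded before comparison.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registered_domain(host: str) -> str:
    """'mail.cam.ac.uk' -> 'cam.ac.uk'; 'www.contoso.com' -> 'contoso.com'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def org_label(domain: str) -> str:
    """The organisation's own name: first label of the registrable domain."""
    return registered_domain(domain).split(".")[0]


def fold(text: str) -> str:
    """Lowercase and collapse homoglyphs so 'c0ntoso' compares equal to 'contoso'."""
    text = text.lower()
    for glyph, plain in HOMOGLYPHS:
        text = text.replace(glyph, plain)
    return text


def squash(domain: str) -> str:
    """Drop dots and hyphens: 'cam-ac-uk.example' and 'cam.ac.uk' share 'camacuk'."""
    return re.sub(r"[^a-z0-9]", "", fold(domain))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used for near-miss spellings of longer organisation names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _result(domain: str, verdict: str, matches: Optional[str], reason: str) -> dict:
    return {"domain": domain, "verdict": verdict, "matches": matches, "reason": reason}


def classify_sender(address: str) -> dict:
    """Return trusted / lookalike / unknown for the domain of an e-mail address."""
    host = address.rsplit("@", 1)[-1].lower().strip(".")
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return _result(reg, "trusted", reg, "registrable domain is on the allowlist")
    for trusted in sorted(TRUSTED_DOMAINS):
        # 1. Trusted name reused as a subdomain of an unrelated registration,
        #    e.g. cam.ac.uk.recruit-portal.example
        if f".{trusted}." in f".{host}.":
            return _result(reg, "lookalike", trusted,
                           f"trusted domain {trusted} embedded as a subdomain of {reg}")
        # 2. Same name with separators rearranged or a different suffix,
        #    e.g. cam-ac-uk.example or camacuk.example
        if squash(reg).startswith(squash(trusted)):
            return _result(reg, "lookalike", trusted,
                           f"{reg} squashes to the same characters as {trusted}")
        # 3. Organisation label identical after homoglyph folding, or one edit
        #    away for names long enough that a single edit is unlikely by chance
        t_label, r_label = fold(org_label(trusted)), fold(org_label(reg))
        if t_label == r_label or (len(t_label) >= 6 and levenshtein(t_label, r_label) <= 1):
            return _result(reg, "lookalike", trusted,
                           f"organisation label '{r_label}' resembles {trusted}")
    return _result(reg, "unknown", None, "no resemblance to an allowlisted domain")


# Constructed sample addresses (reserved .example names), not real indicators.
SAMPLE_SENDERS = [
    "r.watts@mail.cam.ac.uk",
    "careers@cam-ac-uk.example",
    "hr@cam.ac.uk.recruit-portal.example",
    "jobs@c0ntoso.example",
    "alice@mail.example",
]


def triage(addresses):
    """Classify each address; a SOC would route 'lookalike' verdicts for review."""
    return [classify_sender(a) for a in addresses]


if __name__ == "__main__":
    for r in triage(SAMPLE_SENDERS):
        print(f"{r['verdict']:9} {r['domain']:35} {r['reason']}")
```

The check deliberately returns “lookalike” rather than blocking: a sibling domain that a partner really owns will trip rule 3, so the verdict is a prompt for the recipient or SOC to verify the sender out of band, which is exactly the pause the report’s mitigations call for. Rule 2 is the one that would have caught the Hard Pass style of lure, where the name is right but the suffix is not.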


Outlook

Since the first reports emerged in 2014, Iranian social engineering campaigns have persisted and continued to innovate. While many of the early operations, such as Newscaster, were littered with rudimentary grammatical mistakes and weak operational security, these defects have disappeared. Those perpetrating the social engineering attacks are now executing operations impersonating high-ranking think tank directors, journalists, business officials, scientists, anti-government threat actors, and even government officials. This characteristic of their operations has not diverged extensively and is expected to continue, as they mimic their targets or attempt to establish relationships with them based on professional interests.

With time, the operators are likely to continue to improve their approach and ability to target their victims. It is highly likely that these approaches will focus on tried and tested methods, such as using a journalistic persona, soliciting interviews and analytic opinions, and sharing reports with targets to enable credential theft operations. Social engineering will also likely continue to evolve into long-term operations, as depicted by the TA456 “I Knew You Were Trouble” campaign. With the growing role of social media among younger generations, fake and imposter accounts may take on a more significant role and may even employ deep fake technologies.

Although the adoption of new technologies such as deep fakes is likely, threat actor operations may also be limited in scope by these technologies. For example, it is unclear whether APT groups will adopt “deep fakes” to facilitate intrusions or only for influence operations, similar to the Proud Boys election interference activity.

Iranian operators are also expected to become more competent in using foreign languages in social engineering attacks. As depicted in the large-scale Proud Boys operation, threat activity groups are ready to engage with large audiences, even during periods of increased scrutiny. Their capabilities have also spread well beyond the English language, as depicted in various influence and cyberattack operations around the world that incorporated Arabic, Spanish, French, Hebrew, and Turkish, among others. This suggests that a supply of foreign-language capable or trained operatives is tasked with social engineering operations.

Open source reporting indicates that APT35 is more likely to attempt to drive victims to engage with them in one-on-one dialogues in the future. While Insikt Group cannot verify such assessments, industry reporting has supplied ample evidence of the group’s desire to engage with victims. Additionally, the use of malicious software is also highly likely to continue to enable this activity in the future, as the group and others like it attempt to hook their targets.


Appendix

Source: Certfa Lab


Kaviani Email:

Hello,

I’m Asal, thank you for your good reporting. Unfortunately, my brother is a computer engineer working with the
sepah [IRGC], and I’m really upset about it because I hate them. I asked him many times to stop working with
them, but he says the pay is good. But in any way possible I would like his cooperation [with the IRGC] to stop.

Last time he was browsing your site he became very upset to see your site content.

I want to do whatever I can, but I care for my brother and I do not want his name ...

But the least I can do for you is to be able to talk about where he is and what he does, who he works with and
...

If I can help in any way just say it.

Thanks

asalkaviani1989@gmail[.]com


About Insikt Group®

Insikt Group is Recorded Future’s threat research division, comprising analysts and
security researchers with deep government, law enforcement, military, and intelligence
agency experience. Their mission is to produce intelligence on a range of cyber and
geopolitical threats that reduces risk for clients, enables tangible outcomes, and prevents
business disruption. Coverage areas include research on state-sponsored threat groups;
financially-motivated threat actors on the darknet and criminal underground; newly
emerging malware and attacker infrastructure; strategic geopolitics; and influence
operations.

About Recorded Future®

Recorded Future is the world’s largest intelligence company. The Recorded Future Intelligence Platform provides the most complete coverage across adversaries, infrastructure, and targets. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future provides real-time visibility into the vast digital landscape and empowers clients to take proactive action to disrupt adversaries and keep their people, systems, and infrastructure safe. Headquartered in Boston with offices and employees around the world, Recorded Future works with more than 1,300 businesses and government organizations across 60 countries.

Learn more at recordedfuture.com and follow us on Twitter at @RecordedFuture.
