Iranian threat groups intensify spear-phishing email operations in Middle East and Europe following Soleimani killing

Iran has not launched any cyber attack in retaliation for the killing of Soleimani - yet

Iranian hackers are running spear-phishing email campaigns targeting government organisations in Turkey, Iraq and Jordan, and their activity has increased since the killing of General Soleimani.

Soleimani, the leader of Iran's Quds Force, was killed on 2nd January in Baghdad following US airstrikes.

While Soleimani's death resulted in increased tensions between the US and Iran, no major cyber attack has yet been launched from Iran in retaliation. Researchers believe that Iranian threat groups are currently focusing on their long-running cyber espionage activities in efforts to gather valuable intelligence from some specific countries.

According to SecureWorks' Counter Threat Unit, the recent spear-phishing email campaigns appear to be the work of Cobalt Ulster, an Iranian advanced persistent threat (APT) group known for targeting European, Middle Eastern, and North American nations in the past.

The group, which is also known as MuddyWater, Seedworm, Static Kitten, and TEMP.Zagros, is sending potential targets spear-phishing emails containing .zip archives with a malicious Microsoft Excel file.

When opened, the malicious file delivers a remote-access Trojan, dubbed ForeLord, to the target system, thereby opening the door to the hackers for further malicious activity.

Following intrusion, the group deploys additional malware, such as a variant of the Mimikatz malware, in efforts to steal credentials and other information from target machines.

In another infection chain, threat actors were observed carrying out multiple rounds of spear-phishing with malicious attachments to gain initial access. Some messages also contained a link to a compromised website, and passed the target organisation's name as a parameter in the URL.

The researchers first uncovered the spear-phishing emails as part of a campaign running between mid-2019 and mid-January 2020, targeting governmental entities in Turkey, Iraq and Jordan, as well as some global organisations in Azerbaijan and Georgia.

Many of the cyber attacks that Cobalt Ulster launched in past years started with the collection of credentials via phishing, social engineering, brute-force attacks, password spraying, and exploitation of publicly available systems, the researchers warned.

"From a threat management and risk assessment perspective, CTU researchers advise organizations not to conflate ongoing espionage operations with a retaliatory response," they stated.

"However, continually leveraging threat intelligence to assess and improve controls will help network defenders secure their environments against malicious activity regardless of intent."