Frequently Asked Questions About Iranian Cyber Operations
Tenable’s Research Special Operations team focuses on some frequently asked questions about Iranian cyber operations, including the tactics, techniques and procedures employed by Iran-based threat actors.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding Iranian cyber operations in the wake of the recent conflict and warnings from U.S. government agencies, including the Department of Homeland Security (DHS), about potential retaliatory attacks from cyber actors affiliated with the Iranian government as well as hacktivists.
This FAQ provides a focused analysis of Iranian state-sponsored cyber threats, detailing the types of threats used by Advanced Persistent Threat (APT) groups, tactics, techniques and procedures (TTPs) mapped to the MITRE ATT&CK framework and the specific vulnerabilities they consistently exploit. We also provide guidance about Tenable product coverage you can use to reduce your cyber exposure to these threats.
FAQ
Has there been an increase in threat activity related to Iran-based threat actors?
While there have been ample warnings from U.S. government agencies about retaliatory attacks, we’re also seeing a slight increase in reported activity by threat actors. Reports have cited that threat actors have begun targeting U.S. finance, defense, and energy sectors. While this activity has been limited to distributed-denial-of-service (DDoS) attacks, there have also been recent reports of an increase in targeted phishing attacks.
Which threat actors are believed to be Iran-based or linked to the Iranian government?
In recent years, several Iran-based groups have been identified by security vendors and U.S. government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA). In some alerts, threat activity has been linked to the Iranian Islamic Revolutionary Guard Corps (IRGC), while other APT groups and hacktivist groups have been identified as having ties to Iran. The table below outlines the groups and known activities linked to them. While this is not an exhaustive list of all known APTs and threat actors known to have previously been attributed to Iran, these groups have been recent subjects of CISA and other U.S. government alerts and have been featured in reports from multiple security vendors.
| Threat actor | Activity |
|---|---|
| HomeLand Justice | Carried out destructive attacks against the Government of Albania in 2022, utilizing ransomware and disk wiping malware. |
Pioneer Kitten Fox Kitten UNC757 Parisite RUBIDIUM Lemon Sandstorm Br0k3r xplfinder | Collaborates with ransomware groups in order to monetize access to victim networks. Known to exploit common and well-known vulnerabilities in internet-facing devices and critical infrastructure. |
| CyberAv3ngers | Attacked and defaced OT devices, including Unitronics PLC devices commonly used in water and wastewater systems. |
APT35 CALANQUE Charming Kitten CharmingCypress ITG18 Mint Sandstorm (formerly Phosphorus) Newscaster TA453 Yellow Garuda Educated Manticore APT42* Agent Serpens UNC788 | Social engineering campaigns targeting journalists and internet-facing applications *APT42 is a subcluster of APT35 and also poses as journalists in order to harvest credentials. Some aliases overlap between these groups. |
APT34 OilRig Helix Kitten Hazel Sandstorm Earth Simnavaz | Exploits internet-facing servers and uses supply chain attacks to target finance, energy, chemical, telecommunications and government sectors. |
MuddyWater Earth Vetala MERCURY Static Kitten Seedworm TEMP.Zagros | Uses remote monitoring and management tools to target telecom companies in the Middle East and North Africa, Europe and North America. |
Agrius Pink Sandstorm | Targets Israeli companies with wiper malware disguised as ransomware |
| Imperial Kitten | An APT group that has targeted Israeli transportation/logistics and technology sectors |
Banished Kitten Dune | Known as "Faketivist" for its attempts to masquerade as hacktivist groups due to their adoption of TTPs used by hacktivist groups |
What are the vulnerabilities that have been targeted by Iranian threat actors?
The following table contains a list of CVEs that have been known to be exploited by Iran-based threat actors. This list of CVEs covers a wide range of commonly exploited vulnerabilities that have also been abused by a wide variety of threat actors beyond just Iran-based APTs or state-sponsored actors.
| CVE | Description | CVSSv3 Score | VPR |
|---|---|---|---|
| CVE-2017-11774 | Microsoft Outlook Security Feature Bypass Vulnerability | 7.8 | 8.9 |
| CVE-2018-13379 | Fortinet FortiOS SSL VPN Web Portal Path Traversal Vulnerability [1] [2] [3] | 9.8 | 9.0 |
| CVE-2019-0604 | Microsoft SharePoint Remote Code Execution (RCE) Vulnerability [1] | 9.8 | 8.9 |
| CVE-2019-11510 | Pulse Connect Secure Arbitrary File Disclosure [1] [2] [3] [4] | 10.0 | 8.1 |
| CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway Directory Traversal [1] [2] [3] [4] [5] [6] [7] [8] [9] | 9.8 | 8.9 |
| CVE-2019-5591 | Fortinet FortiOS Default Configuration [1] [2] | 6.5 | 6.6 |
| CVE-2020-12812 | Fortinet FortiOS Improper Authentication [1] [2] | 9.8 | 8.9 |
| CVE-2020-1472 | Windows Netlogon Elevation of Privilege (EoP) Vulnerability (Zerologon) [1] [2] [3] [4] [5] | 10 | 10 |
| CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass Vulnerability (Part of ProxyShell) [1] [2] [3] | 6.6 | 6.6 |
| CVE-2021-34473 | Microsoft Exchange Server RCE (ProxyShell) [1] [2] [3] | 9.8 | 9.2 |
| CVE-2021-34523 | Microsoft Exchange Server EoP (Part of ProxyShell) [1] [2] [3] | 9.0 | 9.6 |
| CVE-2021-44228 | Apache Log4j RCE (Log4Shell) [1] [2] [3] [4] | 10 | 10 |
| CVE-2021-45046 | Apache Log4j2 Denial of Service (DoS) and RCE [1] [2] | 9.0 | 8.1 |
| CVE-2021-45105 | Apache Log4j2 DoS [1] [2] | 5.9 | 6.6 |
| CVE-2022-1388 | F5 Networks F5 BIG-IP Authentication Bypass Vulnerability [1] [2] [3] | 9.8 | 9.0 |
| CVE-2022-26134 | Atlassian Confluence Server and Data Center OGNL Injection [1] [2] | 9.8 | 9.6 |
| CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) RCE (Follina) [1] [2] [3] | 7.8 | 9.8 |
| CVE-2022-42475 | Fortinet ForiOS Heap-Based Buffer Overflow [1] [2] | 9.8 | 8.9 |
| CVE-2022-47966 | Zoho ManageEngine RCE [1] | 9.8 | 9.7 |
| CVE-2022-47986 | IBM Aspera Faspex RCE | 9.8 | 9.0 |
| CVE-2023-27350 | PaperCut NG Authentication Bypass | 9.8 | 9.0 |
| CVE-2023-3519 | Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and Netscaler Gateway) Unauthenticated RCE Vulnerability [1] [2] | 9.8 | 9.0 |
| CVE-2023-38831 | RARLAB WinRAR Arbitrary Code Execution | 7.8 | 9.7 |
| CVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability [1] [2] | 8.2 | 6.7 |
| CVE-2023-6448 | Unitronics VisiLogic Default Administrative Password | 9.8 | 7.4 |
| CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability [1] [2] [3] | 9.1 | 9.8 |
| CVE-2024-24919 | Check Point Security Gateway Information Disclosure Vulnerability [1] [2] | 8.6 | 7.1 |
| CVE-2024-30088 | Windows Kernel Elevation of Privilege Vulnerability [1] [2] | 7.0 | 9.6 |
| CVE-2024-3400 | Palo Alto PAN-OS Command Injection Vulnerability [1] [2] | 10.0 | 10.0 |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on June 27 and reflects VPR at that time.
Has Tenable released any product coverage for these vulnerabilities?
The CVEs covered in this blog have product coverage from Tenable. A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:
- CVE-2017-11774
- CVE-2018-13379
- CVE-2019-0604
- CVE-2019-11510
- CVE-2019-19781
- CVE-2019-5591
- CVE-2020-12812
- CVE-2020-1472
- CVE-2021-31207
- CVE-2021-34473
- CVE-2021-34523
- CVE-2021-44228
- CVE-2021-45046
- CVE-2021-45105
- CVE-2022-1388
- CVE-2022-26134
- CVE-2022-30190
- CVE-2022-42475
- CVE-2022-47966
- CVE-2022-47986
- CVE-2023-27350
- CVE-2023-3519
- CVE-2023-38831
- CVE-2023-46805
- CVE-2023-6448
- CVE-2024-21887
- CVE-2024-24919
- CVE-2024-30088
- CVE-2024-3400
These links will display all available plugins for the listed vulnerabilities, including upcoming plugins in our Plugins Pipeline. In addition to plugin coverage, the tables below highlight additional Tenable product coverage for the MITRE ATT&CK IDs that are known to be associated with Iran-based threat actors.
Tenable attack path techniques
| MITRE ATT&CK ID | Description | Tenable attack path techniques |
|---|---|---|
| T1003.001 | OS Credential Dumping: LSASS Memory | T1003.001_Windows |
| T1012 | Query Registry | T1012_Windows |
| T1021.001 | Remote Services: Remote Desktop Protocol | T1021.001_Windows |
| T1047 | Windows Management Instrumentation | T1047_Windows |
| T1053.005 | Scheduled Task/Job: Scheduled Task | T1053.005_Windows |
| T1059.001 | Command and Scripting Interpreter: PowerShell | T1059.001_Windows |
| T1068 | Exploitation for Privilege Escalation | T1068_Windows |
| T1069.002 | Permission Groups Discovery: Domain Groups | T1069.002_Windows |
| T1069.003 | Permission Groups Discovery: Cloud Groups | |
| T1078.001 | Valid Accounts: Default Accounts | T1078.001_ICS |
| T1078.002 | Valid Accounts: Domain Accounts | T1078.002_Windows |
| T1078.003 | Valid Accounts: Local Accounts | T1078.003_Windows |
| T1078.004 | Valid Accounts: Cloud Accounts | T1078.004_Azure |
| T1082 | System Information Discovery | T1082 |
| T1098 | Account Manipulation | |
| T1133 | External Remote Services | |
| T1190 | Exploit Public-Facing Application | T1190_Aws |
| T1219 | Remote Access Software | T1219_Windows |
| T1482 | Domain Trust Discovery | T1482_Windows |
| T1484.002 | Domain or Tenant Policy Modification: Trust Modification | T1484.002_Azure |
| T1499 | Endpoint Denial of Service | T1499.004 |
| T1555 | Credentials from Password Stores | |
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003_Windows |
Tenable Identity Exposure Indicators of Exposure and Indicators of Attack
| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T1003.001 | OS Credential Dumping: LSASS Memory | |
| T1068 | Exploitation for Privilege Escalation | I-SamNameImpersonation |
| T1078 | Valid Accounts | C-DANGEROUS-SENSITIVE-PRIVILEGES |
| T1078.001 | Valid Accounts: Default Accounts | |
| T1098 | Account Manipulation | C-SENSITIVE-CERTIFICATES-ON-USER CONDITIONAL-ACCESS-POLICY-DISABLES-CONTINUOUS-ACCESS-EVALUATION ENTRA-SECURITY-DEFAULTS-NOT-ENABLED LEGACY-AUTHENTICATION-NOT-BLOCKED MFA-NOT-REQUIRED-FOR-A-PRIVILEGED-ROLE MFA-NOT-REQUIRED-FOR-RISKY-SIGN-INS MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT MISSING-MFA-FOR-PRIVILEGED-ACCOUNT SHOW-ADDITIONAL-CONTEXT-IN-MICROSOFT-AUTHENTICATOR-NOTIFICATIONS |
| T1110 | Brute Force | |
| T1190 | Exploit Public-Facing Application | APPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATION |
| T1589 | Gather Victim Identity Information | |
| T1556 | Modify Authentication Process | |
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting |
Tenable Web App Scanning
| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T1190 | Exploit Public-Facing Application | T1190_WAS |
Tenable OT Security
| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T0812 | Exploit Public-Facing Application | T0812_ICS |
What else should I do to remain secure?
Cyber hygiene is even more critical in the face of heightened awareness than it is in normal times. Many of the attacks stemming from Iranian-sponsored threat actors mirror tactics used by other cyber actors, including exploiting software and devices that use weak authentication. Attacks have also targeted operational technology (OT) devices. To strengthen your cyber defenses, we recommend:
- Using strong passwords and enforcing a strong password policy
- Enabling multi-factor authentication (MFA)
- Changing default passwords, especially on OT hardware
- Patching vulnerabilities in assets exposed to the internet
- Identifying and prioritizing your most valuable assets for remediation
- Developing a remediation plan and continuing to test and improve it
Get more information
- Tenable Blog: Navigating a Heightened Cyber Threat Landscape: Military Conflict Increases Attack Risks
- Tenable Blog: AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
- Tenable Blog: AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks
- Department of Homeland Security National Terrorism Advisory System Bulletin - June 22, 2025
Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Research Special Operations
The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this hand-picked group of world-class security researchers is united with one mission: to cut through the noise and deliver critical intelligence about the most dangerous cyber threats emerging right now. Uniting the missions of the Tenable Security Response, Zero-Day Research, and Decision Science Operations teams, RSO disseminates timely, accurate, and actionable information about the latest threats and exposures.
Related articles
CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler Exploitation
Frequently asked questions about recent Citrix NetScaler ADC and Gateway vulnerabilities that have reportedly been exploited in the wild, including CVE-2025-5777 known as CitrixBleed 2....
Navigating a Heightened Cyber Threat Landscape: Military Conflict Increases Attack Risks
The current geopolitical climate demands a proactive, comprehensive approach to cybersecurity. Here’s what you need to know — and how Tenable can help....
From Insight to Action: How Tenable One KPIs Drive Exposure Management Success
Tenable One empowers security teams to go beyond surface-level risk tracking and drive measurable improvements across their security programs. With unified visibility and customizable dashboards, Tenable One makes it easy to monitor the KPIs that matter most, helping teams shift from reactive firefi...
- Exposure Management
- Vulnerability Management
- Exposure Management