August 2012 — Iran was suspected of being behind attacks on Saudi Aramco and Qatar-based RasGas. The New York Times covered the story when a US Department of Homeland Security warning appeared the following year.
May 2014 — FireEye releases their report Operation Saffron Rose, in which they describe the Ajax Security Team as a hacker group that formed in 2010, doing DDoS and web site defacements. FireEye says they have transitioned into malware-based espionage against the U.S. Military-Industrial Complex and Iranian dissidents. However, Krypt3ia disparages the report as mostly hype "on a slow news day at FireEye".
May 2014 — iSIGHT reported on the Newscaster threat from Iran, underway at least since 2011. It targets US and Israeli military, government, and defense contractors by posing as journalists on Facebook, Twitter, YouTube, and LinkedIn. They have built a bogus journalism website, newsonair.org, on which they simply copy and paste content from actual news sites. They then use social media to make contact and send spear-phishing attacks to their targets. A New York Times story also covered this.
March 2016 — the U.S. Department of Justice indicted seven hackers operating on behalf of the Iranian government for running DDoS attacks against 46 organizations, most of them U.S. financial institutions, from late 2011 through mid-2013. At its peak in September 2012, the attack reached 140 Gbps directed at the banks' networks. Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan (a.k.a. Nitr0jen26), Omid Ghaffarinia (a.k.a. PLuS), Sina Keissar, and Nader Saedi (a.k.a. Turk Server) were employed by ITSecTeam (a.k.a. ITSEC) and Mersad Company, both of which were working for the Iranian government and the Islamic Revolutionary Guard. See the stories in the New York Times and Dark Reading.
The DDoS targets included JPMorgan Chase, Bank of America, the New York Stock Exchange, Capital One, ING Bank, BB&T, Fidelity, US Bank, PNC Bank, and AT&T.
Firoozi is accused of accessing a Windows XP system serving as a SCADA controller for the Bowman Dam in Rye, New York, between August 23 and September 18 of 2013. It was read-only access to water levels, temperature, and the status of a sluice gate, as the dam was under repair and offline. But seriously: in 2013 there was a Windows XP system serving as a dam's SCADA system while it was exposed to the Internet. Who thought that was a reasonable plan?
Earlier the same week, the D.O.J. charged three Syrian Electronic Army hackers for targeting U.S. government and media websites and social media accounts.
December 2016, January 2017 — Al Arabiya published reports on Iran's Cyber Army, including the Khaybar center for information technology.
Caveat lector, or reader beware — the source is Saudi-based and funded, so the reports are seen through the lens of the House of Saud.
Report: Iran's Cyber Threat: Espionage, Sabotage, and Revenge (Carnegie Endowment for International Peace)
2017-2018 — The people who research, describe, and give names to other countries' malware have settled on "Kitten" as the metaphorical animal for Iran, versus "Bear" for Russia.
APT33 is reported to be active since 2013, operating at the behest of the Iranian government and targeting multiple aerospace and oil companies in the U.S., Saudi Arabia, and South Korea.
APT34, also called OilRig and Helix Kitten, appeared in late 2017, targeting another government in the Middle East. They are now thought to have been active at least since 2014, with a range of government, financial, and industry targets.
APT35, also called Charming Kitten, Newscaster, and NewsBeef, created fake journalist identities on social media. In February 2017 they were observed running a fake aerospace company website, presumably targeting the U.S. defense industry.
Also see U.S. versus Iran. Also see Saudi Arabia.