Agriculture in the crosshairs of nation-state sponsored hackers (4/5)

Iran
The Islamic Republic of Iran has great ambitions for its future. The regime is aiming for regional hegemony while constantly being threatened by archenemies Saudi Arabia and Israel. However, the country is severely restrained by international sanctions imposed due to Iran’s nuclear program. Also, the country is struggling with widespread corruption and bad management. To uphold the theocratic regime and deal with the many external threats to the country, Iran needs internal stability. Instability and domestic unrest would limit the regime’s ability to focus on external threats¹. One way to maintain stability is to provide food security for the people. In Iran, this is a rather difficult task. Outdated farming techniques, encroaching deserts, poor quality of seeds used and trading sanctions are all a risk for food security². Limited by sanctions, Iran has a hard time acquiring the technology and knowledge to modernize the agricultural sector and in doing so providing food security to its population.

Iran has a long history of having to deal with international sanctions. Working in the shadows acquiring what they want abroad is certainly not new to them. Iran has developed a skilled cyber force, responsible for espionage, sabotage and information theft all over the world. There are several academic institutions (e.g. IHU, Mabna Institute, Shahid Beheshti University) in Iran that actively attract cyber talent and develop knowledge for offensive purposes. The Iranians have quite a peculiar system in place for their offensive cyber operations. Around 50 Iranian ‘APT-contractors’ are competing against each other to win offensive cyber contracts put out by the state. The best APTs are granted the contract and only get paid after completing the task. The Iranian regime issues offensive cyber operations to retaliate for international sanctions, but also to acquire technology and knowledge that could assist their modernization efforts³. This strategy fits perfectly in Iran’s history of conducting asymmetric warfare. The agricultural industry forms no exception. Iranian APTs have shown activity in various states targeting the agricultural sector. Additionally, Iran has increased security cooperation with China and Russia. It is deemed likely that the states will share knowledge on their offensive cyber operations⁴.

 

 

To outsmart the 13 Iranian APT-groups that are active in agriculture or related industries, Hunt & Hackett tracks and anticipates their TTPs and Tools. Currently, Hunt & Hackett is aware of 168 TTPs and 158 Tools being used by Iranian APTs.

	Key Stats Iran: Agriculture and Related Industries
APTs	13
APT Names	APT33; APT35; APT39; Boss Spider; Cutting Kitten; Fox Kitten; Infy; ITG18; Madi; MuddyWater; Nazar; Sima; Tortoiseshell
Level of Sophistication	Medium
Main Motives	Espionage; Information Theft
TTPs	168
Tools	158

Table 1 - Key statistics on APTs originating from Iran, and the TTPs and Tools they use in the agricultural and related industries as observed by Hunt & Hackett.

North Korea has the ambition to become a completely self-sufficient nation. The regime experiences the international community as extremely hostile, mostly thanks to the North Korean nuclear program and the sanction imposed because of it. Agriculture plays a large role in the self-sufficiency plans of the communist nation. However, North Korea has found it very difficult to provide enough food to feed its population. The country has been struck by famine several times in the past, killing millions of citizens. Bad seasonal conditions and even worse centralized management were to blame for the enormous food shortages. Now, due to new economic sanctions and the ongoing pandemic, fear is rising of another deadly famine.

The North Korean regime is going to have to use every resource available to increase yields and modernize their agricultural sector, in order to provide structural food security for the population. Not known to many is that the regime has very capable APTs at their disposal which it is not reluctant to deploy¹. North Korea is known to have used APTs to steal secrets and technology from all over the world. North Korean hacker groups SILENT CHOLLIMA and LABYRINTH CHOLLIMA, have been observed to target the agricultural industry, as became apparent in June 2020, when an American company active in the agricultural industry fell victim to the latter APT². It is assessed that North Korean’s world wide presence will increase because of the mounting pressure of another famine. A sign of their increasing sophistication is that North Korean hackers have already figured out how to overcome the ‘air-gap’, meaning that they have the ability to hack computers not connected to the internet³. Previously, this was a skill only more technological sophisticated nations mastered.

 

Figure 2: Under Kim Jong-Un, North Korea has developed a very capable cyber force.

To deal with the North Korean cyber-threat, it is important to understand how their APTs operate. This is the reason Hunt & Hackett has tracked the TTPs and Tools the have employed in the past. Hunt & Hackett has observed 4 North Korean APT-groups to be active in agriculture or related industries using 133 TTPs and 217 Tools.

	Key Stats North Korea: Agriculture and Related Industries
APTs	4
APT Names	APT37; APT38; Kimsuky; Wassonite
Level of Sophistication	High
Main Motives	Espionage; Information Theft
TTPs	133
Tools	217

Table 2 - Key statistics on APTs originating from North Korea, and the TTPs and Tools they use in the  agricultural and related industries as observed by Hunt & Hackett