The following document was obtained from the website of the Marshfield, Wisconsin Chamber of Commerce.

The FBI is providing the following information with HIGH confidence:

A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. The actors typically utilize common computer intrusion techniques such as the use of TOR, open source reconnaissance, exploitation via SQL injection and web shells, and open source tools for further network penetration and persistence. Internet-facing infrastructure, such as web servers, is the typical target for this group. Once the actors penetrate a victim network, they exfiltrate network design information and legitimate user credentials for the victim network. Often the actors are able to harvest administrative user credentials and use them to move laterally through the network.

According to public network registration information, IP addresses previously utilized by this group were assigned to “Tarh Andishan.” The group primarily utilized two Iran-based IP addresses to conduct its activity, 78.109.194.114 and 217.11.17.99. There has been no activity from these IP addresses since early 2014; the group now primarily utilizes a series of proxy or midpoint infrastructure in support of its computer network operations. The most recent midpoint infrastructure used by this group was located in the United Kingdom and the Netherlands.

Tools: The following tools have been known to be utilized by the cyber actors.

1021114.aspx

4g.exe

akisapi.php

ASPACK

Atkill.txt

Bitvise

c99shell.php

Cafae

Cain and Abel

CCProxy

CCproxy.zip

cmd.aspx

Cprivesc

debug.aspx

DefaultWS.asmx

Dirbuster

FileZilla

Find_tokens.exe

Find_tokens.txt

Gsecdump

Havij

hscan.zip

hscan1.2

img.asp

img.aspx

In2.txt

isapi.aspx

J.exe

Jasus.exe size: 118,272 MD5: 53841511791E4CAC6F0768A9EB5DEF8A Type: ARP POISON TOOL

Jasus.pdb

Kappfree

kappfree.dll

Kelloworld

kelloworld.dll

Klock

klock.dll

Lc.exe

lc15.exe

Libeay32.doc

Libeay32.txt

Loader.exe

LoggerModule.e

mim2.2.exe

Mimikatz

mimikatz.exe

mimikatz.swf

Mx.exe

NBrute Force

NC.exe

ncat.exe

Ncrack

Nc-themida.exe

Netcat

Netscp.exe

netscp_total.exe

Netview

Nmap

NTFS

OS_Detector.exe

ospcsvc.exe

osppsvc.exe

OSQL

ossisvc.exe

ossysvc.exe

Plink

plink.exe

priorities_readfile.aspx

Privesc.exe size: 51,200 MD5: DABF638EB53070CDC7B10BFA5E4E8142

ProcDump

proxy.php

PsExec

PsExec.exe

PsKill

PsList

Putty Link

putty.exe

pw.exe

PwDump

PwDump7.exe

PwDump7_p.exe

rdcmd.aspx

RunAs.exe

Samdump

sekurlsa.dll

Sl.exe

snmpwalk.exe

SQL Manager

STR.EXE

Themida

u.exe

U.exe size: 60,928 MD5: DDA3E5629A0E8FB63A3E19027AE45458

upload.aspx

Wcet

winBypass.php

WinDump

WinDump.exe

winpcap-nmap-4.12.exe

winusr.dll

wminotify.dll

wndTest.exe

wt.exe

xcmd-aspack.exe

xCmdSvc.exe

Xcmdt.exe

xcmd-themida.exe

xp_cmdshell

ZXPortMap.exe

IP Addresses: The following IP addresses have been observed to be utilized by the cyber actors.

64.120.208.154

78.109.194.114

159.253.144.209

217.11.17.99

95.211.191.225

95.211.241.249

95.211.241.251

108.175.153.158

88.150.214.162

88.150.214.166

88.150.214.168

88.150.214.170

184.82.158.18

…
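The indicators above (web-shell and upload-script file names, the three MD5 hashes, the IP list, and the use of xp_cmdshell via SQL injection) are most useful when run against web-server logs and file hashes. The script below is an added example, not FBI tooling and not part of the original flash: it embeds the indicators from the lists above, parses an IIS W3C-format log excerpt that is constructed here for illustration (the client IPs 203.0.113.9 and 198.51.100.7 are documentation ranges, not indicators), and flags records by actor IP, by request to a known web-shell name, or by xp_cmdshell in the URL-decoded query string. The hash helpers match a file's MD5 against the three hashes given above.

```python
"""Match web-server log records and file hashes against the indicators
listed above.  Added example, not FBI tooling; the log lines are constructed."""
import hashlib
from urllib.parse import unquote

# Web-shell / upload-script file names taken from the tool list above.
WEB_SHELL_NAMES = {n.lower() for n in (
    "1021114.aspx", "akisapi.php", "c99shell.php", "cmd.aspx", "debug.aspx",
    "DefaultWS.asmx", "img.asp", "img.aspx", "isapi.aspx",
    "priorities_readfile.aspx", "proxy.php", "rdcmd.aspx", "upload.aspx",
    "winBypass.php")}

# IP addresses from the indicator list above.
ACTOR_IPS = {
    "64.120.208.154", "78.109.194.114", "159.253.144.209", "217.11.17.99",
    "95.211.191.225", "95.211.241.249", "95.211.241.251", "108.175.153.158",
    "88.150.214.162", "88.150.214.166", "88.150.214.168", "88.150.214.170",
    "184.82.158.18"}

# MD5 hashes given with the tool list above, upper-case hex.
KNOWN_MD5 = {
    "53841511791E4CAC6F0768A9EB5DEF8A": "Jasus.exe (ARP poison tool)",
    "DABF638EB53070CDC7B10BFA5E4E8142": "Privesc.exe",
    "DDA3E5629A0E8FB63A3E19027AE45458": "U.exe"}

# Constructed IIS W3C extended-log excerpt (not real victim data).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-11-01 03:12:07 10.0.0.5 GET /images/img.aspx cmd=whoami 80 - 88.150.214.162 Mozilla/5.0 200
2014-11-01 03:12:09 10.0.0.5 GET /default.aspx - 80 - 203.0.113.9 Mozilla/5.0 200
2014-11-01 03:13:44 10.0.0.5 POST /upload.aspx - 80 - 198.51.100.7 Mozilla/5.0 200
2014-11-01 03:15:01 10.0.0.5 GET /index.html - 80 - 64.120.208.154 curl/7.30 404
2014-11-01 03:16:22 10.0.0.5 GET /products.aspx id=1%27%3Bexec%20master..xp_cmdshell%20%27whoami%27-- 80 - 203.0.113.9 Mozilla/5.0 500
"""


def scan_iis_log(text):
    """Return (line_number, client_ip, reasons) for every record that matches
    an indicator: known actor IP, web-shell file name, or xp_cmdshell in the
    URL-decoded query string."""
    fields = None
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the records that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue                           # malformed record: skip rather than guess columns
        rec = dict(zip(fields, cols))
        reasons = []
        if rec["c-ip"] in ACTOR_IPS:
            reasons.append("client IP in indicator list")
        stem = rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if stem in WEB_SHELL_NAMES:
            reasons.append("request to known web-shell name %s" % stem)
        if "xp_cmdshell" in unquote(rec["cs-uri-query"]).lower():
            reasons.append("xp_cmdshell in query string")
        if reasons:
            hits.append((lineno, rec["c-ip"], reasons))
    return hits


def md5_hex(data: bytes) -> str:
    """Upper-case MD5 hex digest, the form used in the indicator list."""
    return hashlib.md5(data).hexdigest().upper()


def match_md5(digest: str):
    """Tool name for a known hash, or None if the hash is not in the list."""
    return KNOWN_MD5.get(digest.upper())


if __name__ == "__main__":
    for lineno, ip, reasons in scan_iis_log(SAMPLE_LOG):
        print("line %d  %-16s %s" % (lineno, ip, "; ".join(reasons)))
    print(match_md5("53841511791e4cac6f0768a9eb5def8a"))
```

Two caveats a practitioner should keep in mind: the two Iran-based addresses have been inactive since early 2014 and the later midpoint infrastructure sits in the UK and the Netherlands, so IP matches are weaker evidence than a hit on a web-shell name or an xp_cmdshell string; and the file names are trivially renamed, so hash and content checks (for example the MD5 helpers above run over files in web-accessible directories) should accompany the name match rather than replace it.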

Identify creation of users and databases named “haha”.