Saffron Rose: Iran’s Growing Cyber Espionage Force
Saffron Rose is the name FireEye gave, in its 2014 report "Operation Saffron Rose", to the activity of the Iranian threat group Ajax Security Team, which CrowdStrike tracks as Flying Kitten. The group is sometimes listed alongside or merged with APT35 (Charming Kitten, Phosphorus), although most trackers treat APT35 as a separate Iranian group; several of the tools and campaigns described below come from reporting published under that name. The group is widely assessed to operate in support of Iranian state interests. It first became visible around 2010 through website defacements signed AjaxTM, and by 2013-2014 it had shifted to malware-based cyber espionage operations aligned with Iranian national interests.
Activities and Targets
Saffron Rose has been involved in numerous cyber espionage campaigns, focusing on a wide array of targets, including:
- U.S. defence contractors and companies within the defence industrial base
- Iranian users of anti-censorship tools
- Military and government entities in the U.S. and Middle Eastern countries
- Media organizations
- Energy and telecommunications sectors
- Iranian dissidents and activists
The group's ability to target diverse sectors highlights its alignment with broader Iranian geopolitical interests and its focus on gathering intelligence related to both domestic and international concerns.
Methods and Tools
Saffron Rose employs a variety of attack vectors, including:
- Social Engineering: spear-phishing emails, social media messages and fake login pages that impersonate services the target already uses. The lures are aimed at specific, often high-profile individuals and are built to harvest credentials rather than only to deliver an attachment.
- Malware: over time the group has used a mix of custom and publicly available tools, including:
  - Stealer: the custom credential- and data-theft implant documented in the 2014 Saffron Rose report; it collects browser credentials, keystrokes and screenshots and sends them to the group's infrastructure.
  - PowerLess: a PowerShell-based backdoor used for long-term espionage, reported in 2022 under the APT35/Phosphorus name.
  - HAVIJ: a publicly available automated SQL injection tool from the group's defacement era, not custom malware.
- Ransomware: the group has been linked to extortion operations using the Memento ransomware and abuse of Windows' built-in BitLocker full-disk encryption (a legitimate feature turned against the victim, not a ransomware strain).
- Additional Techniques: other tools and methods used to get into and stay inside targeted systems, including:
  - Defeating one-time-code two-factor authentication: the code is captured on the fake login page and used before it expires
  - Keylogging
  - Exploiting vulnerabilities in Microsoft Office
  - IP logging: tracking links or images that record the target's IP address and client details before the real lure is sent
  - Using Mimikatz to harvest credentials from memory on compromised Windows hosts
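The page does not describe how the group gets past two-factor authentication, so the simulation below is an added illustration rather than code from the original post or from any report on the group. It models the mechanism that makes fake login pages effective against one-time codes: the code the victim types into the attacker's page is still valid when the attacker forwards it a few seconds later. The service, user, password, origins and TOTP key are constructed for the example. The second login method models an origin-bound factor in the style of WebAuthn, with the actual signature omitted, to show what stops the relay.

```python
"""Why a one-time code does not stop a fake login page (added example).

Everything here (Service, the user, the key, both origins) is constructed
for the simulation; it is not the group's tooling or any vendor's code.
"""
import hashlib
import hmac
import struct


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the common authenticator-app default."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


class Service:
    """Constructed stand-in for the real login endpoint the victim means to use."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}  # username -> (password, TOTP key)

    def enroll(self, user: str, password: str, key: bytes) -> None:
        self.users[user] = (password, key)

    def _password_ok(self, user: str, password: str) -> bool:
        pw, _ = self.users.get(user, (None, None))
        return pw is not None and hmac.compare_digest(pw, password)

    def login_totp(self, user: str, password: str, code: str, now: int) -> bool:
        """Password plus one-time code. Most servers accept one step of clock
        drift either side, so a relayed code stays usable for up to a minute."""
        if not self._password_ok(user, password):
            return False
        key = self.users[user][1]
        return any(hmac.compare_digest(totp(key, now + drift), code)
                   for drift in (-30, 0, 30))

    def login_origin_bound(self, user: str, password: str, signed_origin: str) -> bool:
        """Password plus a phishing-resistant factor, modelled after WebAuthn:
        the authenticator signs the origin the browser is really connected to,
        and the server compares it with its own. The signature is omitted here;
        only the origin comparison matters for the point being made."""
        if not self._password_ok(user, password):
            return False
        return signed_origin == self.origin


def relay_attack(service, user, password, key, phish_origin, now):
    """The fake login page. The victim, believing phish_origin is the real
    site, enters the password and the code shown by the authenticator app;
    the attacker immediately submits both to the real service."""
    captured_code = totp(key, now)        # what the victim's app showed and the victim typed
    submit_time = now + 5                 # attacker relays within seconds
    via_totp = service.login_totp(user, password, captured_code, submit_time)
    # With an origin-bound factor the victim's authenticator signed phish_origin,
    # which is all the attacker can forward to the real service.
    via_bound = service.login_origin_bound(user, password, phish_origin)
    return via_totp, via_bound


if __name__ == "__main__":
    svc = Service("https://webmail.example.test")
    key = b"12345678901234567890"
    svc.enroll("alice", "correct-horse", key)
    print(relay_attack(svc, "alice", "correct-horse", key,
                       "https://webmai1.example.test", 1_700_000_000))
```

`relay_attack` returns `(True, False)`: the relayed password and code log the attacker in, while the origin-bound check fails because the authenticator signed the phishing host's origin rather than the real one. The practical consequence for defenders is that lookalike-domain detection and user awareness narrow the window, but only a phishing-resistant factor removes this class of lure.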
Command-and-Control Infrastructure
Saffron Rose's command-and-control (C2) infrastructure is organised as distinct but interconnected clusters of domains and hosts. The group registers lookalike domains that mimic Google, Facebook, Yahoo and LinkedIn, using them both to host fake login pages and as C2 endpoints whose traffic blends in with ordinary browsing. Because these names differ from the genuine ones only by a swapped character, an added word or a brand placed in a subdomain, they are a reliable hunting signal in DNS and proxy logs.
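The impersonation pattern above lends itself to a simple hunt over DNS or proxy logs. The script below is an added example, not part of the original post or of any published report on the group; the brand list is the one named on the page, while the log format, the sample queries and the scoring heuristics are constructed here. It flags a brand placed in a subdomain of an unrelated domain, a brand embedded in the registered name, digit-for-letter swaps, and close misspellings.

```python
"""Flag hostnames that impersonate the brands the page says the group's
infrastructure mimics (added example, not the group's or any vendor's code)."""
from difflib import SequenceMatcher

# Brands named on the page.
BRANDS = ["google", "facebook", "yahoo", "linkedin"]
# Registrable domains treated as genuine. Assumption: two-label names only;
# a real deployment would resolve the registrable domain with the Public Suffix List.
LEGIT = {"google.com", "facebook.com", "yahoo.com", "linkedin.com"}

# Constructed sample DNS log: timestamp, client, queried name.
SAMPLE_LOG = """\
1700000000.123 10.0.0.15 mail.google.com
1700000001.456 10.0.0.15 accounts-google.com
1700000002.789 10.0.0.22 login.linkedin.com
1700000003.001 10.0.0.22 linkedln.com
1700000004.222 10.0.0.31 yah00.net
1700000005.333 10.0.0.31 facebook.com.profile-view.info
1700000006.444 10.0.0.40 example.org
"""

_DIGIT_HOMOGLYPHS = str.maketrans("0135", "oles")


def normalize(label: str) -> str:
    """Undo the digit-for-letter swaps typosquatters rely on (0/o, 1/l, 3/e, 5/s)."""
    return label.translate(_DIGIT_HOMOGLYPHS)


def classify(host: str) -> list:
    """Return the impersonation indicators found in one hostname (empty if none)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return []
    registrable = ".".join(labels[-2:])
    if registrable in LEGIT:
        return []
    sld = labels[-2]  # the label an attacker actually registers
    reasons = []
    for brand in BRANDS:
        if brand in labels[:-2]:
            reasons.append(f"brand-in-subdomain:{brand}")
        if brand in sld:
            reasons.append(f"brand-embedded:{brand}")
        elif normalize(sld) != sld and brand in normalize(sld):
            reasons.append(f"digit-homoglyph:{brand}")
        elif SequenceMatcher(None, sld, brand).ratio() >= 0.8:
            reasons.append(f"lookalike:{brand}")
    return reasons


def scan(log_text: str) -> list:
    """Run classify over every log line; return (client, host, reasons) for hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, host = parts
        reasons = classify(host)
        if reasons:
            hits.append((client, host, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan(SAMPLE_LOG):
        print(f"{client:<12} {host:<35} {', '.join(reasons)}")
```

On the constructed log this reports four of the seven queries: the hyphenated brand, the l/i misspelling, the zero-for-o swap and the brand buried in a subdomain, while the two genuine Google and LinkedIn hosts are left alone. The 0.8 similarity threshold and the two-label registrable-domain assumption are the knobs to revisit before running this against real traffic, and the output is a hunting lead to enrich with registration date and resolved IP, not a verdict.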
Evolution and Significance
The rise of Saffron Rose marks a significant step in the evolution of Iran's cyber capabilities. What began as a relatively unsophisticated website defacement group has evolved into a formidable APT player. The shift towards cyber espionage mirrors Iran's broader response to increased cyber operations targeting the country, such as the infamous Stuxnet attack. This evolution reflects the growing importance of cyber operations as a tool for statecraft in the region.
Attribution and Connections
While definitive proof linking Saffron Rose to the Iranian government remains elusive, the group's operations closely align with the strategic goals of the Iranian state. Saffron Rose is considered part of a larger ecosystem of Iranian APT groups, including APT33, APT34, and APT39. Each of these groups operates in coordination with state interests, targeting different sectors and regions, reflecting a broader, more complex Iranian cyber strategy.
Recent Activities
As of 2022, activity attributed to this cluster (reported by most vendors under the APT35, Phosphorus and Charming Kitten names) remains active, with the operators continuing to refine their tactics and broaden their targeting. They show a particular interest in individuals and organisations tied to Middle Eastern geopolitics, consistent with an ongoing espionage and intelligence-gathering mission.
#CyberEspionage #APT35 #SaffronRose #IranCyber #ThreatIntelligence #Infosec #CyberDefense #APTGroups #AdvancedThreats #Cybersecurity #CyberThreats #CybersecurityAwareness #Malware #Ransomware #StateSponsoredHacking #Espionage #Hacking #IranAPT #C2Infrastructure #Phishing #APT35Tactics #Geopolitics #NationalSecurity #CyberAttacks #DigitalSecurity #InfoSecCommunity #DataProtection #CyberWar #NetworkSecurity #AdvancedPersistentThreat #ThreatHunting #APT