Full Report
The pro-Iran hacking group that claimed to have stolen a tranche of sensitive materials from Lockheed Martin and posted it for sale in a Russian- and English-language dark web marketplace threatened today that “any government intervention, regardless of its nature, will be met with a proportionate response.” APT IRAN also declared “we have long-term plans…
Analysis Summary
# Threat Actor: APT IRAN
## Attribution & Identity
* **Actor Name:** APT IRAN
* **Identity:** A pro-Iran hacking group.
* **Known Associations:**
    * Affiliated with the **Islamic Revolutionary Guard Corps (IRGC)**.
    * Closely linked to **CyberAv3ngers**.
    * Collaborates with **Handala** (a group known for wiper attacks and high-profile breaches).
## Activity Summary
* **Lockheed Martin Extortion (March 2026):** Claimed the theft of 375 terabytes of sensitive technical and administrative data; initially demanded a $400 million ransom, subsequently increasing the price and threatening "irreparable damage."
* **Digital Marketplace Sale:** Posted alleged stolen materials for sale on Russian- and English-language dark web marketplaces.
* **Collaboration Operations:** Partnered with CyberAv3ngers and Handala to threaten U.S. water infrastructure in retaliation for perceived threats against Iranian infrastructure.
* **Information Operations:** Used Telegram to declare "long-term plans" for targeting defense contractors and threatening "proportionate responses" to government intervention.
## Tactics, Techniques & Procedures
* **Data Theft and Extortion:** Claims of stealing massive volumes (375 TB) of technical documentation and architectural source code.
* **Data Ransom/Sale:** Utilizing dark web marketplaces for high-value data auctions.
* **ICS Manipulation:** Attempting to manipulate Industrial Control Systems (ICS) that govern physical processes.
* **Wiper Attacks:** Association with Handala suggests involvement or support for destructive wiper malware operations.
* **Spearphishing/Account Compromise:** Demonstrated access to High-Level Personnel (HLP) inboxes and emails.
* **Psychological Warfare/Social Media:** Use of Telegram channels to issue threats, warn civilians (warning sirens), and exert pressure on governments.
## Targeting
* **Sectors:** Defense Industrial Base (DIB), Critical Infrastructure (Water, Energy, Agriculture), Healthcare/MedTech, Government, and Financial Services.
* **Geography:** United States, Israel, and Jordan.
* **Victims:**
    * **Lockheed Martin** (alleged breach of F-35 data and missile defense systems).
    * **Stryker** (medical technology company; associated via Handala).
    * **Jordanian Agricultural Sector** (wheat stockpile control systems).
    * **Bank al Etihad** (Jordan).
    * **Aqaba Special Economic Zone** solar projects.
    * **FBI Director Kash Patel** (personal email).
## Tools & Infrastructure
* **Malware:** Wiper malware (via Handala affiliation).
* **Infrastructure:**
    * Russian- and English-language dark web marketplaces.
    * Telegram for communications and proof of hack (video evidence of inboxes).
    * ICS manipulation tools (implied through agricultural sector attacks).
## Implications
APT IRAN represents a significant escalatory threat to U.S. and allied critical infrastructure. By transitioning from traditional hacktivism to the theft and attempted sale of sensitive defense technology (e.g., F-35 data), the group acts as a broker for Iranian state interests while leveraging the ransom model to fund or mask state-sponsored operations. The group's coordination with other IRGC-linked groups indicates a unified Iranian front capable of synchronized destructive (wiper) and disruptive (ICS) operations.
## Mitigations
* **Defense Industrial Base (DIB) Hardening:** Enhance monitoring for large-scale data exfiltration and strengthen identity management for senior executives.
* **ICS/SCADA Protection:** Segment control systems from the public internet, particularly in water, energy, and agriculture sectors, to prevent manipulation of physical assets.
* **Third-Party Risk Management:** Audit security protocols of medical and defense contractors frequently targeted by Iranian-linked wipers.
* **Dark Web Monitoring:** Actively monitor marketplaces and Telegram channels for mentions of corporate credentials or proprietary data leaks.