IRON LIBERTY

Iron Liberty is a threat actor group that has been active since at least 2010, as per the timeline of activity observed by CTU researchers. The group specializes in cyber espionage and has been particularly focused on targeting Industrial Control Systems (ICS) companies within the energy sector. Iron Liberty's tactics, techniques, and procedures (TTPs) have been honed over years, resulting in successful, operationally secure intrusions that span long periods. The group leverages advanced capabilities to maintain its activities undetected, often using Virtual Private Networks (VPNs) to access systems and steal valuable information. In mid-2014, public disclosures by security researchers highlighted Iron Liberty's activities, causing the group to temporarily halt operations. Despite these setbacks, Iron Liberty resumed its activities, demonstrating resilience and adaptability. The group's use of stolen credentials to mask its intrusion activities further complicates tracking and mitigation efforts. It is important to note that while CTU researchers have managed to gather significant data about Iron Liberty, the use of VPNs by the group has limited the scope of visibility into the exact nature and extent of the information compromised. The Castle campaign, characterized by similar targets and techniques to those of Iron Liberty, led CTU researchers to link it with Iron Liberty. However, due to differences between the Castle campaign and other Iron Liberty activities, some third parties categorize them as separate entities. This distinction illustrates the complexity and fluidity of threat actor groups' operations, underscoring the need for continuous vigilance and adaptive cybersecurity strategies.