Published on: November 19, 2021
Hackers linked to the Iranian government have been targeting a “broad range of victims” in the United States by using data exfiltration, extortion, and ransomware, according to an advisory issued on Nov. 17 by American, British, and Australian cybersecurity officials.
The threat actor is believed to have exploited multiple vulnerabilities in FortiOS, the operating system of California-based vendor Fortinet, dating back to March 2021, along with a remote code execution flaw affecting Microsoft Exchange servers since Oct. 2021, according to the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the UK’s National Cyber Security Centre (NCSC).
However, the agencies did not attribute these activities to any specific advanced persistent threat (APT) actor. Targeted victims of these cyberattacks include a variety of entities in the US transportation, health care, and public health sectors, along with some Australian organizations.
Significance and Response
Although ransomware attacks remain prevalent in the US, this warning is notable because the most significant attacks in 2021 have been attributed to Russian hackers rather than Iranian ones. Along with exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA and the FBI said they observed Iranian hackers abusing a FortiGate appliance in May 2021 to gain access to a web server hosting the domain for a US municipal government.
Then, in June, the APT actors “exploited a Fortigate appliance to access environmental control networks associated with a US-based hospital specializing in healthcare for children,” the advisory added.
To mitigate these attacks, the agencies recommend that organizations immediately patch software affected by the vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, and secure accounts with multi-factor authentication, antivirus software, and strong passwords.
Government agencies aren’t the only ones noticing Iranian hacking activity, however. Microsoft also announced on Nov. 16 that it had seen six different groups in Iran deploying ransomware since 2020.
Microsoft said one of the groups spends a significant amount of time and energy building a rapport with its victims before targeting them with spear-phishing campaigns. The APT actor mainly uses fake conference calls and interview requests while posing as representatives of think tanks in Washington, D.C., Microsoft added. “After building a rapport and sending a malicious link, the Iranians are very pushy about getting their victims to click on it,” said James Elliott, a member of the Microsoft Threat Intelligence Center.
“These guys are the biggest pain in the rear. Every two hours they’re sending an email,” Elliott added at the Nov. 16 Cyberwarcon conference.