ACSC and Five Eyes joint advisory issued, warning of Iranian cyber threats

The Five Eyes nations, along with the Australian Cyber Security Centre (ACSC), have issued a joint advisory on 15 September regarding ongoing Iranian state-sponsored cyber threats.

Reporter
Fri, 16 Sep 2022

The advisory warns of rising malicious cyber activity by advanced persistent threat (APT) actors linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).

According to ACSC head Abigail Bradshaw, the advisory, based on the latest intelligence across the Five Eyes nations, again underscores that organisations of all sizes continue to be targeted by capable and increasingly sophisticated adversaries.

The IRGC-affiliated actors are actively targeting a broad range of entities, according to the advisory, including entities across multiple US critical infrastructure sectors as well as organisations in the United Kingdom, Australia and Canada.


"The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors," the advisory read.

Those known vulnerabilities include previously publicised flaws in Fortinet and Microsoft Exchange products. In addition, authorities report that Iranian-affiliated APT actors are actively exploiting Log4j vulnerabilities in VMware Horizon for initial access, as well as Log4j2 vulnerabilities in SysAid applications.

The Five Eyes nations previously issued an alert in November 2021 regarding Iranian government-sponsored APT cyber actors, and the hacking attempts have continued since.

The latest advisory asserts that the hackers often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran.

Fortinet FortiOS and Microsoft Exchange Server vulnerabilities remain a favoured method of gaining initial access. The ACSC noted that APT actors have used CVE-2021-34473 in Australia. That access is then leveraged for further malicious activity, including deploying tools to support ransom and extortion operations and to exfiltrate data.

"After gaining access to a network, the IRGC-affiliated APT actors likely determine a course of action based on their perceived value of the data.

"The actors may sell the data or use the exfiltrated data in extortion operations or double extortion ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands," the advisory stated.

Additionally, reports out of the US say Iranian-affiliated APT actors are targeting individuals with known interests in Middle Eastern affairs, nuclear security, and genome research.

Proofpoint has observed an IRGC-sponsored phishing email campaign now underway that uses sock puppet accounts to impersonate genuine individuals at institutions such as the Pew Research Center, the Foreign Policy Research Institute and Chatham House.

This week, the US Department of Justice (DOJ) indicted three Iranians alleged to have conducted cyber attacks against critical infrastructure located in the US and elsewhere. The DOJ alleged the individuals targeted a broad range of organisations, including small businesses, government agencies, non-profit programs and educational and religious institutions.

According to Assistant Attorney General Matthew G Olsen of the DOJ’s National Security Division, the government of Iran has created a safe haven where cyber criminals acting for personal gain flourish and defendants like these can hack and extort victims, including critical infrastructure providers.

"This indictment makes clear that even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals," Olsen said.

The joint advisory recommends that targeted entities report cyber security incidents to the ACSC and continue to monitor its alerts and advisories.
