US Warns of Iran-Backed Hackers Using Ransomware

Iranian Hackers Target Critical Infrastructure
Government agencies in the United States, Australia, and the United Kingdom have issued warnings regarding the activities of Iranian state-sponsored hackers. These actors are actively targeting organizations within vital infrastructure sectors, and in certain instances, deploying ransomware.
Joint Cybersecurity Advisory
A collaborative advisory was released on Wednesday by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.’s National Cyber Security Centre (NCSC). This advisory specifically links Iranian actors to ransomware attacks.
Exploited Vulnerabilities and Targets
The advisory details how Iran-affiliated attackers have been exploiting security flaws in Fortinet products since March. Additionally, a Microsoft Exchange ProxyShell vulnerability has been leveraged since October.
These vulnerabilities have provided access to U.S. critical infrastructure organizations operating within the transportation and public health sectors. Similar targeting has also been observed in Australia.
The ultimate goal of these intrusions is to establish a foothold for subsequent malicious activities. These include the theft of sensitive data, extortion attempts, and the deployment of ransomware.
Recent Examples of Attacks
In May, attackers compromised a web server hosting a U.S. municipal government’s domain by abusing FortiGate devices.
Subsequently, in June, CISA and the FBI detected exploitation of Fortinet vulnerabilities to infiltrate the network of a U.S. hospital that specializes in pediatric healthcare.
Microsoft's Report on Iranian APTs
The joint advisory coincides with a separate report from Microsoft concerning the evolving tactics of Iranian Advanced Persistent Threats (APTs). Microsoft notes these groups are increasingly utilizing ransomware for both financial gain and disruptive purposes.
Microsoft has been monitoring six distinct Iranian threat groups engaged in deploying ransomware and exfiltrating data since September 2020.
Focus on Phosphorus (APT35)
Microsoft specifically highlights a particularly aggressive group known as Phosphorus, also identified as APT35. This group has been under observation for the past two years.
Previously relying on spear-phishing emails – including targeting presidential candidates during the 2020 U.S. election – Phosphorus now employs more elaborate social engineering: the group builds rapport with victims before using BitLocker, a built-in Windows feature, to encrypt their files.
Mitigation Recommendations
CISA and the FBI are urging organizations to implement several measures to reduce the risk posed by these Iranian attackers.
- Update operating systems promptly.
- Implement robust network segmentation.
- Enforce multi-factor authentication.
- Utilize strong and unique passwords.
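The Microsoft report above notes that Phosphorus encrypts victim files with BitLocker rather than custom ransomware, which means a defender's own inventory tooling can surface the activity. The PowerShell snippet below is an added example, not code from the advisory, the article, or Microsoft: it lists BitLocker volumes on a Windows host and flags any that are mid-encryption or carry a key protector type outside an assumed organizational baseline (the `$expectedProtectors` list is a placeholder you would replace with your own standard). It relies only on the built-in `BitLocker` module's `Get-BitLockerVolume` cmdlet.

```powershell
# Added example (not from the advisory or the article): inventory BitLocker state on
# this host and flag volumes that look unexpected. Run from an elevated session.
Import-Module BitLocker

# Assumed baseline of protector types your fleet legitimately uses; adjust to taste.
$expectedProtectors = @('Tpm', 'TpmPin', 'RecoveryPassword')

$report = Get-BitLockerVolume | ForEach-Object {
    $vol = $_
    # Collect the key protector types attached to this volume (may be empty).
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $unexpected = @($types | Where-Object { $expectedProtectors -notcontains $_ })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # e.g. FullyDecrypted, EncryptionInProgress
        ProtectionStatus = $vol.ProtectionStatus    # On / Off
        Protectors       = ($types -join ',')
        # Encryption actively running, or a protector type nobody in IT provisioned,
        # is worth a human look given the behaviour described in the report.
        Suspicious       = ($vol.VolumeStatus -eq 'EncryptionInProgress' -or $unexpected.Count -gt 0)
    }
}

# Print everything for the record, then the subset that needs attention.
$report | Format-Table -AutoSize
$report | Where-Object Suspicious | Format-Table -AutoSize
```

A scheduled run of this across endpoints, with the output shipped to a SIEM, turns an otherwise silent BitLocker activation into an alertable event; pairing it with the advisory's multi-factor authentication and segmentation recommendations limits how far an intruder who gains one foothold can go.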