Unflagging Iranian Threat Activity Spurs Warnings, Indictments From US Government

  /     /     /  
Publicated : 23/11/2024   Category : security


Unflagging Iranian Threat Activity Spurs Warnings, Indictments From US Government


Authorities are cracking down on persistent cybercriminal attacks from APTs associated with Irans Islamic Revolutionary Guard Corps.



Iranian threat actors have been on the radar and in the crosshairs of the US government and security researchers alike this month with what appears to be a ramp-up in and subsequent crackdown on
threat activity
from advanced persistent threat (APT) groups associated with the Irans Islamic Revolutionary Guard Corps (IRGC).
The US government on Wednesday simultaneously revealed
an elaborate hacking scheme
by and indictments against several Iranian nationals thanks to recently unsealed court documents, and warned US organizations of Iranian APT activity to
exploit known vulnerabilities
— including the widely attacked ProxyShell and
Log4Shell
flaws — for the purpose of ransomware attacks.
Meanwhile, separate research revealed recently that an Iranian state-sponsored threat actor tracked as APT42
has been linked
to more than 30 confirmed cyberespionage attacks since 2015, which targeted individuals and organizations with strategic importance to Iran, with targets in Australia, Europe, the Middle East, and the United States.
The news comes amid growing tensions between the United States and Iran on the heels of
sanctions imposed
against the Islamic nation for its recent APT activity, including a cyberattack against the
Albanian government
in July that caused a shutdown of government websites and online public services, and was widely castigated.
Moreover, with political tensions between Iran and the West mounting as the nation aligns itself more closely with China and Russia, Irans political motivation for its cyber-threat activity is growing, researchers said. Attacks are more likely to become financially driven when faced with sanctions from political enemies, notes Nicole Hoffman, senior cyber-threat intelligence analyst at risk-protection solution provider Digital Shadows.
Still, while the headlines seems to reflect a surge in recent cyber-threat activity from Iranian APTs, researchers said recent news of attacks and indictments are more a reflection of persistent and ongoing activity by Iran to promote its cybercriminal interests and political agenda across the globe.
Increased media reporting on Irans cyber-threat activity does not necessarily correlate to a spike in said activity, Mandiant analyst Emiel Haeghebaert noted in an email to Dark Reading.
If you zoom out and look at the full scope of nation-state activity, Iran has not slowed their efforts, agrees Aubrey Perin, lead threat intelligence analyst at Qualys. Just like any organized group their persistence is key to their success, both in the long term and short term.
Still, Iran, like any threat actor, is opportunistic, and the pervasive fear and uncertainty that currently exists due to geopolitical and economic challenges — such as the ongoing war in Ukraine, inflation, and other global tensions — certainly buoys their APT efforts, he says.
The growing confidence and boldness of Iranian APTs has not gone unnoticed by global authorities — including those in the United States, who appear to be getting fed up with the nations persistent hostile cyber engagements, having endured them for at least the last decade.
An indictment that was unsealed Wednesday by the Department of Justice (DoJ), US Attorneys Office, District of New Jersey shed specific light on ransomware activity that occurred between February 2021 and February 2022 and affected hundreds of victims in several US states, including Illinois, Mississippi, New Jersey, Pennsylvania, and Washington.
The indictment revealed that from October 2020 through the present, three Iranian nationals — Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nickaein Ravari — engaged in ransomware attacks that exploited known vulnerabilities to steal and encrypt data of hundreds of victims in the United States, the United Kingdom, Israel, Iran, and elsewhere.
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and other agencies subsequently warned that actors associated with the IRGC, an Iranian government agency tasked with defending leadership from perceived internal and external threats, have been exploiting and are likely to continue to exploit Microsoft and Fortinet vulnerabilities — including an Exchange Server flaw known as
ProxyShell
— in activity that was detected between December 2020 and February 2021.
The attackers, believed to be acting at the behest of an Iranian APT, used the vulnerabilities to gain initial access to entities across multiple US critical infrastructure sectors and organizations in Australia, Canada, and the United Kingdom for ransomware and other cybercriminal operations, the agencies said.
Threat actors shield their malicious activities using two company names: Najee Technology Hooshmand Fater LLC, based in Karaj, Iran; and Afkar System Yazd Company, based in Yazd, Iran, according to the indictments.
If the recent spate of headlines focused on Iranian APTs seems dizzying, its because it took years of analysis and sleuthing just to identify the activity, and authorities and researchers alike are still trying to wrap their heads around it all, Digital Shadows Hoffman says.
Once identified, these attacks also take a reasonable amount of time to investigate, she says. There are a lot of puzzle pieces to analyze and put together.
Researchers at Mandiant recently put together one puzzle that revealed
years of cyberespionage activity
that starts as spear-phishing but leads to Android phone monitoring and surveillance by IRGC-linked APT42, believed to be a subset of another Iranian threat group,
APT35/Charming Kitten/Phosphorus
.
Together, the two groups also are
connected
to an uncategorized threat cluster tracked as UNC2448, identified by Microsoft and Secureworks as a Phosphorus subgroup carrying out ransomware attacks for financial gain using BitLocker, researchers said.
To thicken the plot even further, this subgroup appears to be operated by a company using two public aliases, Secnerd and Lifeweb, that have links to one of the companies run by the Iranian nationals indicted in the DoJs case: Najee Technology Hooshmand.
Even as organizations absorb the impact of these revelations, researchers said attacks are far from over and likely will diversify as Iran continues its aim to exert political dominance on its foes, Mandiants Haeghebaert noted in his email.
We assess that Iran will continue to use the full spectrum of operations enabled by its cyber capabilities in the long term, he told Dark Reading. Additionally, we believe that disruptive activity using ransomware, wipers, and other lock-and-leak techniques may become increasingly common if Iran remains isolated in the international stage and tensions with its neighbors in the region and the West continue to worsen.

Last News

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Unflagging Iranian Threat Activity Spurs Warnings, Indictments From US Government