U.S., U.K. and Australian cyber agencies on Wednesday accused Iranian government-sponsored hacking groups of exploiting Microsoft and Fortinet vulnerabilities this year in a bid to deploy ransomware against critical infrastructure.
The hackers are interested in taking advantage of known software flaws where they can, the agencies said. The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency in March, May and June saw Iranian “advanced persistent threat” groups capitalizing on Fortinet vulnerabilities, in one case for a server associated with a U.S. municipal government and in another involving networks associated with a U.S.-based hospital focused on children’s care.
In October the hackers relied on a Microsoft Exchange ProxyShell vulnerability “to gain initial access to systems in advance of follow-on operations,” the subject of another recent CISA alert.
“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations,” the Wednesday alert states. “These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”
While the U.S. government has accused individual Iranian hackers of distributing ransomware in the past — such as with charges filed in the attack on the city of Atlanta — and while the U.S. has criticized the Iranian government for its activities in cyberspace, Wednesday’s alert combines both trends.
The joint alert follows research unveiled on Tuesday at the CyberWarCon conference, where Microsoft and CrowdStrike both revealed details about how suspected Iranian government-linked hackers had used ransomware as a disruptive tool.
The Microsoft research mentions how such hackers were trying to exploit Fortinet and ProxyShell vulnerabilities along the some of the same timelines mentioned in the Wednesday alert — “in the early part of 2021” on Fortinet and “last half of 2021” on ProxyShell.
“They are increasingly utilizing ransomware to either collect funds or disrupt their targets,” the research states. Since September of last year, Microsoft has “observed six Iranian threat groups deploying ransomware to achieve their strategic objectives.”
Those groups include one that Microsoft calls Phosphorus, which others call Charming Kitten or APT35.
CrowdStrike’s research, too said that “evidence points to the Iranian cyber operations enterprise as having recognized ransomware’s potential as a cyberattack capability able to inflict disruptive impacts on victims with low cost and relatively plausible deniability.”
This week the U.S. and Israel — a nation with whom Iran has been engaged in a long proxy conflict — announced a ransomware partnership.