Analysis of well-known Iranian hacking group points to more purely financial attacks

The government-linked hacking activity is both an intelligence-gathering effort and a money maker, researchers say.

An analysis of a well-known Iranian hacking operation that’s previously blurred the line between espionage and extortion suggests that the group is engaging in more purely financial attacks, including against targets in the U.S., Europe and Australia.

Researchers at various cybersecurity firms, as well as cybersecurity authorities in the U.S., the U.K. and Australia, have previously published reports on the activities of a group known variously as Cobalt Mirage, Charming Kitten, Phosphorus or TunnelVision. A November 2021 advisory issued jointly by the governments of the U.S., U.K. and Australia said the activity is “associated with the government of Iran” and is designed to gain access to a broad swath of targets for data exfiltration, ransomware or extortion.

The analysis released Thursday by researchers with Secureworks Counter Threat Unit builds on the previous reporting, but adds detail by unpacking attacks on an unnamed “U.S. philanthropic organization” in January 2022 and an unnamed local U.S. government in March 2022.

The two incidents represent distinct clusters of activity within the Cobalt Mirage group, the researchers concluded: one focused on opportunistic ransomware attacks for financial gain, the other conducting targeted intrusions aimed at persistent access and intelligence collection.

While ransomware attacks by the major groups based primarily in Russia have dominated headlines over the last year, Thursday’s research is a reminder that Iranian groups are active as well, and have been for years. The notorious SamSam ransomware, which hit more than 200 victims and generated more than $6 million for the attackers, was tied to two Iranian defendants in a 2018 federal indictment. More recently, a December 2021 ransomware attack on the historically Black Lincoln College, which contributed to the college having to close its doors this week, emanated from Iran, the college’s president has said.

The researchers based Thursday’s findings on the prior reporting on the group as well as on incident response engagements in January and March of 2022. The January incident was a ransomware attack on an unnamed U.S. philanthropic organization, while in the March incident the attackers stole an undisclosed amount of data from an unnamed “U.S. local government.”

While the March attack was not ransomware, “there is evidence that those threat actors may be experimenting with ransomware,” the researchers wrote, pointing to a file uploaded from Iran to the malware scanning service VirusTotal on Dec. 29, 2021, that “appears to be an unfinished attempt at ransomware.” Various details from the file suggest it can be linked to Cobalt Mirage activity.

“The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage,” the researchers concluded. “While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited.”

Nevertheless, the group’s “ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity to compromise organizations creates an ongoing threat.”
