Iranian state-backed hackers are targeting American organizations in critical sectors, warns US federal agencies, along with their UK and Australian counterparts. The advisory released by these agencies claims that the actors are targeting entities in the transportation, public health, and healthcare sectors.
The following security agencies issued the join advisory:
- Cybersecurity and Infrastructure Security Agency (CISA)
- Federal Bureau of Investigation (FBI)
- Australian Cyber Security Centre (ACSC)
- U.K.’s National Cyber Security Centre (NCSC)
The advisory also includes a list of recommendations for organizations to protect themselves from the mentioned cyber actors.
What Does the Advisory Say?
The Iran-based hackers have actively exploited Fortinet vulnerabilities since March, as well as a Microsoft Exchange ProxyShell vulnerability since October this year in order to access American critical infrastructure organizations.
The hackers intended to use this access to carry out further operations, such as data exfiltration, extortion, and ransomware deployment. According to the advisory, the hackers exploited a Fortigate appliance to target a U.S. municapal government’s web domain in May, 2021.
In June, the CISA and FBI discovered that hackers attempting to access the networks of a U.S.-based hospital. The ACSC pointed out that the group used the Microsoft Exchange vulnerability in Australia, as well.
Microsoft Provides Additional Information on Hackers’ Activity
Apart from government agencies, tech giant Microsoft has also noted activity from the Iranian hackers. In fact, the company said that, over the last year, it witnessed six different Iran-based groups deploy ransomware.
According to Microsoft, one of the groups invests significant time and energy in building a relationship with targets before deploying spear-phishing campaigns. It uses tricks such as “fake conference invitations or interview requests and frequently masquerades as representing officials at think-tanks in Washington, DC, as a cover.”
Cybersecurity firm CrowdStrike added that they and their competitors noticed similar Iranian activity last year. CrowdStrike researchers said that Iranian ransomware attacks are used to “conduct espionage, sow disinformation, and to harass and embarrass foes.”
Agencies Provide a List of Recommendations to Vulnerable Companies
The four government agencies provided a list of recommendations for vulnerable organizations. They urged network defenders to “apply the following mitigations to reduce the risk of compromise.”
The mitigatory steps include recommendations such as updating all systems, implementing network segmentation, using tools such as multi-factor authentication, and more.
If you’re interested in learning more about ransomware, check out our detailed article here.