The advisory says that in recent months, Iran has exploited computer vulnerabilities exposed by hackers before they can be fixed, targeting entities in the transportation, health care and public health sectors. The attackers used the initial intrusion for follow-on operations such as data exfiltration, ransomware and extortion, according to the advisory. The group used the same Microsoft Exchange vulnerability in Australia, officials said.
The warning is notable because even though ransomware attacks remain widespread in the United States, most of the significant attacks over the past year have been attributed to Russian-based hacker gangs rather than Iranian hackers.
Government officials aren’t the only ones noticing Iranian activity: Tech giant Microsoft said on Tuesday it had seen six different groups in Iran deploy ransomware since last year.
Microsoft said one of the groups was spending a lot of time and energy trying to build relationships with targeted victims before targeting them with spear-phishing campaigns. The group uses bogus conference invitations or interview requests and often masquerades as think tank leaders in Washington, DC, as cover, Microsoft said.
Once contact is made and a malicious link is sent, the Iranians are very aggressive in trying to get their victims to click on it, said James Elliott, a member of the Microsoft Threat Intelligence Center.
“These guys are the biggest pain in the back. Every two hours they send an email,” Elliott said at the Cyberwarcon cybersecurity conference on Tuesday.
Earlier this year, Facebook reported that it had found Iranian hackers using “sophisticated fake online personas” to build trust with targets and trick them into clicking on malicious links, often masquerading as recruiters for defense and aerospace companies.
Researchers at cybersecurity firm Crowdstrike said they and their competitors began to see this type of Iranian activity last year.
Iranian ransomware attacks, unlike those sponsored by the North Korean government, are designed not so much to generate income as to conduct espionage, sow disinformation, harass and embarrass enemies (Israel chief among them) and essentially wear down their targets, Crowdstrike researchers said at the Cyberwarcon event.
“While these operations will use ransom notes and dedicated leak sites demanding hard cryptocurrency, we really don’t see any viable effort for actual currency generation,” said Kate Blankenship, Crowdstrike’s director of global threat analysis.
Crowdstrike sees Iran as the pioneer of this new “low form” of cyberattack, which typically involves crippling a network with ransomware, stealing information and then leaking it online. Researchers call it the “lock and leak” method. It’s less visible, less expensive, and “leaves more room for denial,” Blankenship said.