November 19, 2021
Hackers linked to the Iranian government have been targeting a “broad range of victims,” including by deploying ransomware, according to a rare joint advisory issued by American, British and Australian officials.
It’s an unusual case of the US government publicly linking Iran with ransomware, which is typically used by cybercriminals rather than governments. And it’s a reminder that America’s ransomware problem is not limited to Russia.
The Iranian hackers are exploiting known flaws in software made by Microsoft and California-based vendor Fortinet to access systems and at times lock them up with ransomware, according to the advisory issued November 17 by the FBI, US Cybersecurity and Infrastructure Security Agency, Australian Cyber Security Centre and the UK’s National Cyber Security Centre.
Private-sector researchers have been detailing Iran’s alleged connection to ransomware for months, warning that hacks on companies in Israel and elsewhere are meant to disrupt business operations and intimidate victim organizations rather than recover actual ransom payments.
The advisory says that in recent months, Iranian actors have exploited computer vulnerabilities that were publicly exposed by hackers before they could be fixed, and have targeted entities in the transportation, health care and public health sectors.
The warning is notable because most ransomware attacks in the past year have been attributed to Russia-based criminal hacker gangs rather than Iranian hackers.
Government officials aren’t the only ones noticing the Iranian activity: Tech giant Microsoft announced one day earlier that it had seen six different groups in Iran deploying ransomware since last year.
Microsoft said one of the groups spends significant time and energy trying to build rapport with its intended victims before targeting them with spear-phishing campaigns. The group uses fake conference invitations or interview requests and frequently masquerades as officials at think tanks in Washington, DC, as a cover, Microsoft said.
Earlier this year, Facebook announced it had found Iranian hackers using “sophisticated fake online personas” to build trust with targets and get them to click on malicious links, often posing as recruiters for defense and aerospace companies.
Researchers at the cybersecurity firm CrowdStrike said they and competitors began seeing this type of Iranian activity last year.
The Iranian ransomware attacks, unlike those sponsored by North Korea’s government, are not designed to generate revenue so much as for espionage, to sow disinformation, to harass and embarrass foes — Israel, chief among them — and to essentially wear down their targets, CrowdStrike researchers said.
CrowdStrike considers Iran to be the trendsetter in this novel “low form” of cyberattack, which typically involves paralyzing a network with ransomware, stealing information and then leaking it online. The researchers call the method “lock and leak.” It is less visible, less costly and “provides more room for deniability,” CrowdStrike global threat analysis director Kate Blankenship said.