The Iranian government is coordinating with ransomware groups in attacks against organizations in the United States, Israel, Azerbaijan and the United Arab Emirates, according to an advisory released Wednesday by a U.S. federal agency.
The FBI, Department of Defense, and Cybersecurity and Infrastructure Security Agency (CISA) said as of August that Iranian threat actors continued to target government organizations, as well as the education, financial, healthcare, and defense sectors.
“The FBI assesses that a significant percentage of these threat actor activity against U.S. organizations is aimed at gaining and developing network access and then coordinating with ransomware-related actors to deploy ransomware,” the agency said.
The activity has been linked specifically to hackers with ties to the Iranian government, and the advisory noted that separate from the ransomware activity is a broader campaign to steal “sensitive technical data” from organizations in Israel and Azerbaijan.
Officials said the information in the advisory was collected from “numerous organizations affected by this malicious activity.” This particular Iranian group has been targeting U.S. organizations since 2017 and is known in the private sector by a variety of names, including Pioneer Kitten, Rubidium, and Lemon Sandstorm.
The advisory follows years of reports alleging that Iranian attackers are either using ransomware themselves or collaborating with ransomware operations following espionage or information theft campaigns.
The FBI said it observed the group gaining and maintaining access to victim networks, then attempting to sell access to its operations on criminal marketplaces.
The perpetrators partnered with NoEscape, RansomHouse, and groups associated with ALPHV ransomware attacks, ultimately receiving a cut of the ransom payments. According to the FBI, the Iranian group doesn’t just sell access to victims’ networks: in some cases, the hackers worked with ransomware gangs to “develop strategies to lock down victim networks and extort money from them.”
The attackers typically conceal the fact that they are working for the Iranian government and are “intentionally vague” about their origins, the advisory noted.
Authorities said the same group was behind the Pay2Key ransomware attack in 2020, publicizing the attack on social media and seeking to share data stolen from Israeli organizations.
According to the FBI, Pay2Key’s purpose was not to pay the ransom, but to embarrass Israeli organizations.
“John McCain”
An Iranian IT company called Danesh Novin Sahand is being used as a front for cyber activity, with most attacks relying on exploiting internet-connected assets.
Officials cited several recent vulnerabilities and products that hackers have repeatedly targeted, including CVE-2024-24919, which affects products from cybersecurity firm Check Point, and CVE-2024-3400, a widely publicized bug affecting Palo Alto Networks VPN devices.
The group has previously targeted Ivanti, Citrix and F5 BIG-IP products, using the Shodan search engine to find vulnerable devices.
Once inside a victim’s network, the hackers would create accounts and attempt to escalate their privileges to gain access to broader areas of the network. In at least one instance, the hackers created an account named “John McCain,” after the late U.S. senator.
Hackers will try to disable antivirus and security software or obtain security exemptions in order to move freely through networks without raising alarms.
From there, they carry out their own side missions to steal sensitive data while partnering with ransomware affiliates.
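The sequence described above (a new account, then privilege escalation, then tampering with security tooling) is the kind of chain a defender can correlate in host audit logs. The following is an added example, not code from the advisory or from the reporting agencies; it assumes Windows event IDs 4720 (user account created), 4732 (member added to a local security group) and 5007 (Defender configuration changed), and runs over a few constructed JSON event lines.

```python
import json
from collections import defaultdict

# Constructed sample events (JSON lines) for illustration only; not real telemetry.
# Assumed event IDs: 4720 = account created, 4732 = added to local group,
# 5007 = Microsoft Defender configuration changed (e.g. an exclusion added).
SAMPLE_EVENTS = """
{"ts": 1, "host": "srv01", "event_id": 4720, "actor": "svc_backup", "target": "John McCain"}
{"ts": 2, "host": "srv01", "event_id": 4732, "actor": "svc_backup", "target": "John McCain", "group": "Administrators"}
{"ts": 3, "host": "srv01", "event_id": 5007, "actor": "John McCain", "detail": "exclusion path added"}
{"ts": 4, "host": "srv02", "event_id": 4720, "actor": "hr_admin", "target": "jdoe"}
""".strip().splitlines()

# Group memberships that amount to privilege escalation on a host (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Backup Operators"}


def parse_events(lines):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def find_suspicious_chains(events):
    """Return (host, account, reason) for accounts created in this log window that
    were then added to a privileged group or used to change Defender settings.
    An account creation with no follow-on (like jdoe on srv02) is not flagged."""
    created = defaultdict(set)  # host -> accounts created earlier in the window
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        host, eid = e["host"], e["event_id"]
        if eid == 4720:
            created[host].add(e["target"])
        elif eid == 4732 and e.get("target") in created[host] \
                and e.get("group") in PRIVILEGED_GROUPS:
            findings.append((host, e["target"], f"added to {e['group']} after creation"))
        elif eid == 5007 and e.get("actor") in created[host]:
            findings.append((host, e["actor"], "changed Defender config after creation"))
    return findings


if __name__ == "__main__":
    for host, account, reason in find_suspicious_chains(parse_events(SAMPLE_EVENTS)):
        print(f"{host}: {account!r} {reason}")
```

The "created earlier in the window" condition matters: a brand-new account that immediately becomes an administrator or edits exclusions is far rarer in normal administration than either event on its own.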
The hackers are also believed to use their access to victims’ cloud computing resources as cover for launching other attacks, with the FBI noting it has seen this particular technique used against academic institutions and defense companies.
In some cases, the attackers have used infrastructure from previous breaches as a channel for exfiltrating data stolen from other victims.
Both CISA and the FBI said organizations should specifically fix the four vulnerabilities the group is scanning for: CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519.
But that alone may not be enough to protect victims, the advisory noted, adding that organizations should take a variety of other steps to protect themselves. Any ransomware attacks or cyber incidents should be reported to the FBI and CISA, the agencies said, because they want detailed information about tactics, IP addresses, ransom notes, bitcoin wallets, decryption files, etc.
The advisory comes amid renewed attention to Iranian cyber activity following recent allegations against the campaigns of both presidential candidates. CNN reported Wednesday that the recent incidents are part of a years-long campaign targeting both former President Donald Trump and President Joe Biden.