Iranian threat actors have been on the radar and in the crosshairs of the US government and security researchers alike this month with what appears to be a ramp-up in and subsequent crackdown on threat activity from advanced persistent threat (APT) groups associated with the Iran’s Islamic Revolutionary Guard Corps (IRGC).
The US government on Wednesday simultaneously revealed an elaborate hacking scheme by and indictments against several Iranian nationals thanks to recently unsealed court documents, and warned US organizations of Iranian APT activity to exploit known vulnerabilities — including the widely attacked ProxyShell and Log4Shell flaws — for the purpose of ransomware attacks.
Meanwhile, separate research revealed recently that an Iranian state-sponsored threat actor tracked as APT42 has been linked to more than 30 confirmed cyberespionage attacks since 2015, which targeted individuals and organizations with strategic importance to Iran, with targets in Australia, Europe, the Middle East, and the United States.
The news comes amid growing tensions between the United States and Iran on the heels of sanctions imposed against the Islamic nation for its recent APT activity, including a cyberattack against the Albanian government in July that caused a shutdown of government websites and online public services, and was widely castigated.
Moreover, with political tensions between Iran and the West mounting as the nation aligns itself more closely with China and Russia, Iran’s political motivation for its cyber-threat activity is growing, researchers said. Attacks are more likely to become financially driven when faced with sanctions from political enemies, notes Nicole Hoffman, senior cyber-threat intelligence analyst at risk-protection solution provider Digital Shadows.
Persistent & Advantageous
Still, while the headlines seems to reflect a surge in recent cyber-threat activity from Iranian APTs, researchers said recent news of attacks and indictments are more a reflection of persistent and ongoing activity by Iran to promote its cybercriminal interests and political agenda across the globe.
“Increased media reporting on Iran’s cyber-threat activity does not necessarily correlate to a spike in said activity,” Mandiant analyst Emiel Haeghebaert noted in an email to Dark Reading.
“If you zoom out and look at the full scope of nation-state activity, Iran has not slowed their efforts,” agrees Aubrey Perin, lead threat intelligence analyst at Qualys. “Just like any organized group their persistence is key to their success, both in the long term and short term.”
Still, Iran, like any threat actor, is opportunistic, and the pervasive fear and uncertainty that currently exists due to geopolitical and economic challenges — such as the ongoing war in Ukraine, inflation, and other global tensions — certainly buoys their APT efforts, he says.
Authorities Take Notice
The growing confidence and boldness of Iranian APTs has not gone unnoticed by global authorities — including those in the United States, who appear to be getting fed up with the nation’s persistent hostile cyber engagements, having endured them for at least the last decade.
An indictment that was unsealed Wednesday by the Department of Justice (DoJ), US Attorney’s Office, District of New Jersey shed specific light on ransomware activity that occurred between February 2021 and February 2022 and affected hundreds of victims in several US states, including Illinois, Mississippi, New Jersey, Pennsylvania, and Washington.
The indictment revealed that from October 2020 through the present, three Iranian nationals — Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nickaein Ravari — engaged in ransomware attacks that exploited known vulnerabilities to steal and encrypt data of hundreds of victims in the United States, the United Kingdom, Israel, Iran, and elsewhere.
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and other agencies subsequently warned that actors associated with the IRGC, an Iranian government agency tasked with defending leadership from perceived internal and external threats, have been exploiting and are likely to continue to exploit Microsoft and Fortinet vulnerabilities — including an Exchange Server flaw known as ProxyShell — in activity that was detected between December 2020 and February 2021.
The attackers, believed to be acting at the behest of an Iranian APT, used the vulnerabilities to gain initial access to entities across multiple US critical infrastructure sectors and organizations in Australia, Canada, and the United Kingdom for ransomware and other cybercriminal operations, the agencies said.
Threat actors shield their malicious activities using two company names: Najee Technology Hooshmand Fater LLC, based in Karaj, Iran; and Afkar System Yazd Company, based in Yazd, Iran, according to the indictments.
APT42 & Making Sense of the Threats
If the recent spate of headlines focused on Iranian APTs seems dizzying, it’s because it took years of analysis and sleuthing just to identify the activity, and authorities and researchers alike are still trying to wrap their heads around it all, Digital Shadows’ Hoffman says.
“Once identified, these attacks also take a reasonable amount of time to investigate,” she says. “There are a lot of puzzle pieces to analyze and put together.”
Researchers at Mandiant recently put together one puzzle that revealed years of cyberespionage activity that starts as spear-phishing but leads to Android phone monitoring and surveillance by IRGC-linked APT42, believed to be a subset of another Iranian threat group, APT35/Charming Kitten/Phosphorus.
Together, the two groups also are connected to an uncategorized threat cluster tracked as UNC2448, identified by Microsoft and Secureworks as a Phosphorus subgroup carrying out ransomware attacks for financial gain using BitLocker, researchers said.
To thicken the plot even further, this subgroup appears to be operated by a company using two public aliases, Secnerd and Lifeweb, that have links to one of the companies run by the Iranian nationals indicted in the DoJ’s case: Najee Technology Hooshmand.
Even as organizations absorb the impact of these revelations, researchers said attacks are far from over and likely will diversify as Iran continues its aim to exert political dominance on its foes, Mandiant’s Haeghebaert noted in his email.
“We assess that Iran will continue to use the full spectrum of operations enabled by its cyber capabilities in the long term,” he told Dark Reading. “Additionally, we believe that disruptive activity using ransomware, wipers, and other lock-and-leak techniques may become increasingly common if Iran remains isolated in the international stage and tensions with its neighbors in the region and the West continue to worsen.”
