Cybersecurity agencies in the United States, the United Kingdom, and Australia warned on Wednesday that Iran-linked cyberattack groups were ramping up operations, targeting vulnerabilities in enterprise technology to compromise organizations in the US and Australia.
In a joint advisory issued Nov. 17, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC) blamed Iran for a broad rise in attacks using vulnerabilities in Fortinet's FortiOS and Microsoft Exchange. The attackers often activate BitLocker on compromised Windows machines to encrypt data for ransom or hinder operations, the agencies said.
Three Fortinet vulnerabilities have been used since at least March against US targets, while both the US and Australia have seen attacks targeting the Microsoft Exchange ProxyShell issue, the advisory stated.
"The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations," stated CISA and the FBI in a joint advisory, adding that the attacks seem more focused on gaining advantage before organizations patch specific flaws, rather than specifically targeting critical infrastructure. "These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion."
These notices come less than three weeks after a top Iranian official blamed the US and Israel for attacks disrupting gasoline sales in Iran. In late October, Iran's civil defense chief, Gholamreza Jalali, blamed "the Zionist Regime, the Americans and their agents" for the outage, which affected thousands of gas stations, according to a Reuters report.
FBI officials also reportedly sent out a private industry notification (PIN) warning companies that Iranian attackers are attempting to buy stolen data regarding email messages and network information on underground forums. They also warned companies that have had data stolen to watch out for future attacks.
The cyber conflict demonstrates why private industry and government need to work together, said Mike Wiacek, CEO and co-founder at security-monitoring firm Stairwell, in a statement sent to Dark Reading.
"No single party, whether it is a company or a country, can solve problems of this magnitude on their own," he said. "The ability to recursively identify threats whether past, present or future, and creating defenses that are imperceptible to attackers are required. Fragmented viewpoints only benefit bad actors, so working together and sharing information and intelligence is absolutely critical."
Iran has dramatically increased its online capabilities since the US and Israel reportedly sabotaged the nation's nuclear program using the Stuxnet worm in 2009. The US, Israel, and Saudi Arabia are popular targets of Iran.
In an analysis of Iran-linked groups published Nov. 16, Microsoft described eight different cyber operations groups either based in or working in the interests of Iran. Under Microsoft's naming scheme, three of them are Phosphorus, Rubidium, and Curium; the other five are designations for developing clusters of activity that Microsoft has not yet formally named.
Microsoft's Threat Intelligence Center noted a few trends in the groups' operations. Iranian-backed groups are increasingly using ransomware, wipers, and other threats to disrupt targets, with six identified groups deploying ransomware during an attack, the company noted. The groups are also becoming more patient and persistent in their operations, especially in social engineering campaigns, but still use credential spraying and other brute-force attacks on their targets, Microsoft stated.
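The credential spraying the advisory and Microsoft both mention has a detection signature that is easy to miss if you only count failures per account: one source quietly tries a few passwords against many accounts, so no single account trips a lockout. The following Python example (added here, not code from the advisory, Microsoft, or Dark Reading) runs that check over a constructed, simplified log in which field names mirror Windows event 4625 (failed logon) and 4624 (successful logon); the log layout, the `detect_spraying` function and its thresholds are all assumptions made for the example. It flags a source that hits many distinct accounts with few attempts each inside a time window, ignores a classic single-account brute force, and reports any sprayed account that the same source later logged into, which is the "follow-on" access the agencies warn about.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). The layout is a simplified
# one-line-per-event form whose field names mirror Windows 4625/4624 events.
# 203.0.113.5 sprays six accounts once each, then succeeds against "frank".
# 198.51.100.9 hammers a single account (brute force, not a spray).
# 192.0.2.44 is one ordinary failed logon.
SAMPLE_EVENTS = """\
2021-11-17T08:00:01Z EventID=4625 TargetUserName=alice SourceIp=203.0.113.5
2021-11-17T08:00:03Z EventID=4625 TargetUserName=bob SourceIp=203.0.113.5
2021-11-17T08:00:05Z EventID=4625 TargetUserName=carol SourceIp=203.0.113.5
2021-11-17T08:00:07Z EventID=4625 TargetUserName=dave SourceIp=203.0.113.5
2021-11-17T08:00:09Z EventID=4625 TargetUserName=erin SourceIp=203.0.113.5
2021-11-17T08:00:11Z EventID=4625 TargetUserName=frank SourceIp=203.0.113.5
2021-11-17T08:00:13Z EventID=4624 TargetUserName=frank SourceIp=203.0.113.5
2021-11-17T08:05:00Z EventID=4625 TargetUserName=alice SourceIp=198.51.100.9
2021-11-17T08:05:01Z EventID=4625 TargetUserName=alice SourceIp=198.51.100.9
2021-11-17T08:05:02Z EventID=4625 TargetUserName=alice SourceIp=198.51.100.9
2021-11-17T08:05:03Z EventID=4625 TargetUserName=alice SourceIp=198.51.100.9
2021-11-17T08:05:04Z EventID=4625 TargetUserName=alice SourceIp=198.51.100.9
2021-11-17T08:05:05Z EventID=4625 TargetUserName=alice SourceIp=198.51.100.9
2021-11-17T09:30:00Z EventID=4625 TargetUserName=grace SourceIp=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) SourceIp=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the assumed one-line-per-event layout; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "user": m["user"].lower(),   # normalise case so Alice == alice
            "ip": m["ip"],
        })
    return events


def detect_spraying(text, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=2):
    """Flag sources that fail against >= min_accounts distinct accounts within
    `window`, with no single account failing more than max_per_account times
    (the spray shape). Also record sprayed accounts that later logged in."""
    events = sorted(parse_events(text), key=lambda e: e["ts"])
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["eid"] == 4625:
            failures[e["ip"]].append(e)
        elif e["eid"] == 4624:
            successes[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        win = deque()                      # sliding window of recent failures
        for e in fails:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window:
                win.popleft()
            per_user = Counter(x["user"] for x in win)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                f = findings.setdefault(ip, {"accounts": set(), "first": win[0]["ts"],
                                             "last": e["ts"], "succeeded": set()})
                f["accounts"] |= set(per_user)
                f["last"] = e["ts"]

    # Follow-on access: a sprayed account that the same source later logged into.
    for ip, f in findings.items():
        for s in successes.get(ip, []):
            if s["user"] in f["accounts"] and s["ts"] >= f["first"]:
                f["succeeded"].add(s["user"])
        f["accounts"] = sorted(f["accounts"])
        f["succeeded"] = sorted(f["succeeded"])
    return findings


if __name__ == "__main__":
    for ip, f in detect_spraying(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(f['accounts'])} accounts sprayed "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}; "
              f"follow-on logon for {f['succeeded'] or 'none'}")
```

The thresholds are deliberately parameters: in a real environment they should be tuned against the lockout policy (a spray stays just under it) and against legitimate many-account sources such as a VPN concentrator or a ticketing integration, which otherwise produce false positives. The single-account brute force from 198.51.100.9 is not flagged here because it is a different pattern with its own per-account detection; the point of this check is the one that per-account counting misses.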
"As Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including information operations, disruption and destruction, [and] support to physical operations," Microsoft stated in its analysis.
The level of cyber operations between Iran and the US has increased as Iran has invested in more cyber capabilities and the US has allowed more aggressive actions as part of its Defend Forward policy. Iranian groups have been blamed for attacks including ransomware, disk wipers, mobile malware, phishing attacks, password spraying, the use of mass exploits, and attacks targeting supply chains.
Yet the increase in tensions will likely not deter Iran, and it creates complications of its own. Russian threat actors, for example, have taken over Iranian infrastructure so that attacks appear to come from Iran. Meanwhile, hacktivists have taken credit for many of the attacks for which Iran blames its rivals.