The government of Iran is reportedly working hand-in-hand with ransomware gangs in a series of attacks targeting organizations in the U.S., Israel, Azerbaijan, and the United Arab Emirates. This alarming development was detailed in a recent advisory released by U.S. federal agencies, including the FBI, the Department of Defense, and the Cybersecurity and Infrastructure Security Agency (CISA).
As of August, Iranian cyber actors have consistently targeted critical sectors such as education, finance, healthcare, defense, and government entities. According to the advisory, these attacks are part of a broader strategy: gain and maintain access to victim networks, then monetize that access by collaborating with ransomware affiliates. The objective is often to deploy ransomware and extract ransom payments from victims.
These cyber activities have been directly attributed to hackers associated with the Iranian government. In addition to ransomware campaigns, these actors are conducting a more extensive operation aimed at stealing sensitive technical data, particularly from organizations in Israel and Azerbaijan. This information has been compiled from numerous entities affected by these malicious activities.
The group in question has been active since 2017 and is recognized in the private sector under various names, including Pioneer Kitten, Rubidium, and Lemon Sandstorm. Over the years, there have been numerous reports suggesting that Iranian actors either used ransomware themselves or partnered with ransomware operations following espionage or intelligence theft operations.
The FBI has observed this group attempting to gain and maintain access to victims’ networks before selling that access on criminal marketplaces. They have collaborated with affiliates of prominent ransomware operations such as NoEscape, RansomHouse, and ALPHV, sharing in the profits from ransom payments. In some instances, the hackers not only sell access but also work directly with ransomware gangs to lock victim networks and strategize on how to extort their victims.
The advisory highlights that these actors often conceal their association with the Iranian government, maintaining a deliberately vague origin. This same group was behind the Pay2Key ransomware operation in 2020, which publicly embarrassed Israeli organizations by sharing stolen data on social media, without any intent to collect ransom payments.
The Iranian cyber activities are often disguised under the cover of a legitimate IT company named Danesh Novin Sahand. The attacks typically exploit vulnerabilities in internet-facing assets, with the advisory listing several recent vulnerabilities that have been repeatedly targeted, including flaws in products from cybersecurity firms like Check Point and Palo Alto Networks.
The hackers have shown a particular interest in products from Ivanti, Citrix, and F5 BIG-IP, using tools like the Shodan search engine to locate vulnerable devices. Once inside a network, the hackers create accounts, sometimes using aliases like “John McCain,” and proceed to disable antivirus and security software to move undetected. They then collaborate with ransomware affiliates while conducting their own side missions of data theft.
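The post-access pattern described above (create a new account, then switch off endpoint protection) is something defenders can look for in Windows logs. The following is an added example, not part of the advisory or the article: it correlates Windows Security event 4720 (user account created) with Microsoft Defender operational event 5001 (real-time protection disabled) on the same host within a short window. The log lines are constructed for the demonstration and the simplified key=value format is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Host web01 shows the
# suspicious sequence; host hr02 shows an unrelated account creation and a
# Defender change many hours apart.
SAMPLE_EVENTS = [
    "2024-08-20T02:11:05 host=web01 event=4720 user=svc_backup",
    "2024-08-20T02:14:40 host=web01 event=5001 user=Administrator",
    "2024-08-19T09:00:00 host=hr02 event=4720 user=j.smith",
    "2024-08-20T03:30:00 host=hr02 event=5001 user=helpdesk",
]

# Assumed flattened format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+)"
)


def parse_event(line):
    """Parse one log line into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_suspicious_sequences(lines, window_minutes=60):
    """Return (host, new_account) pairs where an account creation (4720) is
    followed on the same host by a Defender real-time protection disable
    (5001) within window_minutes."""
    last_created = {}  # host -> (timestamp, account name)
    hits = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["event"] == "4720":
            last_created[host] = (ev["ts"], ev["user"])
        elif ev["event"] == "5001" and host in last_created:
            created_at, account = last_created[host]
            if ev["ts"] - created_at <= timedelta(minutes=window_minutes):
                hits.append((host, account))
    return hits


if __name__ == "__main__":
    for host, account in find_suspicious_sequences(SAMPLE_EVENTS):
        print(f"{host}: new account {account} followed by AV disable")
```

In production the same correlation would run against Security and Microsoft-Windows-Windows Defender/Operational channels rather than flattened text, but the logic is identical.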
Notably, these actors have also leveraged their access to a victim’s cloud-computing resources to launch further attacks, with evidence of this tactic being used against academic institutions and defense companies. In some cases, previously compromised infrastructure has been used to exfiltrate data stolen from other victims.
The advisory concludes with a call to action, urging organizations to patch several specific vulnerabilities that the group has been known to exploit, including CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519. However, patching alone may not be sufficient. Organizations are encouraged to take additional protective measures and to report any ransomware attacks or cyber incidents to the FBI and CISA, as these agencies are actively gathering information on the tactics, IP addresses, ransom notes, and other artifacts used by these threat actors.
This advisory comes at a time of heightened scrutiny of Iran’s cyber activities, particularly in light of recent reports linking Iranian cyber operations to attacks on the campaigns of both former President Donald Trump and President Joe Biden. This is part of a long-standing campaign by Iran targeting both political figures and critical infrastructure across multiple countries.
