The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC) and the Australian Cyber Security Centre (ACSC) outlined the malicious activity in a joint advisory.
The agencies noted that the hackers had targeted “a broad range of victims across multiple US critical infrastructure sectors” since at least March of this year, often by exploiting vulnerabilities in devices from cybersecurity group Fortinet and the ProxyShell vulnerabilities in Microsoft Exchange to launch ransomware attacks.
The Iranian-linked advanced persistent threat group (APT) was specifically found to be targeting the US health and transportation sectors, including a hospital specializing in children’s care in July, and to have gone after a domain for a US municipal government in May.
The ACSC has also seen the hackers target victims in Australia.
“FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors,” the advisory reads.
“These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” it added.
The advisory was released the day after Microsoft’s Threat Intelligence Center shared new findings on Iranian hacking activity. Researchers noted that Iranian hackers were “increasingly utilizing ransomware to either collect funds or disrupt their targets”, including through the same targeting of Fortinet vulnerabilities and Microsoft Exchange Servers vulnerable to ProxyShell that the advisory addressed.
CISA in August issued an alert urging organizations to immediately patch ProxyShell vulnerabilities.
Iran has long been viewed as one of the most high-profile and prolific nation states posing a threat to the US in cyberspace.
Reports claim that in recent months Iranian government-linked hackers have gone after medical researchers in the US and Israel, and in October Microsoft released findings indicating that Iran was behind the targeting of US and Israeli defense companies.
In late October, the head of the Passive Defense Organization of Iran stated that the United States and the Israeli regime were behind the recent cyberattack on Iran’s gas stations.
“We analyzed two incidents; one of them was the attack on Shahid Rajaee port, and the other the attack on the railways,” said Brigadier General Gholamreza Jalali in a televised interview.
“The two were similar [to the cyberattack on gas stations] in terms of the model of the attack,” he added.
“We believe the masterminds of those cyberattacks are definitely our enemies, i.e., the Americans and the Zionist regime [of Israel],” the top general noted.
However, he added, “We are reviewing technical information and cannot express our final viewpoint now.”
“When somebody wants to attack you at the middleware or hardware level, they should be able to infiltrate into, and have access to the information in the embedded system,” he explained.