The Iranian Regime Collaborates with Ransomware Criminals  


U.S. intelligence agencies have warned that the Iranian regime is collaborating with cybercriminal groups to conduct ransomware attacks against organizations in the United States, Israel, Azerbaijan, and the United Arab Emirates.

On Wednesday, August 28, the FBI, the Pentagon’s Cyber Crime Center, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that in recent times, Iran has targeted not only government institutions but also educational, healthcare, and defense sectors in these countries.

The FBI’s assessment indicates that a significant percentage of these Iranian hacking operations were conducted to gain access to the networks of these institutions through ransomware.

In addition to deploying ransomware, hackers linked to the Iranian regime have pursued extensive campaigns to steal sensitive technical data from Israeli and Azerbaijani institutions.

The three U.S. intelligence agencies based their report on data provided by several organizations that had been affected by these malicious activities.

The findings of these three agencies indicate that hackers linked to Iran either use ransomware themselves or collaborate with prominent ransomware operators in espionage and data theft operations.

U.S. agencies have concluded that hackers associated with Iran, in exchange for assisting in deploying ransomware, receive a share of the information obtained through these cyber traps.

In some cases, hackers have collaborated with ransomware groups that lock victims’ networks and seek to extort them.

Multiple hacking operations targeting Israeli organizations and companies  

The report by these three U.S. agencies noted that cyber actors linked to the Iranian regime have been behind multiple hacking operations targeting Israeli organizations and companies over the past four years. The primary motive was not financial extortion but rather to embarrass Israel by sharing the stolen data from these Israeli entities online.

The report mentioned the Iranian technology company “Danesh Novin Sahand,” which it described as a “cover for the cyber activities” of the Iranian regime. According to U.S. agencies, this company exploited vulnerabilities in cybersecurity products such as Check Point or Palo Alto Networks VPN equipment.

After entering a victim’s network, and before expanding their infiltration and data theft operations, hackers backed by the regime created a user account under the name “John McCain,” the name of a prominent late U.S. senator.

The hackers disable antivirus programs or security software on the victim’s computer to freely operate within the compromised network without triggering any warnings, allowing them to carry out their intended actions, steal information, and monitor the victim’s activities.

U.S. government cybersecurity experts believe that the hackers typically do not conceal their affiliation with the Iranian regime and deliberately keep the origin of their actions ambiguous.

In their advisory, the three U.S. intelligence agencies wrote that merely addressing the vulnerabilities in the software used on victims’ computers is insufficient for protection. Instead, organizations must take additional measures to protect themselves from these traps and report any ransomware attack or cyber incident.

The U.S. agencies identified four specific vulnerabilities in the software used on computers that need to be addressed.

The report by the three U.S. agencies was released amid renewed attention by U.S. intelligence organizations on Iran’s cyber activities aimed at influencing the upcoming U.S. presidential election.

Microsoft also reported on Wednesday that hacking agents linked to the Islamic Revolutionary Guard Corps (IRGC) have installed malware on computers in the satellite, oil, gas, and communications sectors of the United States and the United Arab Emirates.

The Iranian regime, in its effort to bolster its intelligence capabilities, is increasingly using cyberattacks and, more recently, artificial intelligence.
