US says Iran-backed hackers are now targeting organizations with ransomware

The U.S. government, along with counterparts in Australia and the U.K., has warned that Iranian state-backed hackers are targeting U.S. organizations in critical infrastructure sectors — in some cases with ransomware.

The rare warning linking Iran with ransomware landed in a joint advisory Wednesday, issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC) and the U.K.’s National Cyber Security Centre (NCSC).

The advisory said that Iran-backed attackers have been exploiting Fortinet vulnerabilities since at least March and a Microsoft Exchange ProxyShell vulnerability since October to gain access to U.S. critical infrastructure organizations in the transport and public health sectors, as well as organizations in Australia. The aim of the hackers is ultimately to leverage this access for follow-on operations such as data exfiltration, extortion and ransomware deployment.

In May this year, for example, the hackers abused FortiGate gear to access a web server hosting the domain for a U.S. municipal government. The following month, CISA and the FBI observed the hackers exploiting Fortinet vulnerabilities to access the networks of a U.S.-based hospital specializing in healthcare for children.

The joint advisory has been released alongside a separate report from Microsoft on the evolution of Iranian APTs, which are “increasingly utilizing ransomware to either collect funds or disrupt their targets.” In the report, Microsoft said it has been tracking six Iranian threat groups that have been deploying ransomware and exfiltrating data in attacks that started in September 2020.

Microsoft singles out one particularly “aggressive” group it calls Phosphorus, also known as APT35, which the company has been tracking for the past two years. While it previously used spear-phishing emails to lure victims, including presidential candidates during the 2020 U.S. election, Microsoft says the group is now employing social engineering tactics to build rapport with its victims before using BitLocker, a full-disk encryption feature built into Windows, to encrypt the victims’ files.

CISA and the FBI are urging organizations to take a series of actions to mitigate the threats posed by the Iranian attackers, including updating operating systems, implementing network segmentation and using multi-factor authentication and strong passwords.