Iranian government-sponsored hackers are actively targeting a “broad range of victims” across multiple US sectors, including transportation and health care, and in some cases have deployed ransomware against those victims, US federal agencies and their counterparts from the United Kingdom and Australia warned on Wednesday.
It’s a rare case of the US government publicly linking Iran with ransomware, which is typically used by cybercriminals rather than governments. And it’s a reminder that America’s ransomware problem is not limited to Russia.
The Iranian hackers are exploiting known flaws in software made by Microsoft and California-based vendor Fortinet to access systems and at times lock them up with ransomware, according to the advisory from the FBI, US Cybersecurity and Infrastructure Security Agency, Australian Cyber Security Centre and the UK’s National Cyber Security Centre.
“These Iranian government-sponsored … actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” the advisory states.
The Health Information Sharing and Analysis Center, a cyber threat sharing group for big US health care providers, said it would quickly share the US government advisory with its members.
“We’re taking it very seriously,” Errol Weiss, the group’s chief security officer, told CNN. “I would have loved a chance to work on this with the government before it came out.”
It is unclear which organizations in the US health and transportation sectors were targeted by the hackers; federal officials do not typically publicly name hacking victims. The hackers appear to be focusing on exploiting the software flaws wherever they find them, rather than picking specific sectors to target, officials said.
Health care organizations have been strapped for resources, including cybersecurity services, throughout the coronavirus pandemic. But ransomware attacks – often from criminal groups based in Eastern Europe and Russia – on those organizations have only increased, according to tallies of attacks from private-sector experts.
The Iranian government’s alleged dabbling in ransomware has received less public attention. Private-sector researchers have, however, in recent months detailed Iran-linked hackers’ alleged use of ransomware, warning that hacks of companies in Israel and elsewhere are meant to disrupt business operations and intimidate victim organizations rather than collect actual ransom payments.
In the last 14 months, at least six Iranian hacking groups have used ransomware to “achieve their strategic objectives,” Microsoft researchers said Tuesday. “These ransomware deployments were launched in waves every six to eight weeks on average.”
One suspected Iranian group posed as ransomware operators while conducting disruptive hacks of Israeli organizations this year, according to SentinelOne, another cybersecurity firm.
“[R]ansomware activities provide deniability, allowing states to send a message without taking direct blame,” SentinelOne concluded.
This is the second US advisory about Iranian hacking activity in as many weeks. The FBI on November 8 privately warned US companies, in a memo obtained by CNN, that Iranian operatives have searched cybercrime forums for sensitive data stolen from American organizations that could be useful in future hacking campaigns.