Iran-based cyber actors are ramping up their efforts against U.S. targets, from critical infrastructure to election interference.
On August 28, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI and the Department of Defense Cyber Crime Center (DC3), released a joint cybersecurity advisory (CSA) warning about a group of Iran-based cyber actors deploying ransomware against US organizations. The group worked closely with ransomware affiliates such as ALPHV (BlackCat), supporting encryption operations, locking victim networks, planning extortion, and selling access to other parties on cyber marketplaces. The agencies assessed that these actors were acting in the interests of the Government of Iran (GOI), targeting defense networks in the U.S., Israel, Azerbaijan, and the United Arab Emirates, but that the ransomware activity itself was likely not sanctioned by the GOI.
This advisory comes in the midst of other concerning cyber activity from Iran. Earlier this month, Donald Trump’s presidential campaign was hacked through a phishing scheme run by APT42, an Iranian group associated with the Islamic Revolutionary Guard Corps (IRGC). Google’s Threat Analysis Group (TAG) published a blog post about the threat actor group, which attempted to infiltrate both presidential campaigns through about a dozen personal email accounts of associated individuals.
A recent CNN review found that the group’s sophisticated phishing emails have been running for several years. A former Trump administration official was targeted in 2022 through an email asking for a review of a manuscript on the Iranian and North Korean nuclear programs. A similar setup was used this year against a Biden administration diplomat in the Middle East, this time inviting the recipient to a think-tank discussion of the Israel-Palestine situation. Even Roger Stone, a close political confidant of Donald Trump, had his email breached by these hackers, who then used the account to gain access to campaign documents. These intrusions are worrisome because they show a strong, continuous effort to influence the US election and collect intelligence.
Election interference isn’t the only Iranian state-sponsored cyber threat to the U.S. Recently, Microsoft posted a security blog on Peach Sandstorm. Peach Sandstorm deploys a custom malware, dubbed “Tickler”, against many different organizations, including those in the communications, energy and government sectors. The group is remarkably advanced: it persistently gathers information from LinkedIn to gain access to critical infrastructure sectors, and it exploits zero-day vulnerabilities. It blends legitimate tools with its malware, and frequently changes its attack techniques and infrastructure to avoid detection.
Elaborate social engineering also plays an important role in the Iranian counterintelligence operation that a recent threat intelligence blog from Google describes. The Iranian group tailored their messages to appear credible and relevant to their targets, which included government officials, journalists, and political dissidents in Iran and abroad. This approach increased the likelihood that targets would click on malicious links or provide sensitive information, allowing them to monitor and potentially disrupt adversaries.
The recent surge in Iran-based cyber activities, ranging from ransomware attacks to election interference, illustrates a multifaceted threat landscape aimed at both espionage and disruption of U.S. interests. The use of sophisticated malware, combined with strategic partnerships with ransomware groups and elaborate social engineering, underscores the complexity and ambition of these efforts and highlights the need for enhanced vigilance and proactive defense strategies.