Iran-Based Cyber Actors

Ransomware

August 28, 2024

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) released a Joint Cybersecurity Advisory to warn network defenders that, as of August 2024, a group of Iran-based cyber threat actors continues to exploit US and foreign organizations. These organizations span several sectors in the US (including the education, finance, healthcare, and defense sectors, as well as local government entities) and other countries (including Israel, Azerbaijan, and the United Arab Emirates).

The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware. The FBI further assesses these Iran-based cyber threat actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan).

The advisory provides the threat actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), and highlights similar activity from a previous advisory (Iran-Based Threat Actor Exploits VPN Vulnerabilities) that the FBI and CISA published on September 15, 2020. The information and guidance in this advisory are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against US organizations and engagements with numerous entities impacted by this malicious activity.

The FBI recommends all organizations follow guidance provided in the mitigations section of the advisory to defend against the Iranian cyber threat actors’ activity.

For more information on Iran state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat webpage.

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report. If organizations believe they have been targeted or compromised by the Iranian cyber threat actors, the FBI and CISA recommend immediately contacting your local FBI field office for assistance.

Please do not hesitate to contact us here at cybercc.org with any questions.
Also, for more background on our recent cybersecurity efforts, please visit cyber.nj.gov.