Iranian Associated Cyber Threats
Global Attacks
September 5, 2024
Over the past few weeks, there has been a significant increase in reported activity associated with Iranian state-sponsored or state-affiliated cyber threat groups. One of these cyber threat actors known as Pioneer Kitten, Fox Kitten, Parisite, RUBIDIUM, and Lemon Sandstorm, was observed targeting US and foreign organizations in various sectors, including education, finance, healthcare, defense, and local government entities. A substantial portion of the organization’s US-centric cyber operations involves gaining and retaining technical access to target networks to carry out future ransomware attacks. The perpetrators provide complete control over domains and administrator credentials to multiple
networks globally.
Additionally, the FBI noted that a significant percentage of Iran-based cyber threat actors associated with the Government of Iran (GOI) are actively collaborating with ransomware affiliates to deploy ransomware against US organizations and conduct computer network exploitation activities to support the GOI. These actors have collaborated with the ransomware affiliates NoEscape, Ransomhouse, and ALPHV (aka BlackCat). The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims. Their dual objectives of financial gain and espionage underscore the need for heightened international cooperation and the implementation of robust defense strategies.
Furthermore, APT 42, also known as Charming Kitten and associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), was attributed to targeting former members of both the Trump and Biden administrations. In June, APT 42 successfully breached the Trump
campaign, stealing internal campaign documents and distributing them to news organizations. Recent observations by US intelligence agencies highlighted Iran’s aggressive efforts to sow discord ahead of the 2024 presidential election. These reports underscore the critical need to counter election deepfakes and promote comprehensive education and awareness regarding possible foreign interference.
Recommendations
- Users are encouraged to educate themselves and others on state-sponsored cyber threats and disinformation campaigns to prevent victimization.
- Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats.
- Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
- Use strong, unique passwords and enable MFA for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- Keep systems up to date and apply patches after appropriate testing.
- Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
- Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).
- Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from the information technology (IT) environments.
- Regularly perform scheduled backups, keeping an updated copy offline in a separate and secure location, and testing it regularly.
- Cyber incidents can be reported to the FBI’s IC3 and the NJCCIC.