
FBI: Iran working with ransomware gangs for attacks in US, Azerbaijan, UAE and Israel

The government of Iran is coordinating with ransomware gangs in attacks on organizations in the U.S., Israel, Azerbaijan and the United Arab Emirates, according to an advisory published Wednesday by U.S. federal agencies.

The FBI, Defense Department and Cybersecurity and Infrastructure Security Agency (CISA) said that as of August, Iranian threat actors continue to target the education, finance, healthcare, and defense sectors in addition to government entities.

“The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” the agencies said. 

The activity was specifically tied to hackers associated with the government of Iran, and the advisory notes that a wider campaign to steal “sensitive technical data” from organizations in Israel and Azerbaijan is separate from the ransomware activity.

The information in the advisory was compiled from “numerous entities impacted by this malicious activity,” according to the agencies. This specific group of Iranian actors has targeted U.S. organizations since 2017 and is known in the private sector by a variety of names including Pioneer Kitten, Rubidium and Lemon Sandstorm. 

The advisory builds upon years of reports claiming Iranian actors were either using ransomware themselves or partnering with ransomware operations following espionage or intelligence theft operations. 


The FBI said it has seen the group attempt to gain and maintain access to a victim’s network before trying to sell their access to organizations on criminal marketplaces. 

The actors have partnered with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations — eventually taking a percentage of ransom payments. The Iranian group is not just selling access to victim networks, according to the FBI. In some cases the hackers have worked with ransomware gangs to “lock victim networks and strategize on approaches to extort victims.” 

The attackers typically hide the fact that they are working for the government of Iran, the advisory notes, and are “intentionally vague” about their origin. 

The agencies said that this same group was behind the Pay2Key ransomware operation in 2020 — publicizing their attacks on social media and attempting to share data stolen from Israeli organizations.

The goal of Pay2Key was not ransom payments but to embarrass Israeli organizations, according to the FBI. 

'John McCain'

An Iranian IT company named Danesh Novin Sahand is used as cover for the cyber activity, and most attacks relied on the exploitation of internet-facing assets.

The agencies listed several recent vulnerabilities and products the hackers have repeatedly targeted, including CVE-2024-24919, which affects products from cybersecurity firm Check Point, and CVE-2024-3400 — a widely publicized bug affecting Palo Alto Networks VPN devices. 

The group has long targeted products from Ivanti, Citrix and BIG-IP F5, using the Shodan search engine to find vulnerable devices. 

Once inside a victim’s network, the hackers create accounts before trying to increase their privileges and access more of the network. In at least one instance, the hackers created an account with the name “John McCain” in reference to the late U.S. senator.

The hackers disable antivirus and security software or try to obtain security exemptions in an effort to move freely through a network without tripping any alarms. 

From there, they partner with ransomware affiliates while conducting their own side missions of stealing sensitive data. 

The hackers also have been seen leveraging their access to a victim’s cloud-computing resources as cover to launch other attacks, with the FBI noting that it has seen this specific piece of tradecraft used against academic institutions and defense companies. 

In some cases the actors are using previous compromises as a way to transmit stolen data from other victims. 

Both CISA and the FBI said organizations need to specifically patch four vulnerabilities the group has been seen scanning for: CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519.

But that alone is probably not enough to protect victims, the advisory notes, adding that organizations should take a range of other actions to protect themselves. Any ransomware attacks or cyber incidents should be reported to the FBI and CISA, the agencies said, because both are eager to gain more information on tactics, IP addresses, ransom notes, bitcoin wallets, decryptor files and more. 

The advisory comes amid a renewed focus on Iran’s cyber activity in light of recent alleged operations against the campaigns of both presidential candidates. CNN reported on Wednesday that the recent incidents are part of a years-long campaign targeting both former President Donald Trump and President Joe Biden.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.