To protect themselves from Iranian hackers who are targeting firms and key infrastructure with ransomware, US officials are advising businesses to back up their data, update software, and deactivate hyperlinks in staff emails.

An Iranian government-sponsored group has been labeled a serious cybersecurity threat by law enforcement agencies in the United States, the United Kingdom, and Australia, according to a joint statement.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated in an advisory that it has identified ongoing malicious cyber activity by an advanced persistent threat (APT) group linked to the Iranian government.

"This Iranian government-sponsored APT has been detected exploiting Fortinet and Microsoft Exchange ProxyShell vulnerabilities to obtain initial access to computers in advance of follow-on activities, which include spreading ransomware," CISA said in a statement late Wednesday.

The coalition said that after exploiting the software flaws, the hackers conduct "follow-on operations" such as ransomware, extortion, and data theft to further harm their victims, which have included U.S. transportation and healthcare companies as well as unnamed Australian entities.

The group has targeted "a wide spectrum of victims across numerous U.S. critical infrastructure sectors, including transportation and healthcare and public health, as well as Australian organizations," according to the advisory.

Microsoft released research earlier this week revealing an increase in activity by Iran-based groups that are "increasingly leveraging ransomware to either collect revenue or damage their targets."

Given that most ransomware groups are criminal syndicates, the fact that these hacking groups are thought to be linked to Iran's government is significant.

According to the advisory, "these Iranian government-sponsored APT actors can use this access for follow-on operations such as data exfiltration or encryption, ransomware, and extortion."

Over the last two years, the U.S. has detected a number of foreign ransomware attacks, most notably by the Ryuk and Darkside gangs, which officials have linked to Russia but not to the Russian government.

In a report, Radio Free Europe said Ryuk carried out a number of attacks against U.S. healthcare organizations and facilities during the peak of the coronavirus pandemic, delaying potentially life-saving treatment for patients.

Darkside has been linked to the Colonial Pipeline ransomware breach in May this year, U.S. investigators said.

The Biden administration imposed sanctions on Russia earlier this year in response to the SolarWinds hack, which began in 2020 when malicious code was hidden in updates to widely used software that monitors commercial and government computer networks.