A joint cybersecurity advisory (CSA) by the FBI, CISA and DC3 warns of Iranian hackers partnering with ransomware gangs to target US organizations and sell network access to cyber criminals.
According to United States Federal authorities, Iranian-backed state-sponsored threat actors are collaborating with ransomware gangs to launch cyber attacks against U.S. and global organizations including those in critical sectors like education, healthcare, and defence.
The new wave of cyberattacks from Iranian hackers has initiated a joint Cybersecurity Advisory (CSA) from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3).
According to the advisory, these Iranian groups are not simply conducting typical cyber espionage for the Iranian government. They are also actively developing network access within organizations and then collaborating with ransomware gangs like NoEscape, Ransomhouse, and ALPHV (aka BlackCat) to deploy devastating attacks.
This “access-as-a-service” (AaaS) model allows the ransomware groups to bypass initial security hurdles, leading to the compromise of targeted systems.
The FBI has linked these Iranian actors to the Iranian government, noting that their activities extend beyond ransomware collaboration to include the theft of sensitive technical data from organizations in countries like the United Arab Emirates, Israel and Azerbaijan.
The CSA further highlights that these Iran-based actors are leveraging their access to infiltrate networks and then selling that access to ransomware affiliates. This novel tactic allows them to conduct cyber espionage, steal sensitive information, and then inflict crippling financial losses through ransomware attacks.
This never-before-seen strategy may blur the lines between state-sponsored hacking and traditional cybercrime, making it difficult for authorities to pinpoint the perpetrators.
“This is a very interesting scenario where state-sponsored actors are linking up with cybercrime gangs to maximize damage,” says William Wright, CEO of Closed Door Security. “When these nation-state actors gain access to critical networks, their key motive will be cyber espionage and gaining access to sensitive information, but they then take things a step further by selling their access on to ransomware groups, causing catastrophic damage to the target and also blurring the attack path so it is much harder to identify the culprit.”
The joint advisory also provides detailed information on the tactics, techniques, and procedures (TTPs) employed by these Iranian groups, along with indicators of compromise (IoC) to help organizations detect and respond to possible threats.
The agencies urge all organizations, especially those in the targeted sectors, to review the advisory carefully and take immediate steps to maintain their cybersecurity measures.
RELATED TOPICS
- Iranian Hackers Posed as Israelis in LinkedIn Phishing Attack
- FIN7 Cybercrime Gang Evolves with Ransomware, Hacking Tools
- Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware
- Iran’s Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector
- Iranian Stalkerware ‘Spyhide’ Steals Data from 60,000 Android Devices
