Iranian State Actors Conduct Cyber Operations Against the Government of Albania

09/21/2022 10:16 AM EDT

Original release date: September 21, 2022

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA), Iranian State Actors Conduct Cyber Operations Against the Government of Albania, detailing malicious cyber operations that included ransomware and disk wiper, rendering websites and services unavailable. The advisory indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, periodically accessing and exfiltrating email content.

Joint CSA: Iranian State Actors Conduct Cyber Operations Against the Government of Albania outlines tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) likely used by Iranian state cyber actors as recently as July 2022. CISA and FBI encourage users and administrators to review the advisory and apply the recommended mitigations to limit the risk of compromise. For additional information on Iranian cyber threats, see CISA’s Iran Cyber Threat Overview and Advisories webpage.

This product is provided subject to this Notification and this Privacy & Use policy.

Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations

09/14/2022 10:33 AM EDT

Original release date: September 14, 2022

CISA, Federal Bureau of Investigation (FBI), National Security Agency (NSA), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), Department of the Treasury, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC) have released a joint Cybersecurity Advisory (CSA), Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations. This advisory updates previous joint reporting from November 2021, to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies now assess are associated with the Iranian Islamic Revolutionary Guard Corps (IRGC).

The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:

  • Patch all systems and prioritize remediating known exploited vulnerabilities.
  • Enforce multifactor authentication (MFA).
  • Secure Remote Desktop Protocol (RDP) and other risky services.
  • Make offline backups of your data.

See Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations and joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities for information on these Iranian government-sponsored APT actors’ tactics and techniques, indicators of compromise, and recommended mitigations. Additionally, review StopRansomware.gov for more guidance on ransomware protection, detection, and response.

For more information on state-sponsored Iranian malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage.

This product is provided subject to this Notification and this Privacy & Use policy.

Iranian Government-Sponsored MuddyWater Actors Conducting Malicious Cyber Operations

02/24/2022 11:00 AM EST

Original release date: February 24, 2022

CISA, the Federal Bureau of Investigation (FBI), U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) have issued a joint Cybersecurity Advisory (CSA) detailing malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater. 

MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran’s Ministry of Intelligence and Security (MOIS), targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. 

CISA encourages users and administrators to review the joint CSA: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. For additional information on Iranian cyber threats, see CISA’s Iran Cyber Threat Overview and Advisories webpage.

This product is provided subject to this Notification and this Privacy & Use policy.

FBI Releases PIN on Iranian Cyber Group Emennet Pasargad

01/27/2022 10:14 AM EST

Original release date: January 27, 2022

The Federal Bureau of Investigation (FBI) has released a Private Industry Notification (PIN) that provides a historical overview of Iran-based cyber company Emennet Pasargad’s tactics, techniques, and procedures to enable readers to identify and defend against the group’s malicious cyber activities.

CISA encourages users and administrators to review FBI PIN: Context and Recommendations to Protect Against Malicious Activity by Iranian Cyber Group Emennet Pasargad and apply the recommended mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

CNMF Identifies and Discloses Malware used by Iranian APT MuddyWater

01/12/2022 03:34 PM EST

Original release date: January 12, 2022

U.S. Cyber Command’s Cyber National Mission Force (CNMF) has identified multiple open-source tools used by an Iranian advanced persistent threat (APT) group known as MuddyWater. According to CNMF, “MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.” U.S. Cyber Command has released malware samples attributed to MuddyWater to the malware aggregation tool and repository, VirusTotal.

CISA encourages users and administrators to review U.S. Cyber Command’s press release, Iranian intel cyber suite of malware uses open source tools, as well as their VirusTotal page for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities

11/17/2021 09:00 AM EST

Original release date: November 17, 2021

CISA, the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC)  have released a joint Cybersecurity Advisory highlighting ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran.  FBI and CISA have observed this Iranian government-sponsored APT exploit Fortinet and Microsoft Exchange ProxyShell vulnerabilities to gain initial access to systems in advance of follow-on operations, which include deploying ransomware.

Joint Cybersecurity Advisory AA21-321A provides observed tactics and techniques, as well as indicators of compromise that FBI, CISA, ACSC, and NCSC assess are likely associated with this Iranian government-sponsored APT activity. FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors. 

CISA also recommends reviewing its Iran Cyber Threat Overview and other Iran-related Advisories.

This product is provided subject to this Notification and this Privacy & Use policy.