Iranian hackers indicted for attacks on government agencies and critical infrastructure companies
The United States Department of Justice (DOJ) has indicted three Iranian hackers for a campaign of attacks dating back to 2020. The hackers hit targets in the United States as well as other countries, and attacked a wide range of organizations, including critical infrastructure companies and government agencies.
Iranian hackers are not state-sponsored, but are allowed to act with impunity
The DOJ notes that the Iranian hackers do not appear to be linked to the Islamic Revolutionary Guard Corps, but accuses Iran of taking a stance similar to Russia's: ignoring the actions of its criminal hackers as long as they stick to attacking enemy or rival nations.
The three hackers (Mansur Ahmadi, 34; Ahmad Khatibi Aghda, 45; and Amir Hossein Nickaein, 30) appear to have acted on their own for personal gain, but included critical infrastructure companies and government agencies among their targets. The Iranian hackers reportedly failed to disrupt critical infrastructure, but targeted utility companies as part of their campaign, as well as local municipal offices in several states.
The hackers appear to be based in Iran, and the complete lack of diplomatic relations between the two nations (as well as recent military tensions) means that the indictments are unlikely to lead to arrests, but they will at least significantly limit the attackers' ability to travel outside the country. If arrested, the men each face up to 20 years in prison on the various charges brought by the DOJ.
The hacking campaign ran from October 2020 to August 2022 and included hundreds of targets around the world, including dozens in the United States. Iranian hackers seemed to be looking for targets of opportunity with relatively simple or poor cyber defenses, and had no moral qualms about who they were attacking. An example of a US victim presented by the DOJ was a shelter for victims of domestic violence whose systems were compromised in December 2021. The shelter ended up having to pay a ransom of $13,000 in bitcoins to restore its ability to operate. Iranian hackers also attacked a local housing authority in Washington state and threatened to release stolen data, which would likely include information about residents of public or subsidized housing.
Other victims of the Iranian hackers include a township in New Jersey, a state bar association, a county government in Wyoming and several accounting firms across the country. In terms of critical infrastructure, the threat actors attacked at least two regional electric utility companies in two different states and a Washington construction company that had been contracted to work on critical infrastructure in the state.
It's also possible the group played a role in the June 2021 attack on Boston Children's Hospital. A US Treasury press release says the group penetrated the hospital's network around this time and was able to steal data and encrypt at least one device, abusing the built-in Windows BitLocker disk encryption as its ransomware tool rather than deploying a custom encryptor.
In addition to the DOJ charges, the Treasury Department announced sanctions against two companies the hackers are affiliated with: Najee Technology and Afkar System. These companies appear to have participated in attacks on critical infrastructure companies and have also individually targeted defense and government personnel in the United States and the Middle East. The State Department also announced rewards of up to $10 million for information leading to 10 people associated with these companies.
Edward Liebig, global cyber ecosystem director at Hexagon Asset Lifecycle Intelligence, notes that these hackers sometimes preyed on smaller fish than ransomware groups usually focus on: “The accusations leveled at Iranian hackers who have operated hundreds of computers in US critical infrastructure space is just another stark reminder that cyber hygiene is critical to our defense against attack. These attacks focus on exploiting known vulnerabilities rather than specific sectors, advancing the management and remediation of frontline assets and vulnerabilities. Victims in the United States would range from power companies to non-profit organizations, all of which must have detailed visibility into their assets in order to effectively protect them from threat actors… Critical infrastructures often rely on outdated technology that is extremely vulnerable to these types of attacks. Simply put: it is not that difficult for cybercriminals to compromise critical infrastructure systems. The Biden administration’s crackdown on Iranian cybercriminal groups is working and should continue to be a priority, as should urging critical infrastructure operators to strengthen their cyber hygiene quickly and effectively.”
Attacks involving critical infrastructure quickly trigger sanctions
These Iranian hackers are not the first targeted by the DOJ for operating in the United States, nor the first to draw sanctions. The involvement of critical infrastructure seems to increasingly warrant that response, as the Biden administration has taken aggressive steps to bolster national defenses since taking office.
The DOJ has periodically issued indictments against Iranian hackers since 2016, when a seven-person team launched a series of attacks on US banks. In 2018, a hacking and espionage network was accused of stealing research and confidential information from more than 100 universities and government agencies. And in 2021, two Iranian hackers were accused of orchestrating a disinformation campaign intended to disrupt the 2020 election.
The United States has also found itself embroiled in a recent spat between Iran and Albania that involves the former hacking the latter. After Iranian hackers caused extensive damage to government systems in a campaign to locate and attack dissidents, Albania called on NATO allies to help investigate and eventually severed diplomatic relations with Iran. The Treasury Department announced new sanctions against Iranian intelligence agencies following this investigation.
Austin Berglas, global head of professional services for BlueVoyant, suggests that businesses of all types and sizes should take note that the attackers have been chasing known vulnerabilities rather than targeting the most lucrative industries and organizations: “Unpatched infrastructure is like leaving your house key under your doormat when you go on vacation. Allowing cybercriminals to exploit publicly available vulnerabilities frees them from having to spend time and resources developing new ways to compromise your environment. BlueVoyant threat intelligence confirms that hackers can start exploiting new vulnerabilities quickly, sometimes within days. For this reason, starting in late 2021, the US Cybersecurity & Infrastructure Security Agency (CISA) now requires regulated government agencies to patch new vulnerabilities within two weeks, and sometimes sooner if there is a serious risk. Despite the risk, BlueVoyant has found that some organizations are slow to apply patches, many of which take weeks, leaving them vulnerable.”
“The number one concern for companies is to secure their data and credentials to ensure business continuity. The best way to have strong cybersecurity is to have multiple layers of defense, which should be consistently implemented over time. The first step is to understand what is critical in the environment and to build protective walls around this information and the rules for accessing this information. Multi-Factor Authentication (MFA) should be implemented on all accounts, as the vast majority of account compromises will be prevented with this addition. Then, develop a baseline and set alerts for user login patterns to understand what is abnormal or anomalous. Next, organizations need to employ email protection and continuously educate the user base about phishing and other common cyber threats,” Berglas suggested.
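The login-baselining step Berglas describes (learn each user's normal login pattern, then alert on departures from it) is the kind of detection that small organizations can run over their own authentication logs without a commercial product. The script below is an added example written for this article; it is not BlueVoyant's code or anything the indictment describes. It assumes a constructed, simplified event format (`<ISO timestamp> <user> <country> <result>`) standing in for real VPN, IdP or Windows logon records, and it flags three of the patterns that precede the opportunistic intrusions discussed above: a successful login from a country the user has never logged in from, a login at an hour well outside the user's usual window, and a success that follows a burst of failures (password spraying or brute force).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs). Format per line:
# "<ISO timestamp> <user> <country> <result>"
BASELINE_EVENTS = [
    "2022-07-04T09:12:00 alice US success",
    "2022-07-05T10:03:00 alice US success",
    "2022-07-06T08:47:00 alice US success",
    "2022-07-04T14:20:00 bob US success",
    "2022-07-05T15:11:00 bob CA success",
    "2022-07-06T13:58:00 bob US success",
]

NEW_EVENTS = [
    "2022-08-01T09:30:00 alice US success",   # normal for alice
    "2022-08-01T03:14:00 alice IR success",   # new country and off-hours
    "2022-08-02T14:05:00 bob US failure",
    "2022-08-02T14:05:10 bob US failure",
    "2022-08-02T14:05:20 bob US failure",
    "2022-08-02T14:05:30 bob US failure",
    "2022-08-02T14:05:40 bob US failure",
    "2022-08-02T14:05:50 bob US success",     # success right after a failure burst
]


def parse_event(line):
    """Split one constructed event line into (timestamp, user, country, result)."""
    ts, user, country, result = line.split()
    return datetime.fromisoformat(ts), user, country, result


def build_baseline(events):
    """Per-user profile of countries and hours seen in *successful* logins.

    Only successes are used so that an attacker's failed attempts during the
    baseline period cannot poison the profile.
    """
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for line in events:
        ts, user, country, result = parse_event(line)
        if result == "success":
            baseline[user]["countries"].add(country)
            baseline[user]["hours"].add(ts.hour)
    return baseline


def detect_anomalies(baseline, events, fail_threshold=5,
                     fail_window=timedelta(minutes=10), hour_tolerance=1):
    """Return a list of (user, timestamp, reason) alerts for the new events."""
    alerts = []
    # user -> [consecutive failure count, timestamp of last failure]
    recent_failures = defaultdict(lambda: [0, None])

    for line in events:
        ts, user, country, result = parse_event(line)
        count, last = recent_failures[user]
        # Failures older than the window no longer count toward a burst.
        if last is not None and (ts - last) > fail_window:
            count = 0

        if result != "success":
            recent_failures[user] = [count + 1, ts]
            continue

        profile = baseline.get(user)  # .get() does not create a default entry
        if profile is None:
            alerts.append((user, ts, "no baseline for user"))
        else:
            if country not in profile["countries"]:
                alerts.append((user, ts, f"login from new country {country}"))
            if not any(abs(ts.hour - h) <= hour_tolerance for h in profile["hours"]):
                alerts.append((user, ts, f"login at unusual hour {ts.hour:02d}"))

        if count >= fail_threshold:
            alerts.append((user, ts, f"success after {count} failures"))
        recent_failures[user] = [0, None]

    return alerts


def run_example():
    """Build the baseline from July and score the August events."""
    return detect_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS)


if __name__ == "__main__":
    for user, ts, reason in run_example():
        print(f"{ts.isoformat()} {user}: {reason}")
```

The thresholds (five failures in ten minutes, one hour of tolerance around previously seen login hours) are illustrative; tune them against a few weeks of your own logs before alerting on them, and treat the new-country rule as a trigger for MFA step-up or analyst review rather than automatic lockout, since travel and VPN egress changes will produce legitimate hits.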