It’s not just stealing confidential data. Cybercriminal activities from state-sponsored actors have evolved, targeting critical infrastructures and demanding ransom from high-net-worth companies. Various threat actor groups are increasingly turning to ransomware as a revenue model by sabotaging the targets.
Microsoft Threat Intelligence Center (MSTIC) recently identified six Iranian hacking groups deploying ransomware and compromising targeted network systems. “Since September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average,” MSTIC said.
The six Iranian threat actor groups include:
- DEV- 0227
The MSTIC team claimed that they’d observed a steady evolution of the tools, techniques, and procedures of malicious network operators based in Iran. The team recently presented their analysis on Iranian nation-state actor activity at the CyberWarCon 2021.
Notable trends in Iranian nation-state sponsored actors according to MSTIC:
- They are increasingly utilizing ransomware to either collect funds or disrupt their targets.
- They are more patient and persistent while engaging with their targets.
- While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.
Iranian operators can:
- Deploy ransomware
- Deploy disk wipers
- Deploy mobile malware
- Conduct phishing attacks
- Conduct password spray attacks
- Conduct mass exploitation attacks
- Conduct supply chain attacks
- Cloak C2 communications behind legitimate cloud services
The operators have targeted several international organizations by exploiting unpatched vulnerabilities and performing widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.
“As with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor,” MSTIC added.
Threats from Iran Hackers Continue
Cyberattacks from Iran-based hackers continue to evolve. Recently, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) jointly released a cybersecurity advisory cautioning active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by an Iranian state-sponsored advanced persistent threat (APT) group.