Researchers from the Microsoft Threat Intelligence Center (MSTIC) reported that, since at least September 2020, they had observed six Iranian threat groups associated with the West Asian country deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.
Nation-state actors with ties to Iran are increasingly using ransomware to generate revenue and deliberately sabotage their targets, in addition to patient and persistent social engineering campaigns and aggressive brute force attacks.
Three significant trends among Iranian nation-state actors have emerged:
- They are increasingly using ransomware to either steal money or disrupt their targets.
- When engaging with their targets, they are more patient and persistent.
- While Iranian operators have become more patient and persistent in their social engineering campaigns, they continue to use aggressive brute force attacks.
Phosphorus, also known as APT35, is a threat actor that has been observed scanning internet-facing IP addresses for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers in order to gain initial access and persistence on vulnerable networks, before deploying additional payloads that allow the actors to pivot to other machines and deploy ransomware.
Another strategy in the playbook is to use a network of fictitious social media accounts, including posing as attractive women, to gain trust from targets over time and then deliver malware-laced documents that allow data exfiltration from victim systems. Both Phosphorus and a second threat actor known as Curium have been observed using such “patient” social engineering techniques to compromise their targets.
Specifically, Iranian operators have proven themselves to be both willing and able to:
- Deploy disk wipers
- Deploy mobile malware
- Conduct phishing attacks
- Conduct password spray attacks
- Conduct mass exploitation attacks
- Conduct supply chain attacks
- Cloak C2 communications behind legitimate cloud services
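The list above names password spraying alongside the aggressive brute force attacks mentioned earlier. The two look different in authentication logs: a spray fails across many accounts from one source, while brute force hammers one account. The following detection logic is an added example written for this article, not code from Microsoft or the agencies cited; the log line format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Password-spray and brute-force detection over constructed authentication logs.

Added illustration for the techniques named in the article. The log format
("<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"), the sample lines and the
thresholds are assumptions made for this example, not any vendor's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source spraying many accounts (then one success),
# one source brute-forcing a single account, and one benign user typo.
SAMPLE_LOG = """\
2021-11-17T09:00:01 FAIL user=alice src=203.0.113.7
2021-11-17T09:00:03 FAIL user=bob src=203.0.113.7
2021-11-17T09:00:05 FAIL user=carol src=203.0.113.7
2021-11-17T09:00:07 FAIL user=dave src=203.0.113.7
2021-11-17T09:00:09 FAIL user=erin src=203.0.113.7
2021-11-17T09:00:11 FAIL user=frank src=203.0.113.7
2021-11-17T09:00:13 OK user=grace src=203.0.113.7
2021-11-17T09:05:00 FAIL user=alice src=198.51.100.9
2021-11-17T09:05:02 FAIL user=alice src=198.51.100.9
2021-11-17T09:05:04 FAIL user=alice src=198.51.100.9
2021-11-17T09:05:06 FAIL user=alice src=198.51.100.9
2021-11-17T09:05:08 FAIL user=alice src=198.51.100.9
2021-11-17T09:05:10 FAIL user=alice src=198.51.100.9
2021-11-17T10:30:00 FAIL user=heidi src=192.0.2.44
2021-11-17T11:00:00 OK user=heidi src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map source IP -> sorted usernames when a source fails logins for
    at least `min_users` distinct accounts inside any `window`-long span.
    The signal is breadth of accounts per source, not attempts per account."""
    fails = defaultdict(list)  # src -> [(ts, user)]
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits within `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users and len(users) > len(alerts.get(src, [])):
                alerts[src] = sorted(users)
    return alerts


def detect_bruteforce(events, window=timedelta(minutes=10), min_attempts=5):
    """Map (src, user) -> peak failure count when one account sees at least
    `min_attempts` failures from one source inside any `window`-long span."""
    fails = defaultdict(list)  # (src, user) -> [ts]
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[(src, user)].append(ts)
    alerts = {}
    for key, stamps in fails.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_attempts:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


def successes_after_spray(events, spray_alerts):
    """Return (src, user) pairs where a spraying source later logged in
    successfully: the accounts to review first for compromise."""
    first_fail = {}
    for ts, result, user, src in events:
        if result == "FAIL" and src in spray_alerts:
            first_fail[src] = min(first_fail.get(src, ts), ts)
    return {(src, user) for ts, result, user, src in events
            if result == "OK" and src in first_fail and ts >= first_fail[src]}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    spray = detect_spray(evts)
    print("spray sources:", spray)
    print("brute force:", detect_bruteforce(evts))
    print("review these logins:", successes_after_spray(evts, spray))
```

On the constructed sample, 203.0.113.7 is flagged as a spray source (six accounts in twelve seconds), 198.51.100.9 as brute force against `alice`, and the single `heidi` failure from 192.0.2.44 trips neither rule. The `grace` login from the spraying source is surfaced for review because a success following a spray is the event that matters to responders.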
The findings are particularly significant in light of a new alert issued by cybersecurity agencies in Australia, the United Kingdom and the United States warning of an ongoing wave of intrusions carried out by Iranian government-sponsored hacking groups using Microsoft Exchange ProxyShell and Fortinet vulnerabilities.
The agencies said in a joint bulletin issued Wednesday: “These Iranian government-sponsored APT actors can use this access for subsequent operations such as data exfiltration or encryption, ransomware, and extortion.”
Furthermore, these hacking groups have demonstrated the ability to adapt and shape-shift based on their strategic goals and tradecraft, evolving into “more competent threat actors” proficient in disruption and information operations. They have conducted a variety of attacks, including cyber espionage, phishing and password spraying, mobile malware, wipers and ransomware, and even supply chain attacks.