Iranian Threat Actors Ramp Up Ransomware, Cyber Activity

As US government agencies warn of Iran-based threat actor activity, how can enterprise leaders manage their risks?

Carrie Pallardy, Contributing Reporter

November 5, 2024

7 Min Read
Panther Media GmbH via Alamy Stock Photo

This summer, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) released a joint advisory on Iran-based threat actors and their role in ransomware attacks on organizations in the US and other countries around the globe.  

With the US presidential election coming to a close, nation state activity from Iran could escalate. In August, Iranian hackers compromised Donald Trump’s presidential campaign. They leaked compromised information and sent stolen documents to people involved in Joe Biden’s campaign, CNN reports.  

What are some of the major threat groups associated with Iran, and what do cybersecurity stakeholders need to know about them as they continue to target US organizations and politics?  

Threat Groups 

A number of advanced persistent threat (APT) groups are affiliated with the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian armed forces. “[Other] relatively skilled cyber threat actor groups … maintain arm’s distance length from the Iranian government,” says Scott Small, director of cyber threat intelligence at Tidal Cyber, a threat-informed defense company. “But they're … operating pretty clearly on behalf [of] or aligned with the objectives of the Iranian government.”  

Related:2024 Cyber Resilience Strategy Report: CISOs Battle Attacks, Disasters, AI ... and Dust

These objectives could be espionage and information collection or simply disruption. Hack-and-leak campaigns, as well as wiper campaigns, can be the result of Iranian threat actor activity.  And as the recent joint advisory warns, these groups can leverage relationships with major ransomware groups to achieve their ends.  

“Look at the relationships [of] a group like Pioneer Kitten/Fox Kitten. They're partnering and collaborating with some of the world's leading ransomware groups,” says Small. “These are extremely destructive malware that have been extremely successful in recent years at disrupting systems.” 

The joint advisory highlights Pioneer Kitten, which is also known by such names as Fox Kitten, Lemon Sandstorm, Parisite, RUBIDIUM, and UNC757, among others. The FBI has observed these Iranian cyber actors coordinating with groups like ALPHV (also known as BlackCat), Ransomhouse, and NoEscape. “The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin,” according to the joint advisory.  

Many other threat groups affiliated with Iran have caught the attention of the cybersecurity community. In 2023, Microsoft observed Peach Sandstorm (also tracked as APT33, Elfin, Holmium, and Refined Kitten) attempting to deliver backdoors to organizations in the military-industrial sector.  

Related:Next Steps to Secure Open Banking Beyond Regulatory Compliance

MuddyWater, operating as part of Iran’s Ministry of Intelligence and Security (MOIS), has targeted government and private sector organizations in the oil, defense, and telecommunications sectors.  

TTPs  

The tactics, techniques, and procedures (TTPs) leveraged by Iranian threat actor groups are diverse. Tidal Cyber tracks many of the major threat actors; it has an Iran Cyber Threat Resource Center. Small found the top 10 groups his company tracks were associated with approximately 200 of the MITRE ATT&CK techniques.  

“Certainly, this is just one data set of known TTPs, but just 10 groups being associated with about a third of well-known TTPs, it just demonstrates … the breadth of techniques and methods used by these groups,” he says.  

The two main avenues of compromise are social engineering and exploitation of unpatched vulnerabilities, according to Mark Bowling, chief information, security, and risk officer at ExtraHop, a cloud-native cybersecurity solutions company.  

Social engineering conducted via tactics like phishing and smishing can lead to compromised credentials that grant threat actors system access, which can be leveraged for espionage and ransomware attacks.  

Related:Beyond the Election: The Long Cybersecurity Fight vs Bad Actors

Charming Kitten (aka CharmingCypress, Mint Sandstorm, and APT42), for example, leveraged a fake webinar to ensnare its victims, policy experts in the US, Europe, and Middle East.  

Unpatched vulnerabilities, whether directly within an organization’s systems or its larger supply chain, can also be a useful tool for threat actors.  

“They find that vulnerability and if that vulnerability has not been patched quickly, probably within a week, an exploit will be created,” says Bowling. 

The joint advisory listed several CVEs that Iranian cyber actors leverage to gain initial access. Patches are available, but the advisory warns those will not be enough to mitigate the threat if actors have already gained access to vulnerable systems.  

Potential Victims  

Who are the potential targets of ongoing cyber campaigns of Iran-based threat actors? The joint advisory highlighted defense, education, finance, health care, and government as sectors targeted by Iran-based cyber actors.  

“What is … the case with a lot of nation-state-sponsored threat activity right now, it's … targeting a little bit of anyone and everyone,” says Small.  

As the countdown to the presidential election grows shorter, threat actors could be actively carrying out influence campaigns. This kind of activity is not novel. In 2020, two Iranian nationals posed as members of the far-right militant group the Proud Boys as a part of a voter intimidation and influence campaign. Leading up to the 2024 election, we have already seen the hack and leak attack on the Trump campaign.    

Other entities could also fall prey to Iranian threat actor groups looking to spread misinformation or to simply create confusion. “It's possible that they may target government facilities, state or local government, just to add more chaos to this already divided general election,” says JP Castellanos, director of threat intelligence for Binary Defense, a managed detection and response company.  

Vulnerable operational technology (OT) devices have also been in the crosshairs of IRGC-sponsored actors. At the end of 2023, CISA, along with several other government agencies, released an advisory warning of cyber activity targeting OT devices commonly used in water and wastewater systems facilities.  

In 2023, CyberAv3ngers, an IRGC-affiliated group, hacked an Israeli-made Unitronics system at a municipal water authority in Pennsylvania. In the wake of the attack, screens at the facility read: "You Have Been Hacked. Down With Israel, Every Equipment 'Made In Israel' Is CyberAv3ngers Legal Target." 

The water authority booster station was able to switch to manual operations, but the attack serves as an ominous warning.  

“The implications there were pretty clear that something else further could have been done … tampering with the water levels and safety controls, things along those lines,” says Small.  

As the Israel-Hamas war continues, organizations in Israel and allied countries could continue to be targets of attacks associated with Iran.  

The education sector has also seen elevated levels of Iran-based cyber activity, according to Small. For example, Microsoft Threat Intelligence observed Mint Sandstorm crafting phishing lures to target high-profile individuals at research organizations and universities.  

Escalating Threats 

Iran is one of many nation state threat actors actively targeting public and private sector organizations in the US. Russia, North Korea, and China are in the game, too. In addition to politically motivated threat actors, enterprise leaders must contend with criminal groups motivated not by any specific flag but purely by profit.  

“As a cyber defender, how much bandwidth do you have? How many groups can you possibly keep track of? We're always talking about prioritization,” says Small.  

Castellanos points out that Iran is sometimes considered a lower tier threat, but he thinks that is a mistake. “I would strongly recommend to … not treat Iran as something not to worry about,” he warns.  

Enterprise leaders are increasingly pressed to consider geopolitical tensions, the risks their organizations face in that context, and the resources available to mitigate those risks.  

Bowling stresses the importance of investing in talent, processes, and technology in the cybersecurity space.  

“You can have good processes, and you can have good people. But if you don't have the technology that allows you to see the attackers and allows you to respond faster to the attack, then you're not going to be successful,” he says.  

As enterprises continue to combat cyber threats from Iran, as well as other nation states and criminal groups, information sharing remains vital. “That sharing of information [and] intelligence, that's actually what leads to a lot of these alerts being published and then it becomes usable by the rest of the community,” says Small.

About the Author

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights