
Officials warn that hackers linked to Iranian government are targeting critical sectors

The Iranian flag is seen in this June 10, 2021, file photo.

Federal agencies in the United States, United Kingdom and Australia on Wednesday warned that hackers linked to the Iranian government are behind an ongoing campaign targeting critical infrastructure, including hospitals. 

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the U.K.’s National Cyber Security Centre (NCSC) and the Australian Cyber Security Centre (ACSC) outlined the malicious activity in a joint advisory. 

The agencies noted that the hackers had targeted “a broad range of victims across multiple U.S. critical infrastructure sectors” since at least March of this year, often by exploiting vulnerabilities in devices from the cybersecurity company Fortinet and the Microsoft Exchange ProxyShell vulnerabilities to gain access and launch ransomware attacks.

The Iranian-linked advanced persistent threat group (APT) was specifically found to be targeting the U.S. health and transportation sectors, including a hospital specializing in children’s care in July, and to have gone after a domain for a U.S. municipal government in May.

The ACSC has also seen the hackers target victims in Australia. 

“FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors,” the advisory reads. “These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”

The advisory was released the day after Microsoft’s Threat Intelligence Center shared new findings on Iranian hacking activity. Researchers noted that Iranian hackers were “increasingly utilizing ransomware to either collect funds or disrupt their targets,” including through the same targeting of Fortinet vulnerabilities and Microsoft Exchange Servers vulnerable to ProxyShell that the advisory addressed.

CISA in August issued an alert urging organizations to immediately patch ProxyShell vulnerabilities. 

Iran has long been viewed as one of the most high-profile and prolific nation states posing a threat to the U.S. in cyberspace. 

In recent months, Iranian government-linked hackers have gone after medical researchers in the U.S. and Israel, and in October Microsoft released findings indicating that Iran was behind the targeting of U.S. and Israeli defense companies.