Over the past three months, authorities have issued warnings about connections between various Iranian threat groups and several significant cybersecurity incidents, including multiple ransomware attacks and a sophisticated social-engineering scheme targeting various groups and individuals.
While not at the same level as Russia and China, Iran’s cyber capabilities have increased and improved over the years. Threat groups associated with the country’s government have demonstrated the ability to conduct destructive operations as well as cyber-espionage campaigns.
Since July, Iranian cyber groups have been linked to several significant cybersecurity incidents, including:
- A large-scale ransomware attack first detected in July targeted infrastructure within Albania’s government, which led the country (a NATO member) to cut diplomatic ties with Iran. On Sept. 21, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency issued a joint statement attributing the attack to a group linked to Iran’s government, noting the incident involved “a ransomware-style file encryptor and disk wiping malware.”
- In September, the U.S. Attorney’s Office in New Jersey unsealed an indictment that charged three Iranian nationals with attacking “hundreds” of networks inside and outside the U.S., including health care organizations and government entities and trying to extort victims using ransomware.
- Also in September, security firm Proofpoint detailed a sophisticated social-engineering campaign allegedly tied to Iran’s Revolutionary Guard Corps. In this case, attackers spoofed email addresses associated with legitimate organizations, targeting individuals in order to gather intelligence on a range of topics, including nuclear arms control.
In the case of social-engineering campaigns, researchers concluded the operation is tied to an Iranian state-sponsored threat actor that the company calls TA453, which is also known by the names Charming Kitten or APT42. What made this campaign unusual is that the spear-phishing emails used multiple fake personas to help make the message seem more legitimate.
This type of campaign shows Iran is deploying even more complex and intricate techniques to help disguise its motivations, said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.