Iran-backed Hackers Target Key US Sector

Hackers with connections to the Iranian government are targeting 'various victims' within the United States (US), in some cases by deploying ransomware, according to a joint advisory from US, UK and Australian government agencies.

Ummatimes - On Thursday, the agencies said that in recent months the Iranian-backed hackers had exploited publicly disclosed vulnerabilities in systems that had not yet been patched. The activity is said to have targeted key entities in the transport and healthcare and public health sectors. The hackers use the initial access for follow-on operations such as data exfiltration, ransomware deployment and extortion.

The advisory said that in Australia the hackers exploited a vulnerability in Microsoft Exchange. The warning is notable because, although ransomware attacks are common in the US, most recent attacks have been linked to criminal groups based in Russia rather than to Iranian hackers.

Governments are not the only ones aware of the activities of Iranian hackers. On Tuesday (16/11) the tech giant Microsoft also announced that since last year it had been monitoring six different Iranian groups that deploy ransomware.

Microsoft says one group spends considerable time and effort building relationships with victims before attacking them with spear-phishing. The group uses invitations to interviews and meetings and often poses as senior officials at Washington think tanks.

James Elliot of the Microsoft Threat Intelligence Center said that once the Iranian hackers have established a relationship with a victim, they send a link and press the victim to click on it. "These people are the most troublesome these days, every two hours they send an email," Elliot said at the Cyberwarcon cybersecurity conference last Tuesday.

Earlier this year Facebook announced that Iranian hackers were using a "fake online personality dazzle" to build trust with victims until the victim clicks on the link the hacker sends. They usually pose as job recruiters from defense and aerospace companies.

Cybersecurity firm Crowdstrike said it and other companies had been tracking this type of Iranian activity since last year. Iran's ransomware attacks differ from the North Korean government's in that they are not designed to generate as much revenue as possible. Crowdstrike researchers say the attacks are carried out to spy, leak information, harass and humiliate adversaries such as Israel, and ultimately to weaken their targets.

"While these operations will use ransom notes and leak solicitation of cryptocurrencies, we don't see any genuine effort to produce the actual currency," said Crowdstrike director of global threat analysis Katie Blankenship.

Crowdstrike credits Iran with originating this trend of 'low-level' cyberattacks, which typically cripple networks with ransomware, steal information and leak it on the internet. Researchers call it the lock-and-leak method.

Blankenship says these attacks are less visible and inexpensive. "(And) make room for denial," she added.