US Sees Iranian Hackers Working Closely With Ransomware Groups


Iranian state-sponsored hackers are working closely with ransomware groups on monetizing unauthorized access to the networks of organizations in the United States and elsewhere, the US government says.

Following the compromise of organizations in the defense, education, finance, government, and healthcare sectors, the hackers, operating on behalf of the Iranian government, provide ransomware groups with access to the victims’ networks to facilitate data encryption and extortion.

“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims,” CISA, the FBI, and the Department of Defense Cyber Crime Center (DC3) note in a joint advisory (PDF).

Without revealing to their contacts that they operate from Iran, these threat actors collaborate directly with ransomware affiliates to deploy file-encrypting malware, and they receive a percentage of the resulting ransom payments.

The threat actors, who have targeted US-based organizations since at least 2017, use the handles Br0k3r and Xplfinder. The broader security community tracks this activity cluster as Lemon Sandstorm, Fox Kitten, Parisite, Pioneer Kitten, Rubidium, and UNC757.

The advanced persistent threat (APT) actor has been observed compromising the networks of financial institutions, municipal governments, schools, and healthcare facilities in the US, while also targeting organizations in Azerbaijan, Israel, and the United Arab Emirates.

According to CISA, the FBI, and DC3, Lemon Sandstorm has been observed collaborating with ransomware groups including NoEscape, RansomHouse, and Alphv (also known as BlackCat).

“The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan),” the joint advisory reads.


The FBI also attributes the 2020 Pay2Key attacks to Lemon Sandstorm. In that campaign the threat actor compromised organizations, stole their data, and then named the victims on a Tor-based leak site, ostensibly to pressure them into paying a ransom.

“The FBI does not believe the objective of Pay2Key was to obtain ransom payments. Rather, the FBI assesses Pay2Key was an information operation aimed at undermining the security of Israel-based cyber infrastructure,” the advisory reads.

The US government’s joint advisory came out the same day that Mandiant published a report on a suspected Iran-nexus counterintelligence operation targeting Iranians and domestic threats, and Microsoft shared details on Iran-linked Peach Sandstorm’s use of a new custom backdoor.

Related: Iranian Hackers Targeted WhatsApp Accounts of Staffers in Biden, Trump Administrations, Meta Says

Related: Google Disrupts Iranian Hacking Activity Targeting US Presidential Election

Related: Albanian Authorities Accuse Iranian-Backed Hackers of Cyberattack on Institute of Statistics

Related: Iranian Hackers Lurked for 8 Months in Government Network
