August 29, 2024 at 04:42AM
Iranian state-sponsored hackers have collaborated with ransomware groups to target US organizations since 2017. In a joint advisory, CISA, the FBI, and DC3 state that the hackers assist these groups by providing network access for data encryption and extortion in exchange for a percentage of the ransom. The hackers are also associated with the Pay2Key attacks, which targeted Israel-based cyber infrastructure.
From the provided meeting notes, it is clear that Iranian state-sponsored hackers are collaborating closely with ransomware groups to gain unauthorized access to the networks of various organizations in the United States and other countries. This collaboration involves providing access for data encryption and extortion, and it includes affiliations with ransomware groups such as NoEscape, RansomHouse, and Alphv/BlackCat.
The threat actors, known as Lemon Sandstorm, have been observed engaging in cyber activities that go beyond ransomware attacks, including computer network exploitation in support of the Government of Iran. Specifically, Lemon Sandstorm was associated with the 2020 Pay2Key attacks, which appeared to be an information operation aimed at undermining the security of Israel-based cyber infrastructure.
Additionally, there is a mention of a suspected Iran-nexus counterintelligence operation targeting Iranians and domestic threats, as well as Iran-linked Peach Sandstorm’s use of a new custom backdoor, as shared by Mandiant and Microsoft, respectively.
The joint advisory from CISA, the FBI, and the Department of Defense Cyber Crime Center (DC3) has shed light on these activities. It is also worth noting that the FBI has previously reported Iranian hackers targeting the WhatsApp accounts of staffers in the Biden and Trump administrations, and has disrupted Iranian hacking activity targeting the US presidential election.
Furthermore, there are references to Iranian hackers’ cyberattacks in Albania and their prolonged presence in a government network.
Overall, these meeting notes highlight the ongoing and multifaceted cyber activities conducted by Iranian state-sponsored hackers, shedding light on their collaboration with ransomware groups and various cyber operations aimed at different targets.