Hackers With Links to Iran's Government Targeting U.S. With Ransomware Attacks

The Iranian government was linked to hackers who have been targeting a "broad range of victims" in the U.S. with ransomware and other methods, according to an advisory released Wednesday by American, British and Australian officials.

Though public awareness and concern over ransomware attacks has grown in recent months, most of the major attacks have been connected to criminal hacker groups based in Russia rather than hackers from Iran.

The advisory said that when hackers have uncovered computer vulnerabilities in recent months, Iran has taken advantage of those lapses before they can be fixed to target entities in the transportation, health care and public health sectors. On top of deploying ransomware in the hacking operations, the attackers also use data exfiltration and extortion against their targets, officials said.

Companies such as Microsoft have also reported on Iranian ransomware activity. In a blog post published Tuesday, the Microsoft Threat Intelligence Center (MSTIC) said that it has been monitoring "a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran" over the past year.

MSTIC said in the post that it has seen six different Iran-based groups deploying ransomware since last year. One of those groups commonly uses interview requests, fake conference invitations, and fake identities as think tank officials in Washington, D.C. as a cover while trying to establish rapport with their designated targets, the Associated Press reported.

Once they have built rapport, they attempt to target victims with spear-phishing campaigns and can be extremely persistent in their efforts, said MSTIC member James Elliott.

"These guys are the biggest pain in the rear. Every two hours they're sending an email," Elliott said at the Cyberwarcon cybersecurity conference Tuesday.

For more reporting from the Associated Press, see below.

Photo: The Homeland Security Department headquarters are seen in northwest Washington on Feb. 25, 2015. Manuel Balce Ceneta/AP Photo

Earlier this year, Facebook announced it had found Iranian hackers using "sophisticated fake online personas" to build trust with targets and get them to click on malicious links; the hackers often posed as recruiters for defense and aerospace companies.

Researchers at the Crowdstrike cybersecurity firm said they and competitors began seeing this type of Iranian activity last year.

The Iranian ransomware attacks, unlike those sponsored by North Korea's government, are not designed to generate revenue so much as for espionage, to sow disinformation, to harass and embarrass foes—Israel, chief among them—and to essentially wear down their targets, Crowdstrike researchers said at the Cyberwarcon event.

"While these operations will use ransom notes and dedicated leak sites demanding hard cryptocurrency, we're really not seeing any viable effort at actual currency generation," Crowdstrike global threat analysis director Kate Blankenship said.

Crowdstrike considers Iran to be the trendsetter in this novel "low form" of cyberattack, which typically involves paralyzing a network with ransomware, stealing information and then leaking it online. The researchers call the method "lock and leak." It is less visible, less costly and "provides more room for deniability," Blankenship said.

Photo: Attorney General Merrick Garland listens during a news conference over ransomware cyberattacks, at the Department of Justice, in Washington, DC on November 8, 2021. Olivier Douliery/AFP via Getty Images