Iran-backed hackers accused of targeting US with ransomware, other cyber threats

Hackers linked to the Iranian government have been targeting a "broad range of victims" inside the United States, including by deploying ransomware, according to an advisory issued Wednesday by American, British and Australian officials.

The advisory says that in recent months, Iran has exploited computer vulnerabilities exposed by hackers before they can be fixed and targeted entities in the transportation, health care and public health sectors. The attackers leveraged the initial hack for additional operations, such as data exfiltration, ransomware and extortion, according to the advisory. The group has used the same Microsoft Exchange vulnerability in Australia, officials say.

The warning is notable because even though ransomware attacks remain prevalent in the U.S., most of the significant ones in the past year have been attributed to Russia-based criminal hacker gangs rather than Iranian hackers.

Government officials aren't the only ones noticing the Iranian activity: Tech giant Microsoft announced Tuesday that it had seen six different groups in Iran deploying ransomware since last year.

Microsoft said one of the groups spends significant time and energy trying to build rapport with their intended victims before targeting them with spear-phishing campaigns. The group uses fake conference invitations or interview requests and frequently masquerade as officials at think tanks in Washington, D.C., as a cover, Microsoft said.

Once rapport is built and a malicious link is sent, the Iranians are extra pushy at trying to get their victims to click on it, said James Elliott, a member of the Microsoft Threat Intelligence Center.

"These guys are the biggest pain in the rear. Every two hours they’re sending an email," Elliott said at the Cyberwarcon cybersecurity conference Tuesday.

Earlier this year Facebook announced it had found Iranian hackers using "sophisticated fake online personas" to build trust with targets and get them to click on malicious links and often posed as recruiters of defense and aerospace companies.

Researchers at the Crowdstrike cybersecurity firm said they and competitors began seeing this type of Iranian activity last year.

The Iranian ransomware attacks, unlike those sponsored by North Korea’s government, are not designed to generate revenue so much as for espionage, to sow disinformation, to harass and embarrass foes — Israel, chief among them —and to essentially wear down their targets, Crowdstrike researchers said at the Cyberwarcon event.

"While these operations will use ransom notes and dedicated leak sites demanding hard cryptocurrency, we’re really not seeing any viable effort at actual currency generation," Crowdstrike global threat analysis director Katie Blankenship said.

Crowdstrike considers Iran to be the trendsetter in this novel "low form" of cyberattack, which typically involves paralyzing a network with ransomware, stealing information and then leaking it online. The researchers call the method "lock and leak." It is less visible, less costly and "provides more room for deniability," Blankenship said.