SecurityWeek

US Sees Iranian Hackers Working Closely With Ransomware Groups

Iranian state-sponsored APT Lemon Sandstorm is working closely with ransomware groups on monetizing network intrusions.


Iranian state-sponsored hackers are working closely with ransomware groups on monetizing unauthorized access to the networks of organizations in the United States and elsewhere, the US government says.

Following the compromise of organizations in the defense, education, finance, government, and healthcare sectors, the hackers, operating on behalf of the Iranian government, provide ransomware groups with access to the victims’ networks to facilitate data encryption and extortion.

“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims,” CISA, the FBI, and the Department of Defense Cyber Crime Center (DC3) note in a joint advisory (PDF).

Without disclosing their Iran-based location to their contacts, these threat actors are collaborating directly with ransomware affiliates to deploy file-encrypting malware and receive a percentage of the ransom payments.

Targeting US-based organizations since at least 2017, the threat actors call themselves Br0k3r and Xplfinder. The cybersecurity community tracks the cluster of activity as Lemon Sandstorm, Fox Kitten, Parisite, Pioneer Kitten, Rubidium, and UNC757.

The advanced persistent threat (APT) actor has been observed compromising the networks of financial institutions, municipal governments, schools, and healthcare facilities in the US, while also targeting organizations in Azerbaijan, Israel, and the United Arab Emirates.

According to CISA, the FBI, and DC3, Lemon Sandstorm has been observed collaborating with ransomware groups such as NoEscape, RansomHouse, and Alphv/BlackCat.

“The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan),” the joint advisory reads.


According to the FBI, Lemon Sandstorm was also responsible for the 2020 Pay2Key attacks, in which the threat actor compromised organizations, stole their data, and then named victims on a Tor-based leaks site, in an apparent attempt to influence them into paying a ransom.

“The FBI does not believe the objective of Pay2Key was to obtain ransom payments. Rather, the FBI assesses Pay2Key was an information operation aimed at undermining the security of Israel-based cyber infrastructure,” the advisory reads.

The US government’s joint advisory came out the same day that Mandiant published a report on a suspected Iran-nexus counterintelligence operation targeting Iranians and domestic threats, and Microsoft shared details on Iran-linked Peach Sandstorm’s use of a new custom backdoor.

Related: Iranian Hackers Targeted WhatsApp Accounts of Staffers in Biden, Trump Administrations, Meta Says

Related: Google Disrupts Iranian Hacking Activity Targeting US Presidential Election

Related: Albanian Authorities Accuse Iranian-Backed Hackers of Cyberattack on Institute of Statistics

Related: Iranian Hackers Lurked for 8 Months in Government Network

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
