Islamic Revolutionary Guard Corps Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
WASHINGTON - The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), U.S. Cyber Command Cyber National Mission Force (CNMF), the U.S. Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC) today released a joint Cybersecurity Advisory (CSA) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).
This CSA, titled, “Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations,” provides actionable information regarding IRGC exploitation of VMware Horizon® Log4j vulnerabilities for initial access and ongoing use of known Fortinet® and Microsoft Exchange® vulnerabilities. After gaining access to a network, these actors likely determine a course of action based on their perceived value of the data, including data encryption or exfiltration for ransom operations.
“Today’s advisory is an outcome of our close collaboration with international and U.S. government partners to understand and provide timely information on malicious cyber activity targeting our country’s critical networks, including by Iranian cyber actors,” said Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA. “Our unified purpose is to drive timely and prioritized adoption of mitigations and controls that are most effective in reducing risk to all cyber threats, including malicious actors like those affiliated with the Iranian Islamic Revolutionary Guard Corps. Immediately addressing the vulnerabilities in this advisory, which are also in CISA’s known exploited vulnerabilities catalog, and deploying rigorous controls consistent with a zero-trust strategy is strongly recommended.”
“The FBI is dedicated to preventing and disrupting nation state affiliated cyber activity that threatens our private sector partners and the American public,” said Bryan Vorndran, FBI Cyber Division Assistant Director. “We will continue to coordinate with our domestic and international partners to proactively share relevant and timely information to mitigate cyber threats posed by the IRGC, and we are confident this advisory will assist individuals and businesses in developing a plan to protect their systems and shore up network defenses. In the event victims do suffer an intrusion, we encourage them to report the compromise as early as possible to their local FBI field office or to the Internet Crime Complaint Center at www.ic3.gov.”
“This advisory points to specific instances in which IRGC-affiliated cyber actors have used publicly known vulnerabilities to gain access to U.S. critical infrastructure networks,” said David Luber, Deputy Cybersecurity Director, NSA. “We implore our net defenders and our partners to detect and mitigate this threat before your organization is the next ransomware victim.”
“The U.S. Department of the Treasury is dedicated to collaborating with other U.S. government agencies, allies, and partners to combat and deter malicious cyber-enabled actors and their activities, especially ransomware and cybercrime that targets economic infrastructure,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “This advisory identifies specific tactics, techniques, and procedures of a group of IRGC-affiliated actors who threaten the security and economy of the United States and other nations, and provides valuable information to the public and private sectors which can strengthen their cybersecurity resilience and reduce risk of ransomware incidents.”
“Cyber National Mission Force works closely with our partners to disrupt and degrade foreign malicious cyber activity, sharing threat information and taking actions to defend the Nation,” said U.S. Army Maj. Gen. William J. Hartman, commander of Cyber National Mission Force, USCC. “This multi-partner advisory highlights how Iranian cyber actors are exploiting vulnerabilities, targeting a broad range of entities including U.S. and partner critical infrastructure, and using accesses for ransom operations. When acted on, collaborative efforts like this advisory contribute to collective defenses around the world, and remove tools from those who would do us harm.”
“Ransomware remains a persistent threat. Every day, cyber threat actors—state and criminal—are seizing opportunities to exploit vulnerabilities and deliver ransomware against a growing array of targets,” said Sami Khoury, Head of the Canadian Centre for Cyber Security. “We strongly encourage network defenders, especially critical infrastructure partners, to read this advisory and implement these guidelines.”
“Based on the latest intelligence across the Five Eyes, this advisory again underscores that organisations of all sizes continue to be targeted by capable and increasingly sophisticated adversaries. It’s absolutely critical that organisations strengthen their cyber defences by reviewing these protective measures and implementing them immediately,” said Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre. “In particular, I urge organisations to patch their systems against a number of already known critical vulnerabilities.”
This CSA identifies additional malicious and legitimate tools that are likely being used by these actors as well as tactics, techniques, and procedures, and additional indicators of compromise (IOCs) observed as recently as March 2022 that can be used to detect this latest malicious activity. Also, it is an update to the 2021 joint CSA on Iranian government-sponsored APT actors exploiting Microsoft Exchange and Fortinet vulnerabilities and now assesses this APT group to be affiliated with the IRGC, an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. For more information on state-sponsored Iranian malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage.
Organizations are strongly discouraged from paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks. In September 2021, Treasury issued an advisory highlighting the sanctions risk associated with ransomware payments and providing steps that can be taken by companies to mitigate the risk of being a victim of ransomware.
All organizations should share information on cybersecurity incidents and anomalous activity with the CISA 24/7 Operations Center at email@example.com or (888) 282-0870 and/or with the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
As the nation’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day. Visit CISA.gov for more information.