Iran Cyber Threat Overview and Advisories
The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment states that Iran remains a major cyber threat: “Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied networks and data. Iran’s opportunistic approach to cyber attacks makes critical infrastructure owners in the United States susceptible to being targeted…”
Recent Iranian state-sponsored activity has included destructive malware and ransomware operations. Keeping software up to date and prioritizing patching of known exploited vulnerabilities is key to strengthening operational resilience against this threat.
CISA and our partners in the U.S. government and around the world provide timely and actionable information about the Iranian state-sponsored cyber threat to help organizations prioritize the most effective cybersecurity measures. As a starting point, organizations should:
- Prioritize mitigation of known exploited vulnerabilities.
- Implement the Cyber Performance Goals, which are a baseline set of broadly applicable cybersecurity practices with known risk-reduction value.
- Urgently report potential malicious activity to CISA or the FBI.
- Sign up to receive CISA’s cybersecurity alerts and advisories for timely notification of emerging campaigns and incidents. Review advisories on Iranian state-sponsored cyber threats outlined in the table below. CISA particularly recommends reviewing the following advisories:
  - IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities
  - Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
  - Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
  - Iranian State Actors Conduct Cyber Operations Against the Government of Albania
  - Protecting Against Malicious Use of Remote Monitoring and Management Software, which outlines steps to help organizations harden networks against malicious use of remote monitoring and management software.
  - Technical Approaches to Uncovering and Remediating Malicious Activity, which outlines steps to help organizations identify intrusions across their enterprise.
- Visit the Industry Alerts section of the FBI’s Iran Threat website for accounts of recent Iranian state-sponsored cybercrimes.
- Sign up for CISA’s free Vulnerability Scanning service to receive alerts when the service identifies vulnerabilities known to be exploited by Iranian state-sponsored cyber actors.
- Establish a relationship with a regional CISA Cybersecurity Advisor to access additional services, assessments, and guidance.
Table 1: CISA and Joint CISA Publications

| Date | Publication |
| --- | --- |
| December 1, 2023 | CISA, FBI, NSA, EPA, and the Israel National Cyber Directorate (INCD) released a CSA to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated APT cyber actors. |
| November 16, 2022 | CISA and FBI released a joint CSA about an incident at an FCEB organization in which Iranian government-sponsored APT actors exploited a Log4Shell vulnerability in an unpatched VMware Horizon server. This advisory includes a MAR on the mining software that the APT actors used against the compromised FCEB network. |
| September 23, 2022 | FBI and CISA released this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September 2022. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. |
| September 14, 2022 | FBI, CISA, NSA, USCC, CNMF, the Treasury, ACSC, CCCS, and the NCSC highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). |
| February 24, 2022 | CISA, FBI, CNMF, NCSC-UK, and NSA released a joint MAR providing detailed analysis of 23 files identified as MuddyWater tools. |
| February 24, 2022 | CISA, FBI, CNMF, NCSC-UK, and NSA released a joint Cybersecurity Advisory highlighting a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors in Asia, Africa, Europe, and North America. |
| November 17, 2021 | CISA, FBI, ACSC, and NCSC released a joint CSA on Iranian government-sponsored APT actors exploiting Microsoft Exchange and Fortinet vulnerabilities to gain initial access in advance of follow-on operations. The Iranian government-sponsored APT actors are actively targeting a broad range of U.S. critical infrastructure sectors as well as Australian organizations. |
| July 20, 2021 | The U.S. Government attributed previously published activity targeting industrial control systems to Iranian nation-state cyber actors. |
| October 30, 2020 | CISA and FBI released a Joint CSA on an Iranian APT actor targeting U.S. state websites, including election websites, to obtain voter registration data. The Advisory provides indicators of compromise (IOCs) and recommended mitigations for affected entities. |
| October 22, 2020 | CISA and FBI released an Advisory warning about Iranian APT actors likely intent on influencing and interfering with the 2020 U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process. |
| September 15, 2020 | CISA and FBI released a Joint CSA on an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. The Advisory analyzes the threat actor’s tactics, techniques, and procedures (TTPs); IOCs; and exploited Common Vulnerabilities and Exposures. |
| | The MAR details the functionality of malicious files, including multiple components of the China Chopper Web Shell, used by Iran-based malicious cyber actors. |
| January 06, 2020 | In light of heightened tensions between the United States and Iran, CISA released an Alert and an “Insights” analysis providing Iranian government and affiliated cyber threat actor TTPs and an overview of Iran’s cyber threat profile, respectively. |