Iran Cyber Threat Overview and Advisories

The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment states that Iran remains a major cyber threat: “Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied networks and data. Iran’s opportunistic approach to cyber attacks makes critical infrastructure owners in the United States susceptible to being targeted…”

Recent Iranian state-sponsored activity has included destructive malware and ransomware operations. Keeping software up to date and prioritizing patching of known exploited vulnerabilities is key to strengthening operational resilience against this threat.

CISA and our partners in the U.S. government and around the world provide timely and actionable information about the Iranian state-sponsored cyber threat to help organizations prioritize the most effective cybersecurity measures. As a starting point, organizations should:

Prioritize mitigation of known exploited vulnerabilities.
Implement the Cyber Performance Goals, which are a baseline set of broadly applicable cybersecurity practices with known risk-reduction value.  
Urgently report potential malicious activity to CISA or the FBI:
- The easiest way is to go to CISA.gov and click the “report a cyber issue” button right up top.
- You can also contact CISA’s 24/7 Operations Center: cisa.gov/report | report@cisa.gov | 888-282-0870
- Contact your local FBI field office or IC3.gov.
Sign up to receive CISA’s cybersecurity alerts and advisories for timely notification of emerging campaigns and incidents. Review advisories on Iranian state-sponsored cyber threats outlined in the table below. CISA particularly recommends reviewing the following advisories:
- Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
- Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
- Iranian State Actors Conduct Cyber Operations Against the Government of Albania
- Protecting Against Malicious Use of Remote Monitoring and Management Software, which outlines steps to help organizations harden networks against malicious use of remote monitoring and management software.
- Technical Approaches to Uncovering and Remediating Malicious Activity, which outlines steps to help organizations identify intrusions across their enterprise.
Visit the Industry Alerts section of the FBI’s Iran Threat website for accounts of recent Iranian state-sponsored cybercrimes.
Sign up for CISA’s free Vulnerability Scanning service to receive alerts when the service identifies vulnerabilities known to be exploited by Iranian state-sponsored cyber actors.
Establish a relationship with a regional CISA Cybersecurity Advisor to access additional services, assessments, and guidance.

Table 1: CISA and Joint CISA Publications

Publication Date	Title	Description
November 16, 2022	Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester MAR 10387061-1.v1 XMRig Cryptocurrency Mining Software	CISA and FBI released a joint CSA about an incident at an FCEB organization in which Iranian government-sponsored APT actors exploited a Log4Shell vulnerability in an unpatched VMware Horizon server. This advisory includes a MAR on the mining software that the APT actors used against the compromised FCEB network.
September 23, 2022	Iranian State Actors Conduct Cyber Operations Against the Government of Albania	FBI and CISA have released this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September, 2022. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks.
September 14, 2022	Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations	FBI, CISA, NSA, USCC, CNMF, the Treasury, ACSC, CCCS, and the NCSC highlights continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).
February 24, 2022	CISA, FBI, CNMF, NCSC-UK, NSA Malware Analysis Report: MAR–10369127–1.v1 – MuddyWater	CISA, FBI, FNMF, NCSC-UK, and NSA have released a joint MAR providing detailed analysis of 23 files identified as MuddyWater tools.
February 24, 2022	CISA-FBI-CNMF-NCSC-UK-NSA Joint Cybersecurity Advisory: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks	CISA, FBI, CNMF, NCSC-UK, and NSA have released a joint Cybersecurity Advisory highlighting a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors in Asia, Africa, Europe, and North America.
November 17, 2021	CISA-FBI-ACSC-NCSC Joint Cybersecurity Advisory: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities	CISA, FBI, ACSC, and NCSC have released a joint CSA on Iranian government-sponsored APT actors exploiting Microsoft Exchange and Fortinet vulnerabilities to gain initial access in advance of follow-on operations. The Iranian government-sponsored APT actors are actively targeting a broad range of multiple U.S. critical infrastructure sectors as well as Australian organizations.
July 20, 2021	JSAR-12-241-01B: Shamoon/DistTrack Malware (Update B)	U.S. Government attributed previously published activity targeting industrial control systems to Iranian nation-state cyber actors.
October 30, 2020	CISA and FBI Joint Cybersecurity Advisory: Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data	CISA and FBI released a Joint CSA on an Iranian APT actor targeting U.S. state websites, including elections websites, to obtain voter registration data. The Advisory provides indicators of compromise (IOCs) and recommended mitigations for affected entities.
October 22, 2020	CISA-FBI Joint Cybersecurity Advisory: Iranian Advanced Persistent Threat Actors Threaten Election-Related System	CISA and FBI released an Advisory warning about Iranian APT actors likely intent on influencing and interfering with the 2020 U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.
September 15, 2020	CISA-FBI Joint Cybersecurity Advisory: Iran-Based Threat Actor Exploits VPN Vulnerabilities MAR-10297887-1.v2 – Iranian Web Shells	CISA and FBI released a Joint CSA on an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. The Advisory analyzes the threat actor’s tactics, techniques, and procedures (TTPs); IOCs; and exploited Common Vulnerabilities and Exposures. The MAR details the functionality of malicious files—including multiple components of the China Chopper Web Shell—used by Iranian-based malicious cyber actors.
January 06, 2020	CISA Alert: Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad CISA Insights: Increased Geopolitical Tensions and Threats	In light of heightened tensions between the United States and Iran, CISA released an Alert and an “Insights” analysis providing Iranian government and affiliated cyber threat actor TTPs and an overview of Iran’s cyber threat profile, respectively.