Thursday, November 21, 2024

Iran cyber warriors help affiliates deploy ransomware


BENGALURU: The rise of state-sponsored cyber actors poses an unprecedented challenge, especially for nations like the United States, which face threats not only from traditional military conflicts but also from sophisticated cyber operations.

Among the notable players in this realm is the Iranian cyber army, a group whose activities extend beyond espionage to include the commercialisation of access to breached organisations.

The Iranian cyber actors operate under various aliases—Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm—demonstrating their complex and layered operational strategies. Within their networks, they refer to themselves as Br0k3r or “xplfinder,” indicating a focus on trade and negotiation regarding their capabilities.

While initially tasked with espionage, including cyber intrusions targeted at sensitive data from nations like the UAE, Israel and Azerbaijan, the evolution of their operations has led to a disturbing trend: the monetisation of unauthorised access to corporate systems across various sectors.

The Federal Bureau of Investigation (FBI) has issued multiple advisories highlighting this group’s extensive arsenal capable of breaching critical infrastructure, including education, finance, healthcare, and defence organisations.

A striking collaboration

Recent intelligence underscores a striking collaboration between Iranian cyber actors and ransomware affiliates, marking a significant shift in tactics. The FBI identified that these actors are not merely providers of access; they actively engage with malicious entities like NoEscape, Ransomhouse, and ALPHV (commonly known as BlackCat) to facilitate encryption operations.

In this symbiotic relationship, the Iranian actors provide the means to infiltrate organisational networks and, in return, take a share of the ransom payments collected from the victims.

This raises troubling questions about the operational independence of the Iranian cyber army, as the affiliations suggest a structured approach to cybercrime that blends state-sponsored initiatives with commercial cyber extortion.

The nuances of their operations reveal a sophisticated method of obfuscation. While engaged in ransomware activities, these actors do not disclose their Iranian origins, maintaining an air of anonymity that complicates attribution and response.

Their interactions with ransomware affiliates are characterised by intentional vagueness regarding their national identity, reflecting a calculated risk management approach designed to evade detection by both victims and law enforcement agencies.

A critical moment in the evolution of these tactics can be traced back to 2020 during the Pay2Key campaign, a strategic operation aimed at destabilising Israeli cyber infrastructure. Rather than traditional ransomware models, the Iranian cyber actors adopted a hack-and-leak strategy, releasing sensitive information publicly to inflict reputational damage.

Malicious payloads

The approach was coupled with the operation of a leak site hosted on compromised infrastructures, demonstrating how they effectively weaponised stolen data to further their geopolitical aims. Through social media channels, they would taunt victims by tagging them and relevant media outlets, amplifying the impact of their attacks.

The ongoing evolution of Iranian cyber operations has drawn the attention of US cyber authorities, particularly concerning their targeting of various sectors deemed vital to national and economic security.

As of August 2024, their focus includes US-based institutions, municipal governments, financial establishments, and healthcare facilities.

The FBI’s assessment highlights that the group’s activities align with Iranian state interests, emphasising targets that would typically be off-limits to their ransomware partners.

However, Iran’s cyber actors have conveyed specific concerns about government oversight, particularly relating to cryptocurrency transactions associated with their illicit endeavours, suggesting a nuanced understanding of their operational landscape and the geopolitical implications of their actions.

To gain access to victim organisations, the Iranian cyber actors employ a variety of infiltration methods, beginning with the identification of weaknesses in externally exposed services. Their reconnaissance involves scanning for known vulnerabilities and using tools like the Shodan search engine to identify exploitable IP addresses.

Recent efforts have seen them probing for specific vulnerabilities in widely used security gateways and VPNs, demonstrating a persistent intent to exploit enterprise systems.

Layered approach

Once access is gained, their actions are methodical. Iranian actors typically aim to capture sensitive login credentials using web shells, establish illicit accounts within victim networks, and request exemptions from established security policies to ensure persistence within the compromised environment.

The deployment of backdoors and the introduction of malicious payloads represent an all-too-familiar playbook, further complicating incident response efforts for organisations that find themselves targeted.

Command and control operations also reflect their sophistication.

Utilising tools like AnyDesk, PowerShell Web Access, and open-source tunnelling applications such as Ligolo and NGROK, they abuse legitimate software to establish remote connections, thereby facilitating further exploitation of compromised systems. This layered approach not only enhances their operational capabilities but also introduces significant challenges for cybersecurity professionals striving to protect their networks.

The FBI and CISA discovered dozens of IP addresses and bitcoin wallets used by the threat actors. The authorities recommend that all organisations review their logs for any activity involving the listed IP addresses, apply patches for the specific vulnerabilities named, check systems for the unique identifiers used by Tehran’s cyber warriors, including specific usernames, NGROK and Ligolo packages, and webshells in particular directories, and monitor for requests to suspicious domains, among other measures.
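As an added illustration of the defensive checks the advisory recommends (this is not code from the article or from FBI/CISA), the following Python triage script matches log lines against flagged IP addresses, domains and usernames, and flags tunnelling-tool binaries and script files placed in watched web directories. Every indicator value, the `key=value` log format, the watched-directory list and the sample inputs are constructed placeholders; an operator would replace them with the indicators published in the official advisory.

```python
"""Hypothetical triage helper for the advisory's recommended checks.

All indicators below are CONSTRUCTED placeholders (RFC 5737 documentation
addresses, .example domains); substitute the official advisory's values.
"""
import os
import re
from typing import Iterable, List, Tuple

# --- constructed placeholder indicators, not the advisory's real IoCs ---
FLAGGED_IPS = {"203.0.113.10", "198.51.100.25"}
FLAGGED_DOMAINS = {"placeholder-c2.example", "tunnel.example.net"}
FLAGGED_USERNAMES = {"svc_placeholder"}
TUNNEL_TOOL_NAMES = ("ngrok", "ligolo")          # tools named in the article
WEBSHELL_WATCH_DIRS = ("/var/www/html/uploads",  # placeholder directories
                       "C:/inetpub/wwwroot/PLACEHOLDER_DIR")
SCRIPT_EXTS = (".aspx", ".ashx", ".php", ".jsp")

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> dict:
    """Parse a constructed 'key=value key=value' log line into a dict."""
    return dict(KV_RE.findall(line))


def scan_log_line(line: str) -> List[str]:
    """Return the reasons a single log line should be reviewed (empty if none)."""
    fields = parse_kv(line)
    reasons = []
    if fields.get("src") in FLAGGED_IPS or fields.get("dst") in FLAGGED_IPS:
        reasons.append("flagged-ip")
    dst = fields.get("dst", "").lower()
    # exact match or any subdomain of a flagged domain
    if any(dst == d or dst.endswith("." + d) for d in FLAGGED_DOMAINS):
        reasons.append("flagged-domain")
    if fields.get("user") in FLAGGED_USERNAMES:
        reasons.append("flagged-username")
    return reasons


def scan_logs(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """Scan many lines; return (line_number, reasons) for every hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reasons = scan_log_line(line)
        if reasons:
            hits.append((number, reasons))
    return hits


def classify_path(path: str) -> List[str]:
    """Return reasons a file path matches the advisory's file-level checks."""
    norm = path.replace("\\", "/")          # treat Windows and POSIX paths alike
    name = os.path.basename(norm).lower()
    reasons = []
    if any(tool in name for tool in TUNNEL_TOOL_NAMES):
        reasons.append("tunnel-tool")
    in_watched_dir = any(
        norm.lower().startswith(d.lower().rstrip("/") + "/") for d in WEBSHELL_WATCH_DIRS
    )
    if in_watched_dir and name.endswith(SCRIPT_EXTS):
        reasons.append("script-in-watched-webdir")
    return reasons


def classify_paths(paths: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Classify many paths; keep only those with at least one reason."""
    results = []
    for path in paths:
        reasons = classify_path(path)
        if reasons:
            results.append((path, reasons))
    return results


def walk_paths(root: str) -> Iterable[str]:
    """Yield every file path under root, for feeding into classify_paths()."""
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            yield os.path.join(dirpath, filename)


# Constructed sample inputs so the script runs offline.
SAMPLE_LOG = [
    "2024-08-20T10:15:03Z src=203.0.113.10 user=alice dst=intranet.corp.example method=GET path=/",
    "2024-08-20T10:16:11Z src=10.0.0.7 user=svc_placeholder dst=api.tunnel.example.net method=POST path=/connect",
    "2024-08-20T10:17:42Z src=10.0.0.8 user=bob dst=intranet.corp.example method=GET path=/reports",
]
SAMPLE_PATHS = [
    "/var/www/html/uploads/unexpected.php",
    "/var/www/html/index.php",
    "C:\\Users\\Public\\ngrok.exe",
    "/opt/tools/ligolo-agent",
    "/home/user/notes.txt",
]

if __name__ == "__main__":
    for number, reasons in scan_logs(SAMPLE_LOG):
        print(f"log line {number}: {', '.join(reasons)}")
    for path, reasons in classify_paths(SAMPLE_PATHS):
        print(f"{path}: {', '.join(reasons)}")
```

The matching is deliberately conservative: domain checks cover subdomains of a flagged domain, and script files are only flagged inside the directories an operator chose to watch, so ordinary application code elsewhere under the web root does not generate noise. Each hit is returned as data rather than only printed, so the output can be fed to a ticketing system or compared across hosts.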
