Iran-based cyber threat actors have been targeting U.S. and international organizations across various sectors, including healthcare, according to a joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Defense Cyber Crime Center.
The advisory highlights known threat groups such as Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm. These actors have been observed targeting a range of sectors, including education, healthcare, defense, finance, and local government, as well as organizations in countries such as Azerbaijan, the United Arab Emirates, and Israel.
A significant portion of these actors’ operations against U.S. organizations involves gaining network access and subsequently collaborating with ransomware affiliates to deploy ransomware. The advisory notes that these actors offer full domain control and admin credentials to networks globally. Recently, they have been working directly with ransomware groups to facilitate encryption and share a percentage of ransom payments.
The FBI has identified collaborations between these threat actors and ransomware affiliates such as NoEscape, RansomHouse, and ALPHV. Despite their association with the Iranian government, these groups typically obscure their Iranian origins and provide vague details about their nationality when working with ransomware affiliates.
Tracking of these Iranian cyber threat actors dates back to 2017, with recent activities documented up to August 2024. The advisory draws parallels with a September 2020 alert about Iran-backed hackers exploiting VPN vulnerabilities, based on previous FBI investigations.
The advisory provides technical insights into the threat actors’ methods, including their use of public-facing network devices such as Citrix NetScaler for initial access. To mitigate risks, the FBI and CISA recommend that organizations prioritize patching the vulnerabilities tracked as CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519.
Organizations are also advised to review security controls, examine logs, and search for unique identifiers and indicators of compromise. If organizations suspect they have been targeted by these Iranian cyber threat actors, they should contact their local FBI field office for assistance.