US and UK authorities have said Iran is conducting an “ongoing” campaign of ransomware and other cyber attacks on US critical infrastructure and Australian organisations that began in March.
In a joint statement, the FBI and the Cybersecurity and Infrastructure Security Agency together with the UK and Australian cyber security centres said that Iranian government-sponsored hackers had been “actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the transportation sector and the healthcare and public health sector”.
The hackers have been exploiting a bug in software from security group Fortinet, as well as a flaw in Microsoft email software that was first discovered by Chinese hackers, to deploy ransomware, steal data or extort victims, the agencies said.
The Iranian activity included successfully breaching a US municipal government and a US hospital specialising in healthcare for children, in May and June respectively, according to the joint statement.
The use of ransomware by Iran — in which hackers lock up an organisation’s computer systems or data, agreeing to release it only if a ransom is paid — marks a notable shift. Much of the proliferation of ransomware activity to date has been blamed on Russian criminal groups, prompting a recent crackdown by US president Joe Biden’s administration.
Microsoft said in a separate blog post on Tuesday that Iranian nation-state actors were “increasingly utilising ransomware to either collect funds or disrupt their targets” and that they had become “more patient and persistent while engaging with their targets”.
The company said it had identified six Iranian threat groups deploying ransomware in waves every six to eight weeks on average since September last year.
The groups typically used social engineering to trick victims into clicking on malicious links, Microsoft added, with one using fake Google Meet video conference invites and “continuously pestering” victims to click on them. Another group would masquerade as attractive women on social media to build up trust with a target, before sending them malicious files, the company said.
The report comes as the US seeks to re-enter a 2015 multilateral pact that had constrained Iran’s nuclear programme in exchange for sanctions relief. Since Donald Trump withdrew the US from the pact in 2018, Tehran has accelerated its nuclear programme and a UN watchdog said it could have enough nuclear material for a bomb within a few months.
Rob Malley, US special envoy for Iran who is leading the US delegation, is in the Middle East this week to discuss approaches to Iran with US regional allies, including the UAE, Israel, Saudi Arabia and Bahrain. A seventh round of indirect talks with the US is due to take place in Vienna later this month, the first since a hardline government was elected in Iran.
“Iran is quickly ratcheting up its leverage through nuclear advancements, upping the ante in the cyber realm and flexing its muscles in the region ahead of the nuclear talks’ resumption to extract more concessions from the United States,” said Ali Vaez, Iran director at the International Crisis Group. “It’s a multidimensional game of brinkmanship.”
A state department spokesperson said: “We have a range of concerns with Iran, including their cyber attacks. We believe that the best way to address our nuclear concerns is diplomacy and a rapid mutual return to full compliance with the [Joint Comprehensive Plan of Action]. We have other tools to deal with other issues, as today’s action demonstrates.”