The United States government, in partnership with cyber authorities from Australia, Canada, and the U.K., have sanctioned 10 individuals and two entities associated with Iran's Islamic Revolutionary Guard Corps (IRGC) for their participation in malicious cyber activity, including ransomware.
The group of threat actors has been observed exploiting known vulnerabilities in Fortinet FortiOS and Microsoft Exchange servers since early 2021 to gain access to a wide range of targeted entities. They have also been known to exploit VMware Horizon Log4j vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) describes the IRGC's actions in the last few years:
- "In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) on a Microsoft Exchange server to gain access to the network of a U.S. police department. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom."
- "In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), on a Microsoft Exchange server to gain access to the network of a U.S. regional transportation company. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom. This activity disrupted the transportation company's operations for an extended period."
- "In February 2022, the actors exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105) in a VMware Horizon application to gain access to the network of a U.S. municipal government, move laterally within the network, establish persistent access, initiate crypto-mining operations, and conduct additional malicious activity."
- "In February 2022, the actors may have exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021) to gain access to the network of a U.S. aerospace company. The actors leveraged a server that the authoring agencies assess is associated with the IRGC-affiliated actors to exfiltrate data from the company's network."
Brian E. Nelson, Under Secretary for Terrorism and Financial Intelligence at the U.S. Department of the Treasury, discussed the sanctions:
"Ransomware actors and other cybercriminals, regardless of their national origin or base of operations, have targeted businesses and critical infrastructure across the board—directly threatening the physical security and economy of the United States and other nations. We will continue to take coordination action with our global partners to combat and deter ransomware threats, including those associated with the IRGC."
So, what exactly does it look like when you are sanctioned by the U.S. government? In short, not good.
The U.S. Treasury says that as a result of these sanctions, "all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC." Any entities owned, directly or indirectly, by 50% or more are now blocked. All transactions by individuals within the U.S. that involve any property or interests of the threat actors is prohibited. And financial institutions are no longer allowed engage in transactions with those sanctioned.
It would probably be a pretty weird feeling to wake up in the morning and find out you've been sanctioned by the U.S. government.
Mitigating Iranian cyber actors
CISA has provided a detailed list of ways to mitigate malicious cyber activity. The mitigation techniques include the following:
- Implement and Enforce Backup and Restoration Policies and Procedures
- Patch and Update Systems
- Evaluate and Update Blocklists and Allowlists
- Implement Network Segmentation
- Secure User Accounts
- Implement Multifactor Authentication
- Use Strong Passwords
- Secure and Monitor RDP and other Potentially Risky Services
- Use Antivirus Programs
- Secure Remote Access
CISA provides a ton of additional information in its Cybersecurity Advisory on Iranian cyber actors, including technical details, methods for detection, and many more resources.
Something else to note: Last week, the Albanian government severed diplomatic relations with Iran after a cyberattack in July targeted the country's digital infrastructure and public services.
The White House said that the U.S. "strongly condemns" the cyberattack against Albania, and that it would be taking further action to hold those responsible accountable. But it is unclear if the sanctions announced today are connected to the Albania incident.
Follow SecureWorld News for more cybersecurity coverage.