[Image: Cloud servers. Source: Microsoft]

What you need to know

  • A joint cybersecurity advisory breaks down a threat group that is believed to be connected to the Iranian government.
  • The group has exploited Microsoft Exchange vulnerabilities since October 2021.
  • The advisory claims that the threat actors are targeting a broad range of victims in several U.S. critical infrastructure sectors.

A joint security advisory claims that an advanced persistent threat (APT) group associated with the Iranian government is threatening multiple victims across U.S. critical infrastructure sectors. The group is said to have exploited a Microsoft Exchange vulnerability since at least October 2021 and a Fortinet vulnerability since at least March 2021. These attacks aim to gain initial access that can then be leveraged for follow-on activity such as data exfiltration or encryption, ransomware, and extortion.

The advisory is the result of a joint effort by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC). All of these bodies assess that the APT group in question is associated with the Iranian government. The ACSC has also determined that the APT group has taken advantage of the same Microsoft Exchange vulnerability in Australia.

The full report breaks down the tactics and techniques used by the APT actors. It also runs through a timeline of the attacks and when they were detected, and suggests mitigation steps to reduce the risk of compromise by the threat.

"The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors," reads the advisory. It also links to an overview of Iranian cyber threats.