U.S. cyber officials and their counterparts in Australia and the U.K. on Wednesday accused Iranian government-sponsored attackers of targeting entities in the health care and transportation sectors with the aim of victimizing them with ransomware.
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the U.K.’s National Cyber Security Centre (NCSC) said attackers sponsored by Iran’s government had exploited cyber vulnerabilities to lay the groundwork for future ransomware attacks.
“The Iranian government-sponsored [Advanced Persistent Threat] actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations,” read a joint cybersecurity advisory from the cyber officials. “FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”
The cyber officials said they witnessed the attackers exploit vulnerabilities in Microsoft Exchange servers and Fortinet devices to gain access to victims’ systems.
For example, the advisory said the Iranian-sponsored attackers accessed networks of a “U.S.-based hospital specializing in healthcare for children” in June 2021.
The U.S. officials and their allies urged people to take a series of actions to mitigate the threats posed by the Iranian attackers, including updating operating systems, implementing network segmentation, using multi-factor authentication and strong passwords, and taking other steps to reduce the risk of email phishing attacks.