Cyberattacks on US Education, Finance, Health Care, and Defense Assets Coming From Iran: US Intelligence

By Jen Krausz
August 28, 2024, US News
The Iranian flag is seen flying over a street in Tehran, Iran, on Feb. 3, 2023. (Majid Asgaripour/West Asia News Agency via Reuters)

Cyber actors from Iran increased their attacks on U.S. education, finance, health care, and defense assets in August, according to an Aug. 28 Joint Cybersecurity Advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense (DOD) Cyber Crime Center.

The attacks deploy ransomware that holds computer networks hostage, and the compromised systems are also exploited to steal private and proprietary information.

The Iranian cyber actors are connected to and acting on behalf of the government of Iran (GOI), and their operations are carried out with the help of affiliate actors who are not connected to the GOI, according to the FBI.

Some of the attacks were allegedly intended to raise funds from the affected organizations and to steal information that could enable further ransomware attacks or advance GOI priorities.

A group known in the private sector under the names Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm has targeted schools, local governments, financial institutions, and health care facilities.

“BrOk3r” and “xplfinder” are other names the group has given itself.

The actors do not identify themselves as Iranian and are deliberately vague about their origin when they interact with other cyber attackers and with their victims, according to the FBI.

They operate under the Iranian company Danesh Novin Sahand and use the business as a cover for their illegal actions, the report states.

CISA recommends that cybersecurity professionals review the report and implement its recommendations, including applying the specific patches it lists to close the vulnerabilities the actors use to compromise systems.

The more recent attacks are similar to those described in the CISA advisory “Iran-Based Threat Actor Exploits VPN Vulnerabilities,” released in September 2020.

Some of the actors have been targeting U.S. and foreign organizations since 2017, the new report stated.

The report also describes indicators that IT professionals can use to tell when a network has been compromised.

CISA also has concerns about the potential that Iran could make efforts to target the Nov. 5 elections.

The Office of the Director of National Intelligence’s 2024 Annual Threat Assessment reads, “Ahead of the U.S. election in 2024, Iran may attempt to conduct influence operations aimed at U.S. interests, including targeting U.S. elections, having demonstrated a willingness and capability to do so in the past.”

Some of these concerns are based on Iran’s actions during the 2020 elections.

“During the U.S. election cycle in 2020, Iranian cyber actors obtained or attempted to obtain U.S. voter information, sent threatening emails to voters, and disseminated disinformation about the election,” the assessment continued.

The assessment also warned that these Iranian actors could target this year's elections with new techniques they have developed since 2020.

“The same Iranian actors have evolved their activities and developed a new set of techniques, combining cyber and influence capabilities, that Iran could deploy during the U.S. election cycle in 2024,” it concluded.

Multifactor authentication is one way to blunt attacks that rely on stolen or guessed passwords, because a password alone is no longer enough to log in.

CISA’s Iran Cyber Threat Overview also recommends using strong, unique passwords rather than reusing the same password across multiple accounts or choosing a familiar and obvious value such as “password” or “12345678.”

A more advanced step is to check programmable logic controllers (PLCs) for default passwords, which are easy to guess, and to change them.

There have been no known large-scale cyberattacks by Iran, but many lower-level attacks have hit their marks in recent years.