Iran-backed hackers exploited Microsoft, pose major cyber threat, investigators say

Law enforcement agencies in the U.S., Britain, and Australia have issued a joint statement labeling an Iran-sponsored group as a serious threat to cyber security. 

The Cybersecurity and Infrastructure Security Agency (CISA), FBI, Australian Cyber Security Center (ACSC), and British National Cyber Security Center (NCSC) released a joint cybersecurity advisory Wednesday that linked a group of hackers to the Iranian government. 

The agencies also labeled the group an advanced persistent threat (APT) after it exploited Fortinet and Microsoft Exchange in March and October, respectively. The group gained access to the systems as part of an ongoing operation to deploy ransomware. 

Ebrahim Raisi, the president of Iran since Aug. 3, 2021.

Ebrahim Raisi, the president of Iran since Aug. 3, 2021.

The advisory notes the group has actively targeted “a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Heath Sector, as well as Australian organizations.” 

FBI AWARE OF AND INVESTIGATING FAKE FBI EMAILS SENT TO THOUSANDS

Authorities did not name the Iranian actors or tie them to a specific group working for the government. 

Cybersecurity agencies in all three countries urged any organization using Microsoft Exchange and Fortinet to investigate any suspicious activity in their networks. 

The U.S. has identified a number of foreign ransomware attacks over the past two years, most notably the Ryuk and Darkside groups, which authorities tied to Russia, but not to the Russian government. 

Russian President Vladimir Putin speaks during a meeting with hight level officers and heads of defense industry enterprises in the Bocharov Ruchei residence in the Black Sea resort of Sochi, Russia, Monday, Nov. 1, 2021. Russian President Vladimir Putin on Monday emphasized the need to strengthen the country's air defenses in the face of NATO's moves. 

Russian President Vladimir Putin speaks during a meeting with hight level officers and heads of defense industry enterprises in the Bocharov Ruchei residence in the Black Sea resort of Sochi, Russia, Monday, Nov. 1, 2021. Russian President Vladimir Putin on Monday emphasized the need to strengthen the country’s air defenses in the face of NATO’s moves. 
(Evgeniy Paulin, Sputnik, Kremlin Pool Photo via AP)

US AUTHORITIES SEEK EXTRADITION OF RUSSIAN FOR ALLEGED RANSOMEWARE MONEY LAUNDERING OPERATION

Ryuk orchestrated a number of attacks on U.S. health care organizations and facilities during the peak of the coronavirus pandemic, delaying potentially life-saving treatments for patients, according to Radio Free Europe. 

U.S. authorities tied Darkside to the Colonial Pipeline ransomware attack that occurred in May 2021. 

Earlier this year, the Biden administration imposed sanctions on Russia for the SolarWinds computer hack, which began in 2020 when malicious code was sneaked into updates to popular software that monitors computer networks of businesses and governments. 

MICROSOFT SAYS RUSSIAN GROUP BEHIND SOLARWINDS ATTACK NOW TARGETING IT SUPPLY CHAIN

The malware, affecting a product made by the American-based SolarWinds company, gave elite hackers remote access into an organization’s networks so they could steal information.

Officials said the president established a U.S.-Russia experts group for the U.S. to engage “directly” on the issue of ransomware.

UNITED STATES - MAY 13: The Capitol Hill Exxon station ran out of low and medium grade gasolines on Thursday, May 13, 2021, following the shutdown of the Colonial fuel pipeline by hackers. (Photo by Bill Clark/CQ-Roll Call, Inc via Getty Images)

UNITED STATES – MAY 13: The Capitol Hill Exxon station ran out of low and medium grade gasolines on Thursday, May 13, 2021, following the shutdown of the Colonial fuel pipeline by hackers. (Photo by Bill Clark/CQ-Roll Call, Inc via Getty Images)

CLICK HERE TO GET THE FOX NEWS APP

“We do look to the Russian government to address ransomware criminal activity coming from actors within Russia,” an official said, adding that the Biden administration has “also shared information with Russia regarding criminal ransomware activity being conducted from its territory.”

In June 2021, Biden said he gave Russian President Vladimir Putin a list of U.S. assets and infrastructure that Russian hackers should avoid attacking. That move was widely panned as a “green light” for Russian hackers to go after other American targets. 

Fox News’ Brooke Singman contributed to this report. 

Leave a Reply