Iran-Based Hackers Target U.S. Sectors, Collaborate with Ransomware Affiliates
- Actor Motivations: Espionage, Exfiltration, Sabotage
- Attack Vectors: Malware, Ransomware, Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
Iran-based cyber actors linked to the Iranian government are compromising organisations across multiple sectors in the US, including education, finance, healthcare, defence, and local government, as well as targets in Israel, Azerbaijan, and the UAE. Since 2017, these actors have focused on gaining and monetising network access, working with ransomware affiliates such as NoEscape, Ransomhouse, and ALPHV (BlackCat). They gain initial access by exploiting vulnerabilities in internet-facing services from vendors such as Check Point, Palo Alto Networks and Citrix, and they use tools such as AnyDesk, PowerShell, Ligolo and NGROK for persistence and command-and-control.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Defense | Verified |
| Sector | Financial | Verified |
| Sector | Government Agencies and Services | Verified |
| Sector | Education | Verified |
| Sector | Healthcare | Verified |
| Region | Azerbaijan | Verified |
| Region | United Arab Emirates | Verified |
| Region | United States | Verified |
Extracted IOCs
- githubapp[.]net
- api.gupdate[.]net
- cloud.sophos[.]one
- fortigate.forticloud[.]online
- login.forticloud[.]online
- 134[.]209.30.220
- 13[.]53.124.246
- 138[.]68.90.19
- 167[.]99.202.130
- 18[.]134.0.66
- 193[.]149.187.41
- 193[.]149.190.248
- 206[.]71.148.78
- 45[.]76.65.42
- 51[.]16.51.81
- 51[.]20.138.134
- 78[.]141.238.182
Tip: 17 IOCs related to this threat have been found (12 IP addresses, 5 domains, 0 URLs, 0 email addresses, 0 file hashes).
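The indicators above are published defanged (`[.]` in place of `.`), so they cannot be dropped straight into a log search. The following script is an added example, not code from the page or from any vendor feed: it refangs the page's own IOC list, splits it into IP and domain sets, and sweeps a handful of constructed proxy/DNS log lines for exact IP matches and exact-or-subdomain matches on the listed domains. The log lines and the `dst=`, `host=` and `query=` field names are assumptions for illustration; adapt the two regexes to your own log format.

```python
import ipaddress
import re

# Indicators exactly as listed on the page (defanged with "[.]").
PAGE_IOCS = [
    "githubapp[.]net",
    "api.gupdate[.]net",
    "cloud.sophos[.]one",
    "fortigate.forticloud[.]online",
    "login.forticloud[.]online",
    "134[.]209.30.220",
    "13[.]53.124.246",
    "138[.]68.90.19",
    "167[.]99.202.130",
    "18[.]134.0.66",
    "193[.]149.187.41",
    "193[.]149.190.248",
    "206[.]71.148.78",
    "45[.]76.65.42",
    "51[.]16.51.81",
    "51[.]20.138.134",
    "78[.]141.238.182",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form for matching."""
    return ioc.replace("[.]", ".").strip().lower()


def split_iocs(iocs):
    """Separate refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value)
    return ips, domains


def domain_matches(host: str, domains):
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


# Constructed sample log lines (assumed proxy/DNS format); not from the page.
SAMPLE_LOGS = [
    "2024-08-28T10:01:02Z proxy src=10.0.0.12 dst=193.149.187.41 host=- action=allow",
    "2024-08-28T10:01:05Z dns client=10.0.0.12 query=login.forticloud.online type=A",
    "2024-08-28T10:02:10Z dns client=10.0.0.40 query=updates.example.com type=A",
    "2024-08-28T10:03:44Z proxy src=10.0.0.40 dst=93.184.216.34 host=example.com action=allow",
    "2024-08-28T10:04:00Z dns client=10.0.0.55 query=cdn.githubapp.net type=A",
]

# Field extractors for the assumed log format.
HOST_RE = re.compile(r"(?:query|host)=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")


def scan_logs(lines, iocs=PAGE_IOCS):
    """Return (line, kind, matched_ioc) tuples for every line touching a listed IOC."""
    ips, domains = split_iocs(iocs)
    hits = []
    for line in lines:
        for m in IP_RE.finditer(line):
            if m.group(1) in ips:
                hits.append((line, "ip", m.group(1)))
        for m in HOST_RE.finditer(line):
            matched = domain_matches(m.group(1), domains)
            if matched:
                hits.append((line, "domain", matched))
    return hits


if __name__ == "__main__":
    for line, kind, ioc in scan_logs(SAMPLE_LOGS):
        print(f"[{kind}] {ioc} <- {line}")
```

Subdomain matching is deliberate: a lookalike such as `cdn.githubapp.net` should still fire on the listed apex `githubapp.net`, whereas a plain substring test would also match unrelated names like `notgithubapp.net`. The IP match is exact; if your feed later includes CIDR ranges, swap the set membership for `ipaddress.ip_network(...).__contains__`.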