Iranian government-linked hackers exploited a vulnerability in federal systems to deploy crypto-mining software and steal sensitive login credentials.

Who was behind the attack?

The attackers are believed to be affiliated with the Iranian government, known for targeting U.S. entities for intelligence and economic disruption purposes.

What was the purpose of the attack?

The goal was twofold: generate cryptocurrency (financial gain) and collect credentials for broader network access.

Was this a targeted or widespread attack?

This was a targeted attack against a specific U.S. federal organization, not a widespread campaign.

How did the attackers gain access?

They exploited a known software flaw called Log4Shell in VMware Horizon, allowing them to run malicious commands remotely.

What tools and methods did they use?

They used PowerShell to disable antivirus, scheduled tasks for persistence, and tools like Mimikatz and Ngrok to harvest credentials and maintain access.

Why were government systems targeted?

Government networks are attractive for the sensitive data they contain and the access they provide to other systems.

What can organizations do to protect themselves?

Patch known vulnerabilities like Log4Shell promptly, monitor for suspicious PowerShell activity, restrict unnecessary account privileges, and audit scheduled tasks.

Is this still an ongoing threat?

While this specific instance may be contained, the tactics used remain a serious and recurring threat vector for many organizations.

Threats Feed|Unknown|Last Updated 21/04/2025|AuthorCertfa Radar|Publish Date17/11/2022

Iranian State-Sponsored Actors Exploit Log4Shell to Target US Government

Actor Motivations: Financial Gain
Attack Vectors: Vulnerability Exploitation,Cryptojacking,Downloader
Attack Complexity: Medium
Threat Risk: Low Impact/High Probability

Threat Overview

In April 2022, Iranian government-sponsored actors exploited the Log4Shell vulnerability in VMware Horizon servers, targeting a Federal Civilian Executive Branch (FCEB) organization. They installed XMRig crypto mining malware and used tools like Mimikatz and Ngrok for credential theft and tunneling. The attack involved disabling Windows Defender, downloading malicious files, hiding artifacts, and creating scheduled tasks for persistence. The campaign highlights advanced tactics in disabling security controls and maintaining persistent access. The targeted sector was the US government.

Reference and Credit: AttackIQ - November 2022

Attack Graph Response to US-CERT Alert (AA22-320A): Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester

Detected Targets

Type	Description	Confidence
Sector	Government Agencies and Services	Verified
Region	United States	Verified

Exploited Vulnerabilities

NIST NVD: CVE-2021-44228

FAQs

Crypto Mining and Credential Theft in Federal Networks

: Iranian government-linked hackers exploited a vulnerability in federal systems to deploy crypto-mining software and steal sensitive login credentials.
: The attackers are believed to be affiliated with the Iranian government, known for targeting U.S. entities for intelligence and economic disruption purposes.
: The goal was twofold: generate cryptocurrency (financial gain) and collect credentials for broader network access.
: This was a targeted attack against a specific U.S. federal organization, not a widespread campaign.
: They exploited a known software flaw called Log4Shell in VMware Horizon, allowing them to run malicious commands remotely.
: They used PowerShell to disable antivirus, scheduled tasks for persistence, and tools like Mimikatz and Ngrok to harvest credentials and maintain access.
: Government networks are attractive for the sensitive data they contain and the access they provide to other systems.
: Patch known vulnerabilities like Log4Shell promptly, monitor for suspicious PowerShell activity, restrict unnecessary account privileges, and audit scheduled tasks.
: While this specific instance may be contained, the tactics used remain a serious and recurring threat vector for many organizations.

About Affiliation

Unknown

Associate threats