FBI Cyber Most Wanted: Iranian Threat Actors
The Federal Bureau of Investigation’s (FBI) Most Wanted list has grown to include a long list of criminal hackers and nation-state threat actors from around the world. Among the newest bad actors to appear on the “Cyber’s Most Wanted” page are Iranian nationals Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nickaein Ravari. A United States federal grand jury indicted the trio in August 2022, and they are still at large.
Ransomware Crime Spree
The U.S. Department of Justice (DOJ) says these cyber actors targeted a wide range of organizations located in the United States, the United Kingdom, Israel, and elsewhere — even inside Iran.
They are accused of ransomware attacks against small businesses, government agencies, nonprofits, and educational and religious institutions. Victims also included multiple critical infrastructure sectors, including healthcare centers, transportation services, and utility providers.
According to court documents, the trio and their compatriots gained unauthorized network access, exfiltrated and encrypted victims' data, and then extorted hundreds of victims, including:
- Accounting firms in Illinois and New Jersey
- A township in New Jersey
- A public housing corporation in the State of Washington
- A Pennsylvania shelter for domestic violence victims
- Regional electric utility companies in Mississippi and Indiana
- A Wyoming county government
- A construction company located in the State of Washington working on critical infrastructure projects
- A state bar association
Ties to State-Sponsored APT Group
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) identified these three as affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). The IRGC-affiliated group has been linked to attacks that deploy malware for financial gain as well as for intelligence collection.
Threat Actor Objectives
The FBI, Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and National Cyber Security Centre (NCSC) assess that the actors focus on exploiting known vulnerabilities rather than targeting specific sectors. Once inside, the state-affiliated actors can use that access for follow-on operations such as data exfiltration, encryption, ransomware, and extortion, in support of espionage, disruption, and financial gain. Tools and malware observed in these operations include:
- BitLocker for encryption
- Custom PowerShell scripts
- TunnelFish malware, a Fast Reverse Proxy (FRP) client variant used to gain initial access
- DiskCryptor for encryption
- Mimikatz for credential theft
- WinPEAS for privilege escalation
- SharpWMI (Windows Management Instrumentation)
- WinRAR for archiving collected data
- FileZilla for transferring files
Threat Actor Activities
Activities observed by the FBI and CISA include:
- March 2021: The group scanned ports 4443, 8443, and 10443 for devices vulnerable to Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
- May 2021: The group exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government.
- June 2021: The group exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. FBI and CISA assess that the APT actors likely used a command-and-control (C2) server assigned to IP addresses associated with Iranian government cyber activity to further enable malicious activity against the hospital’s network.
- September and October 2021: The actors leveraged a Microsoft Exchange ProxyShell vulnerability (CVE-2021-34473) as well as a Log4j vulnerability to gain initial access to systems and deploy TunnelFish in advance of follow-on operations.
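The March 2021 activity above is a reconnaissance pattern that a defender can spot in perimeter logs before any Fortinet exploit lands: one external source touching the SSL-VPN ports 4443, 8443, and 10443 across many internal addresses in a short window. The following is an added example, not code from BlackBerry, the FBI, or CISA. It assumes a simple space-separated firewall log format constructed for this illustration (timestamp, source IP, destination IP, destination port, action); the sample log lines are constructed and do not come from any real incident. The detection threshold (`min_targets`) and window length are assumptions to tune for your environment.

```python
"""Flag external hosts sweeping the FortiOS SSL-VPN ports named in the advisory.

Added example (not the page's or CISA's code). Assumes a constructed,
space-separated firewall log format:
    <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <action>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the actors scanned for exposed Fortinet SSL-VPN portals (from the advisory text).
FORTI_SSLVPN_PORTS = {4443, 8443, 10443}

# Constructed sample log lines for this example; not real traffic.
SAMPLE_LOG = """\
2021-03-02T10:00:01Z 203.0.113.7 198.51.100.10 4443 deny
2021-03-02T10:00:02Z 203.0.113.7 198.51.100.11 4443 deny
2021-03-02T10:00:02Z 203.0.113.7 198.51.100.12 8443 deny
2021-03-02T10:00:03Z 203.0.113.7 198.51.100.13 10443 accept
2021-03-02T10:00:04Z 203.0.113.7 198.51.100.14 4443 deny
2021-03-02T10:00:05Z 203.0.113.7 198.51.100.15 10443 deny
2021-03-02T10:05:00Z 192.0.2.44 198.51.100.10 443 accept
2021-03-02T10:05:01Z 192.0.2.44 198.51.100.10 443 accept
2021-03-02T11:30:00Z 198.51.100.200 198.51.100.13 10443 accept
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, src, dst, port, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "dst": dst,
        "port": int(port),
        "action": action,
    }


def find_sslvpn_sweeps(log_text, min_targets=4, window=timedelta(minutes=5)):
    """Return one alert per source that contacted >= min_targets distinct
    destinations on the Fortinet SSL-VPN ports within any `window`-long span.

    Only hits on the watched ports are considered; denied and accepted
    connections both count, because a scan is reconnaissance either way.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["port"] in FORTI_SSLVPN_PORTS:
            hits[ev["src"]].append(ev)

    alerts = []
    for src, evs in hits.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        # Sliding window over the source's events, ordered by time.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            targets = {e["dst"] for e in span}
            if len(targets) >= min_targets and (best is None or len(targets) > best["targets"]):
                best = {
                    "src": src,
                    "targets": len(targets),
                    "ports": sorted({e["port"] for e in span}),
                    # Accepted connections on these ports show which hosts expose a portal.
                    "exposed": sorted({e["dst"] for e in span if e["action"] == "accept"}),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_sslvpn_sweeps(SAMPLE_LOG):
        print(alert)
```

In the constructed sample, 203.0.113.7 touches six internal hosts on all three watched ports within five seconds and is reported, while the ordinary HTTPS traffic on 443 and the single internal connection on 10443 are ignored. The `exposed` field is the operationally useful part: any destination that accepted a connection on one of these ports is a candidate FortiOS SSL-VPN portal to check against the three CVEs named above.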
BlackBerry Expertise with Nation-State Cyberattacks
The BlackBerry Incident Response (IR) Team just finished a special three-part report called 13 Deadly Sins of APT Incident Response, which is based on more than a hundred years of collective IR experience. Many of the tips contained in this blog series pertain to measures that can help organizations avoid falling prey to the attacks described above. In addition, BlackBerry works with organizations of all sizes and vertical industries to evaluate and enhance their security and resilience. If you believe you may be currently targeted by an attack and require emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.