CVSS v3.1: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality / Integrity / Availability Impact: HIGH / HIGH / HIGH
CVSS v2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality / Integrity / Availability Impact: PARTIAL / PARTIAL / PARTIAL
The U.S. Treasury Department on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.
"Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors," the Treasury said.
The agency also accused Iranian state-sponsored actors of staging disruptive attacks aimed at Albanian government computer systems in mid-July 2022, an incident that forced the latter to temporarily suspend its online services.
The development comes nearly nine months after the U.S. Cyber Command characterized the advanced persistent threat (APT) known as MuddyWater as a subordinate element within MOIS. It also comes almost two years after the Treasury's sanctions against another Iranian APT group dubbed APT39 (aka Chafer or Radio Serpens).
Friday's sanctions effectively prohibit U.S. businesses and citizens from engaging in transactions with MOIS and Khatib, and non-U.S. citizens that engage in transactions with the designated entities may themselves be exposed to sanctions.
Coinciding with the economic blockade, the Albanian government said the cyberattack on its digital infrastructure was "orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression."
Microsoft, which investigated the attacks, said the adversaries worked in tandem to carry out distinct phases of the attacks, with each cluster responsible for a different aspect of the operation -
The tech giant's threat intelligence teams also attributed the groups involved in gaining initial access and exfiltrating data to the Iranian MOIS-linked hacking collective codenamed Europium, which is also known as APT34, Cobalt Gypsy, Helix Kitten, or OilRig.
"The attackers responsible for the intrusion and exfiltration of data used tools previously used by other known Iranian attackers," it said in a technical deep dive. "The attackers responsible for the intrusion and exfiltration of data targeted other sectors and countries that are consistent with Iranian interests."
"The Iranian sponsored attempt at destruction had less than a 10% total impact on the customer environment," the company noted, adding that the post-exploitation actions involved the use of web shells for persistence, unknown executables for reconnaissance, credential harvesting techniques, and defense evasion methods to turn off security products.
Microsoft's findings dovetail with previous analysis from Google's Mandiant, which called the politically motivated activity a "geographic expansion of Iranian disruptive cyber operations."
Initial access to the network of an Albanian government victim is said to have occurred as early as May 2021 via successful exploitation of a SharePoint remote code execution flaw (CVE-2019-0604), followed by exfiltration of email from the compromised network between October 2021 and January 2022.
A second, parallel wave of email harvesting was observed between November 2021 and May 2022, likely through a tool called Jason. On top of that, the intrusions entailed the deployment of a ransomware strain called ROADSWEEP and the distribution of a wiper malware referred to as ZeroCleare.
Microsoft characterized the destructive campaign as a "form of direct and proportional retaliation" for a string of cyberattacks on Iran, including one staged by an Iranian hacktivist group that's affiliated with Mujahedin-e-Khalq (MEK) in the first week of July 2022.
The MEK, also known as the People's Mujahedin Organization of Iran (PMOI), is an Iranian dissident group largely based in Albania that seeks to overthrow the government of the Islamic Republic of Iran and install its own government.
"Some of the Albanian organizations targeted in the destructive attack were the equivalent organizations and government agencies in Iran that experienced prior cyberattacks with MEK-related messaging," the Windows maker said.
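The intrusion chain described above (a SharePoint server compromised through CVE-2019-0604, then web shells used for persistence while data was staged for exfiltration) is the kind of activity that leaves traces in the web server's own logs. The script below is an added example written for this page, not Microsoft's or Mandiant's tooling and not derived from the incident's actual artifacts: it hunts an IIS W3C log for web-shell-style traffic, meaning repeated requests to a server-side script under the SharePoint /_layouts/ path that is not in a baseline of known pages, sent without a logged-on user, without a referer and with a non-browser user agent. The log excerpt, the baseline set, the hostnames, IP addresses and page names (help_v2.aspx, upload.aspx) are all constructed for the example, and the scoring thresholds are arbitrary starting points to tune against your own environment.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (sample data for this example, not from the incident).
# IIS encodes spaces inside fields as "+", so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2022-07-15 02:10:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) https://portal.example/ 200
2022-07-15 02:10:05 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) https://portal.example/sites/hr 200
2022-07-15 02:11:30 10.0.0.5 POST /_layouts/15/help_v2.aspx - 443 - 203.0.113.9 python-requests/2.28 - 200
2022-07-15 02:11:31 10.0.0.5 POST /_layouts/15/help_v2.aspx - 443 - 203.0.113.9 python-requests/2.28 - 200
2022-07-15 02:11:33 10.0.0.5 POST /_layouts/15/help_v2.aspx - 443 - 203.0.113.9 python-requests/2.28 - 200
2022-07-15 02:12:00 10.0.0.5 GET /_layouts/15/help_v2.aspx - 443 - 203.0.113.9 python-requests/2.28 - 200
2022-07-15 02:15:10 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) https://portal.example/ 200
"""

# Hypothetical baseline of .aspx pages legitimately served from the layouts directory.
# In practice, build this from a known-clean period of logs or from the installed hive.
BASELINE_LAYOUTS = {"/_layouts/15/upload.aspx", "/_layouts/15/settings.aspx"}

BROWSER_UA = re.compile(r"Mozilla|Chrome|Safari|Edge", re.I)
SCRIPT_EXT = (".aspx", ".ashx", ".asmx")


def parse_iis(text):
    """Parse an IIS W3C log into dicts keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def score_request(row, baseline):
    """Return the list of web-shell indicators that apply to one request."""
    reasons = []
    stem = row["cs-uri-stem"].lower()
    if not stem.endswith(SCRIPT_EXT):
        return reasons
    if stem.startswith("/_layouts/") and stem not in baseline:
        reasons.append("unbaselined script under /_layouts/")
    if row["cs-method"] == "POST" and row["cs-username"] == "-":
        reasons.append("unauthenticated POST to server-side script")
    if row["cs(Referer)"] == "-" and not BROWSER_UA.search(row["cs(User-Agent)"]):
        reasons.append("no referer and non-browser user agent")
    return reasons


def hunt_web_shells(text, baseline=BASELINE_LAYOUTS, min_hits=2):
    """Group requests with at least two indicators by (client IP, script) and
    return the pairs seen at least min_hits times, with their hit count."""
    hits = defaultdict(list)
    for row in parse_iis(text):
        reasons = score_request(row, baseline)
        if len(reasons) >= 2:
            hits[(row["c-ip"], row["cs-uri-stem"].lower())].append(reasons)
    return {key: len(v) for key, v in hits.items() if len(v) >= min_hits}


if __name__ == "__main__":
    for (client, script), count in hunt_web_shells(SAMPLE_LOG).items():
        print(f"{client} -> {script}: {count} suspicious requests")
```

On the constructed log the only pair flagged is 203.0.113.9 driving /_layouts/15/help_v2.aspx, while the authenticated browser traffic to baselined pages scores nothing. Against real data, replace SAMPLE_LOG with the contents of the server's log files and expect to tune the baseline: any custom page under /_layouts/ will show up until it is added.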
Iran's Foreign Ministry, however, has rejected accusations that the country was behind the digital offensive on Albania, calling them "baseless" and stating that Iran is "part of responsible international efforts to deal with the threat of cyberattacks."
It further condemned the sanctions, saying the action was based on "false and unproven" accusations and that Iran "will use all its capabilities within the framework of international law to uphold the Iranians' rights and defend itself against these sinister conspiracies." The Ministry also accused the U.S. of "giving full support to a terrorist sect," referring to MEK.