Advisory Report: Iran-Based Ransomware Actors Targeting US, Foreign Organizations

A joint U.S. advisory from the FBI, the Department of Defense Cyber Crime Center and the Cybersecurity and Infrastructure Security Agency has identified Iran-based cyber actors conducting ransomware attacks on U.S. and foreign organizations.

The cybersecurity advisory warned that the cyber actors, known as Pioneer Kitten, UNC757, Parisite, Rubidium and Lemon Sandstorm, perform ransomware and computer network exploitation activities to steal sensitive technical data in support of the Iranian government. The groups are targeting the critical U.S. sectors of education, finance, health care and defense, as well as local government entities and other countries, including Israel, Azerbaijan and the United Arab Emirates.

An FBI investigation found that the cyber actors’ operations against U.S. organizations are intended to obtain and develop network access, and that the actors then collaborate with ransomware affiliate actors to deploy malicious software.

The advisory provides information about threat actors’ TTPs — tactics, techniques and procedures — and indicators of compromise to help critical infrastructure organizations protect themselves from cyberattacks.

The authorities urged organizations to review their IP logs and apply patches and mitigations to address system vulnerabilities. They also advised monitoring systems for the unique identifiers and TTPs used by the actors when operating on compromised networks.
