The US Treasury Department on Friday announced sanctions against Iran’s Ministry of Intelligence and Security (MOIS) and its Intelligence Minister, Esmaeil Khatib, for engaging in cyber activities against the nation and its allies.
“Since at least 2007, MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private sector organizations across the globe and in various critical infrastructure sectors,” the Treasury said.
The agency also accused Iranian state-sponsored actors of staging disruptive attacks targeting Albanian government computer systems in mid-July 2022, forcing it to suspend its online services.
The development comes nearly nine months after US Cyber Command characterized the Advanced Persistent Threat (APT) known as MuddyWater as a subordinate element within MOIS. It also comes nearly two years after Treasury sanctions against another Iranian APT group dubbed APT39 (aka Chafer or Radio Serpens).
Friday’s sanctions effectively prohibit U.S. companies and citizens from engaging in transactions with MOIS and Khatib, and non-U.S. citizens who engage in transactions with the designated entities may themselves be subject to sanctions.
Coinciding with the economic blockade, the Albanian government said the cyberattack on the digital infrastructure was “orchestrated and sponsored by the Islamic Republic of Iran through the involvement of four groups that carried out the aggression”.
Microsoft, which investigated the attacks, said the adversaries worked in tandem to carry out separate phases of the attacks, with each cluster responsible for a different aspect of the operation –
- DEV-0842 deployed ransomware and wiper malware
- DEV-0861 gained initial access and exfiltrated data
- DEV-0166 (aka IntrudingDivisor) exfiltrated data, and
- DEV-0133 (aka Lyceum or Siamese Kitten) probed victim infrastructure
The tech giant’s threat intelligence teams have also attributed the groups involved in gaining initial access and exfiltrating the data to Iran’s MOIS-linked hacking collective named Europium, also known as APT34, Cobalt Gypsy, Helix Kitten, or OilRig.
“The attackers responsible for the data intrusion and exfiltration used tools previously used by other known Iranian attackers,” the company said in a technical deep dive. “The attackers responsible for the data intrusion and exfiltration targeted other sectors and countries consistent with Iranian interests.”
“The Iranian-sponsored destruction attempt had less than 10% total impact on the client environment,” the company noted, adding that post-exploitation actions involved the use of web shells for persistence, unknown executables for reconnaissance, credential gathering techniques, and defense evasion methods to disable security products.
Microsoft’s findings are consistent with Google-owned Mandiant’s previous analysis, which called the politically motivated activity a “geographic expansion of Iran’s disruptive cyber operations.”
The initial network access of an Albanian government victim allegedly occurred as early as May 2021 via the successful exploitation of a SharePoint remote code execution flaw (CVE-2019-0604), followed by an exfiltration of emails from the compromised network between October 2021 and January 2022.
A second parallel wave of email collection was observed between November 2021 and May 2022, likely via a tool called Jason. In addition, the intrusions resulted in the deployment of ransomware called ROADSWEEP, followed by the deployment of wiper malware called ZeroCleare.
Microsoft called the destructive campaign a “direct and proportionate form of retaliation” for a series of cyberattacks on Iran, including one staged in the first week of July 2022 by an Iranian hacktivist group affiliated with Mujahedin-e-Khalq (MEK).
The MEK, also known as the People’s Mojahedin Organization of Iran (PMOI), is an Iranian dissident group largely based in Albania that seeks to overthrow the government of the Islamic Republic of Iran and install its own government.
“Some of the Albanian organizations targeted in the destructive attack were the equivalent organizations and government agencies in Iran that had previously suffered cyberattacks with MEK-related messages,” the Windows maker said.
However, the Iranian Foreign Ministry has dismissed charges that the country was behind the digital offensive against Albania, calling them “baseless” and saying that it “is part of responsible international efforts to deal with the threat of cyberattacks”.