The FBI and CISA have observed an Iranian government-sponsored APT group that is exploiting vulnerabilities to gain access to systems. The APT group has exploited the same Microsoft Exchange vulnerability in Australia.
Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the transportation sector and the healthcare and public health sector, as well as Australian organisations.
This joint cyber security advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran.
FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.
FBI, CISA, and ACSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors.
These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware and extortion.
The FBI, CISA, ACSC, and NCSC urge critical infrastructure organisations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.