CISA and FBI Alert on Iranian Ransomware Attacks Against US Infrastructure

Date: September 9, 2024


The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and the Department of Defense Cyber Crime Center (DC3), released a joint advisory warning on Iran-based cyber actors enabling ransomware attacks on U.S. organizations.  

These actors, known by various names including Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm, have been targeting both U.S. and foreign organizations across multiple sectors.

Recent investigations by the FBI in August 2024 connect these groups to the Iranian government and an Iranian IT company. Their operations focus on obtaining and developing network access, which is then sold or shared with ransomware affiliates who deploy ransomware in future attacks.

This advisory also draws parallels with a 2020 advisory on Iran-based threat actors exploiting VPN vulnerabilities and provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by the group.

Since 2017, these cyber actors have infiltrated a wide range of U.S. organizations, including schools, financial institutions, municipal governments, and healthcare facilities. The FBI has observed these actors monetize access to victim networks on cyber marketplaces, offering full domain control and admin credentials.  

They have collaborated with ransomware groups like NoEscape, Ransomhouse, and BlackCat/ALPHV, and assist with ransomware encryption operations in exchange for a share of ransom profits.

Beyond ransomware, the group has conducted hack-and-leak campaigns such as Pay2Key, which targeted Israeli infrastructure in 2020. The FBI believes this was not for financial gain but rather an information operation aimed at undermining security in Israel.  

While some of their ransomware activities may be unsanctioned by the Iranian government, their attacks on defense and sensitive networks suggest a connection with Iran’s state-sponsored cyber agenda.

Takeaway: There is growing evidence that cybercriminals and nation-states are increasingly sharing tactics, techniques, and procedures (TTPs) and utilizing common attack infrastructure.  

This convergence has created a landscape where nation-states can claim plausible deniability for certain cyber activities, particularly through ransomware attacks. Today, we see three primary models of nation-state and criminal collaboration in ransomware operations.

The first is the Russian model, where criminal ransomware groups carry out attacks for financial gain that also happen to align with the geopolitical aspirations of the Russian government.

This suggests that many Russian ransomware operators are either directly controlled or heavily influenced by the Russian government, especially in terms of their targeting and tactics.

The second is the Iranian model, where ransomware or destructive wipers are deployed as a distraction or to cause disruption. In some cases, no ransom is demanded, or there is little effort to collect payment, indicating these attacks are not financially motivated but rather serve strategic purposes.

The third model involves North Korea (DPRK), where state-sponsored actors use ransomware not only to disrupt targeted nations but also to raise funds for the cash-strapped regime.

These examples demonstrate how criminal groups have advanced their capabilities by adopting APT-level tactics. Simultaneously, nation-state actors benefit from plausible deniability, as many of their attacks can be disguised as cybercriminal operations.

Given the dual nature of these ransomware attacks—financial gain and furthering geopolitical objectives—it is crucial for the U.S. and its allies to recognize such attacks as acts of terrorism.  

When ransomware targets critical infrastructure, risking lives, these attacks should be reclassified as a serious national security threat rather than a simple criminal act.  

This shift in classification could open up more options for offensive cyber responses and even traditional military action, rather than relying on standard defensive measures.  

Recognizing a subset of ransomware attacks that target critical infrastructure as national security threats would allow for a different set of responses to these threats and allow for more decisive action in protecting national security.

Earlier this summer, the Senate Intelligence Committee advanced a significant proposal as part of its annual measure to authorize U.S. intelligence community operations, which aims to tackle the growing threat of ransomware by treating it as terrorism.

The bill, sponsored by Committee Chairman Mark Warner, introduces novel measures to combat ransomware. It proposes labeling ransomware gangs as “hostile foreign cyber actors,” designating countries that harbor these actors as “state sponsors of ransomware,” and imposing sanctions on those nations.  

Additionally, the bill seeks to grant the U.S. intelligence community enhanced legal authority to pursue ransomware actors by prioritizing ransomware as a national intelligence threat.

While the U.S. Justice Department has previously elevated ransomware investigations to a terrorism-level priority, the Senate Intelligence Committee’s proposal would be the first U.S. law to formally equate ransomware with terrorism.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.