Cyber Conflict Between US and Iran Heats Up

Cybersecurity agencies in the United States, the United Kingdom, and Australia warned on Wednesday that Iran-linked cyberattack groups were ramping up operations, targeting vulnerabilities in enterprise technology to compromise organizations in the US and Australia.

In a joint advisory issued Nov. 17, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) blamed Iran for a broad rise in attacks using vulnerabilities in Fortinet’s FortiOS and Microsoft Exchange. The attackers often activate BitLocker on compromised Windows machines to encrypt data for ransom or hinder operations, the agencies said.
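The advisory's note that the actors switch on BitLocker after compromise points at a simple detection opportunity: BitLocker is normally enabled by a known deployment account during provisioning, so encryption being started (or recovery protectors being removed) from an arbitrary account at an odd hour is worth an alert. The following is an added illustrative example, not code from the advisory or from any of the agencies involved. It scans process-creation records for the real `manage-bde.exe -on`, `Enable-BitLocker` and `manage-bde -protectors -delete` command forms; the pipe-delimited log format and all sample hosts, users and timestamps are constructed for the example.

```python
"""Flag BitLocker-enabling and recovery-protector-removal commands in process-creation logs.

Added illustrative detection logic; the log format below is constructed and not the
format of any particular product.
"""
import re
from dataclasses import dataclass

# Constructed sample records: "timestamp|host|user|command_line"
SAMPLE_LOGS = [
    "2021-11-10T02:13:44Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\manage-bde.exe -on D: -RecoveryPassword",
    "2021-11-10T02:14:02Z|FS01|CORP\\svc_backup|powershell.exe -NoP -Command Enable-BitLocker -MountPoint E: -RecoveryPasswordProtector",
    "2021-11-10T02:15:10Z|WS22|CORP\\jdoe|C:\\Windows\\System32\\manage-bde.exe -status",
    "2021-11-10T09:00:00Z|WS22|CORP\\jdoe|C:\\Program Files\\Office\\WINWORD.EXE /n",
    "2021-11-10T02:16:30Z|FS01|CORP\\svc_backup|manage-bde.exe -protectors -delete C: -type recoverypassword",
]

# Real command syntax: "manage-bde -on <volume>" and the PowerShell cmdlet Enable-BitLocker
# start encryption; "manage-bde -protectors -delete" removes key protectors (including the
# recovery password an organization would need to get its own data back).
RULES = [
    ("bitlocker-enable-cli", re.compile(r"manage-bde(?:\.exe)?\b.*\s-on\b", re.I)),
    ("bitlocker-enable-ps", re.compile(r"\bEnable-BitLocker\b", re.I)),
    ("bitlocker-protector-delete", re.compile(r"manage-bde(?:\.exe)?\b.*-protectors\s+-delete\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    severity: str
    command_line: str


def parse_line(line):
    """Split one constructed log record into its four fields; None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    timestamp, host, user, command_line = parts
    return {"timestamp": timestamp, "host": host, "user": user, "command_line": command_line}


def match_rule(command_line):
    """Return the name of the first rule the command line matches, or None."""
    for name, pattern in RULES:
        if pattern.search(command_line):
            return name
    return None


def scan(lines, expected_admins=frozenset()):
    """Produce a Finding for every BitLocker-related command.

    expected_admins holds accounts that legitimately deploy BitLocker. Their activity is
    still reported (a compromised service account is the usual case), only at lower severity.
    """
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        rule = match_rule(record["command_line"])
        if rule is None:
            continue
        severity = "medium" if record["user"] in expected_admins else "high"
        findings.append(Finding(record["timestamp"], record["host"], record["user"],
                                rule, severity, record["command_line"]))
    return findings


def hosts_with_findings(findings):
    """Distinct hosts that produced at least one finding, for triage ordering."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.severity:6} {f.host:5} {f.user:18} {f.rule:28} {f.command_line}")
```

Run against the constructed sample, the scan reports three high-severity findings, all from `FS01`, and ignores the harmless `manage-bde -status` query and the Word launch. The allowlist only downgrades severity rather than suppressing a finding, because the account that starts the encryption in an intrusion is often exactly the legitimate one whose credentials were taken.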

Three Fortinet vulnerabilities have been used since at least March against US targets, while both the US and Australia have seen attacks targeting the Microsoft Exchange ProxyShell issue, the advisory stated.

“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations,” stated CISA and the FBI in a joint advisory, adding that the attacks seem more focused on gaining advantage before organizations patch specific flaws, rather than specifically targeting critical infrastructure. “These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”

These notices come less than three weeks after a top Iranian official blamed the US and Israel for attacks disrupting gasoline sales in Iran. In late October, Iran’s civil defense chief, Gholamreza Jalali, blamed “the Zionist Regime, the Americans and their agents” for the outage, which affected thousands of gas stations, according to a Reuters report.

FBI officials also reportedly sent out a private industry notification (PIN) warning companies that Iranian attackers are attempting to buy stolen data regarding email messages and network information on underground forums. They also warned companies that have had data stolen to watch out…