Law enforcement agencies in the U.S., Britain, and Australia have issued a joint statement labeling an Iran-sponsored group as a serious threat to cyber security.
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, Australian Cyber Security Center (ACSC), and British National Cyber Security Center (NCSC) released a joint cybersecurity advisory Wednesday that linked a group of hackers to the Iranian government.
The agencies also labeled the group an advanced persistent threat (APT) after it exploited Fortinet and Microsoft Exchange in March and October, respectively. The group gained access to the systems as part of an ongoing operation to deploy ransomware.
The advisory notes the group has actively targeted “a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Heath Sector, as well as Australian organizations.”
Authorities did not name the Iranian actors or tie them to a specific group working for the government.
Cybersecurity agencies in all three countries urged any organization using Microsoft Exchange and Fortinet to investigate any suspicious activity in their networks.
The U.S. has identified a number of foreign ransomware attacks over the past two years, most notably the Ryuk and Darkside groups, which authorities tied to Russia, but not to the Russian government.
Ryuk orchestrated a number of attacks on U.S. health care organizations and facilities during the peak of the coronavirus pandemic, delaying potentially life-saving treatments for patients, according to Radio Free Europe.
U.S. authorities tied Darkside to the Colonial Pipeline ransomware attack that occurred in May 2021.
Earlier this year, the Biden administration imposed sanctions on Russia for the SolarWinds computer hack, which began in 2020 when malicious code was sneaked into updates to popular software that monitors computer networks of businesses and governments.