The Treasury Department has sanctioned six Iranian military hackers for cyberattacks against U.S. water companies, with the hackers posing as anti-Israel activists. The attacks, which occurred late last year, did not disrupt critical services but underscore the risk of internet-connected infrastructure and the potential for regional conflicts to lead to global cyberattacks. The hackers targeted Israeli infrastructure, particularly water systems, and successfully breached American facilities by exploiting default passwords. The sanctions prohibit American individuals and companies from doing business with the hackers, who were identified as a front for the Islamic Revolutionary Guard Corps.
US authorities are working to contain a hacking campaign by Iranian hackers targeting multiple drinking water and sewage systems across the country. A small number of water utilities have been compromised, but there has been no known impact on safe drinking water or operational systems. The hackers, affiliated with the Iranian Government's Islamic Revolutionary Guard Corps, have been targeting programmable logic controllers made by an Israeli company called Unitronics, which are commonly used in water and wastewater systems. US agencies have issued a cybersecurity advisory warning about the breach potential of these controllers if connected to the internet. The fragmented nature of the US water industry and the lack of basic cybersecurity protections in many systems exacerbate the problem.
Multiple water utilities in the US running the same Israeli-made computer system have been breached by hackers, according to federal officials. The cyberattacks, which have targeted fewer than 10 water facilities, have not caused disruptions or threatened drinking water. The hackers have defaced computer screens in low-level attacks, raising concerns among US officials. US and Israeli authorities have attributed the attacks to hackers affiliated with the Iranian government. Efforts are underway to remove industrial equipment from the internet to prevent further hacks. The US water sector has struggled to address cybersecurity threats due to limited resources.
Iranian hacker group Imperial Kitten, also known as Tortoiseshell, TA456, Crimson Sandstorm, and Yellow Liderc, has been targeting transportation, logistics, and technology firms in Israel. The group, linked to the Iranian Revolutionary Guard Corps, has been active since 2017 and has targeted various sectors including defense, technology, telecommunications, maritime, energy, and consulting services. The recent attacks involved phishing emails with malicious attachments, allowing the hackers to gain access to the network and move laterally. The attacks were discovered by cybersecurity company CrowdStrike, which provided indicators of compromise for the malware and infrastructure used.
Iranian hacker group Scarred Manticore, believed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), has been conducting an ongoing espionage campaign targeting government, military, and telecom sectors in the Middle East, including Saudi Arabia, UAE, Jordan, Kuwait, Oman, Iraq, and Israel. The group, active since at least 2019, has been infiltrating organizations to exfiltrate data using advanced malware called Liontail, which allows remote command execution. Scarred Manticore's tools and capabilities demonstrate the progress Iranian actors have made, and while there are overlaps with the Iranian hacker group OilRig, attribution is not definitive. The group's operations are expected to continue and potentially expand into other regions aligned with Iranian long-term goals.
Iranian state-backed hackers have been targeting satellite, defense, and pharmaceutical firms in the US and globally, aiming to gather intelligence and potentially develop domestic production in these industries amidst heavy US sanctions. Microsoft analysts revealed that the hackers have successfully breached a few dozen organizations using a blunt hacking technique, highlighting their determination to access valuable intelligence. The sanctions have increased Iran's incentive to search for trade secrets held by foreign companies. The cyber-espionage campaign has continued throughout the summer, with the hackers employing a method of compromising identities by guessing common passwords. The Iranian government typically denies allegations of hacking, and the specific US companies breached have not been disclosed.
Iranian-backed threat group APT33, also known as Peach Sandstorm, has been conducting password spray attacks since February 2023, targeting thousands of organizations worldwide, including those in the defense, satellite, and pharmaceutical sectors. The group has been active since 2013 and has shown interest in various industry verticals. Microsoft's Threat Intelligence team has observed the hackers using sophisticated tactics, such as exploiting unpatched appliances and using compromised Azure credentials. The attacks are believed to be aimed at facilitating intelligence collection in support of Iranian state interests. Password spray attacks have become increasingly popular, accounting for a significant number of enterprise account compromises.
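The password-spray pattern described in the two items above (many accounts, one or two guesses each, from a single source) has a recognisable shape in authentication logs. The following is an added detection example, not code from any of the reporting summarised here; the log format and the IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the page):
# timestamp  source_ip  username  result
SAMPLE_LOG = """\
2023-09-01T10:00:01 203.0.113.7 alice FAIL
2023-09-01T10:00:03 203.0.113.7 bob FAIL
2023-09-01T10:00:05 203.0.113.7 carol FAIL
2023-09-01T10:00:07 203.0.113.7 dave FAIL
2023-09-01T10:00:09 203.0.113.7 erin FAIL
2023-09-01T10:00:11 203.0.113.7 frank SUCCESS
2023-09-01T10:01:00 198.51.100.2 alice FAIL
2023-09-01T10:01:05 198.51.100.2 alice FAIL
2023-09-01T10:01:10 198.51.100.2 alice FAIL
2023-09-01T10:01:15 198.51.100.2 alice FAIL
2023-09-01T10:02:00 192.0.2.9 gina SUCCESS
"""

def parse_log(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events

def find_spray_sources(events, min_users=5, max_per_user=2):
    """Flag sources that fail against many distinct accounts with few tries each.

    A classic brute force (many failures on one account) is deliberately NOT
    flagged here, so the two patterns can be triaged separately."""
    fails = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e["ok"]:
            fails[e["ip"]][e["user"]] += 1
    flagged = {}
    for ip, per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            flagged[ip] = sorted(per_user)
    return flagged

def successes_after_spray(events, flagged):
    """Accounts that authenticated successfully from a spraying source: triage first."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})
```

Thresholds are assumptions; tune `min_users` and `max_per_user` to the tenant's normal failure rate, and extend the source key to include user agent or ASN when a campaign rotates IPs.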
Iranian hackers accessed a US municipal website for reporting unofficial election results in 2020 but were kicked off the network by US military hackers and didn’t have any impact on voting, a top US general said. The US military then executed its own cyber operation to kick the Iranians off the network of the US city to ensure the Iranian hackers were “unable to come back into the network” in the run-up to the 2020 election. The episode illustrates how cyberspace has become a key frontier in various governments’ efforts to shape, influence and defend elections.
Iranian threat actor MuddyWater has been using the legitimate remote support software SimpleHelp to ensure persistence on victim devices. The group, believed to be a subordinate element within Iran's Ministry of Intelligence and Security, has previously used ScreenConnect, RemoteUtilities, and Syncro. SimpleHelp is not compromised and is used as intended, with the threat actors downloading the tool from the official website. The exact distribution method used to drop the SimpleHelp samples is currently unclear, although the group is known to send spear-phishing messages bearing malicious links from already compromised corporate mailboxes.