- The U.S. Treasury Department on Friday announced sanctions against Iran’s Ministry of Intelligence and Security as well as its Minister of Intelligence for malicious cyber activity targeting the U.S. and allies globally.
- The Office of Foreign Assets Control said Iran has engaged in malicious cyber activity against government and private sector organizations, including critical infrastructure targets, since at least 2007. Threat actors linked to Iran and the MOIS launched attacks in July against computer systems of the Albanian government, a NATO ally. Albania had to suspend online services for its citizens in response to the attack.
- U.S. authorities earlier this year identified a group of advanced persistent threat actors, known as MuddyWater, active since 2018 that operate as a unit within MOIS. The group has exploited publicly known vulnerabilities to deploy ransomware, target private organizations and access sensitive data on computer systems.
The designation comes at a time of heightened tension between Iran and the U.S. and its allies. President Joe Biden recently took military action against Iran-linked groups in Syria and talks have intensified in recent weeks in an attempt to renegotiate the Iran nuclear deal.
“MOIS carries out cyber espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security services the Islamic Revolutionary Guard Corps,” John Hultquist, VP at Mandiant Threat Intelligence, said in a statement. “They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable personal identifiable information.”
Mandiant linked a new APT actor, called APT 42, to the intelligence service of Iran’s Islamic Revolutionary Guard Corp, in a report released last week. The actor, which was previously tracked as UNC788, has targeted dissidents and organizations considered to be opponents of Iran around the world.
The newly identified APT actor is unreleated to the Treasury activity currently sanctioned by U.S. authorities, according to a Mandiant spokesperson.
The group has engaged in harvesting credentials through spear phishing campaigns against corporate and individual targets, surveillance and deploying malware, according to Mandiant.