Cyberattacks keep escalating in both number and sophistication, and no organization can afford to take its eyes off system security and online operations, because adversaries have malicious techniques that let them exploit vulnerabilities in systems and breach data.
To that end, they target large companies and governments for large payoffs, and their tactics have advanced. Earlier, adversaries mostly relied on sending malicious links to gain access to a victim's systems or network.
Now they can take control of a victim's machine remotely with far less effort, and they can alter or destroy the data on it. Recently, one such case came into the spotlight.
On Friday, the U.S. Treasury Department sanctioned Iran's Ministry of Intelligence and Security (MOIS) together with the Minister of Intelligence, Esmaeil Khatib, for engaging in cyberattacks against the United States and its allies.
The U.S. Treasury Department
According to the Treasury, since at least 2007, MOIS and its proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across several critical infrastructure sectors.
The agency also accused Iranian state-sponsored actors of orchestrating an attack in July 2022 to disrupt the Albanian government's computer systems, which temporarily shut down the government's online services.
The development comes roughly nine months after the U.S. Cyber Command characterized the advanced persistent threat (APT) known as MuddyWater as a subordinate element of MOIS.
It also comes two years after the Treasury sanctioned a different Iranian APT group, APT39 (aka Chafer or Radio Serpens).
Effect of Sanctions
Following Friday's designation, U.S. persons are generally prohibited from transacting with MOIS and Khatib, and non-U.S. persons who engage in certain transactions with them risk being sanctioned themselves.
Microsoft also said that the group responsible for obtaining initial access and exfiltrating data has ties to a MOIS-linked hacking collective it calls Europium, which is also tracked as APT34, Cobalt Gypsy, Helix Kitten, or OilRig.
Coinciding with the sanctions, the Albanian government said the cyberattack on its digital infrastructure was "orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression."
Microsoft, which investigated the cyberattacks, said: "the adversaries worked as a group to carry out the steps of the attacks, in which each cluster took responsibility for a different aspect of the goal."
● DEV-0842 deployed the ransomware and wiper malware
● DEV-0861 gained initial access and exfiltrated data
● DEV-0166 (aka IntrudingDivisor) exfiltrated data, and
● DEV-0133 (aka Lyceum or Siamese Kitten) probed victim infrastructure
“The attackers responsible for the intrusion and exfiltration of data used tools previously used by other known Iranian attackers,” it said in a technical deepdive. “The attackers responsible for the intrusion and exfiltration of data targeted other sectors and countries that are consistent with Iranian interests.”
Microsoft's findings are consistent with an analysis from Google-owned Mandiant, which assessed the activity as politically motivated and described it as an example of "Iranian disruptive cyber operations' geographic expansion."
Microsoft characterizes the cyberattack as a "form of direct and calculated revenge" for a string of cyberattacks on Iran, including one carried out in the first week of July 2022 by an Iranian hacker group dedicated to the Mujahedin-e-Khalq (MEK).
“Some of the Albanian organizations targeted in the destructive attack were the equivalent organizations and government agencies in Iran that experienced prior Cyberattacks with MEK-related messaging,” the Windows maker said.
According to the firm, the damage caused by the Iranian adversaries affected around 10% of the customer environment. The attackers also took several steps to extend their reach:
● Web shells for persistence and post-exploitation activity
● Unknown executables for reconnaissance
● Data exfiltration
● Defense evasion techniques to disable security products
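As an added illustration of the tactics listed above (this is not Microsoft's detection logic and not data from the Albanian incident), the Python script below triages Sysmon-style process-creation events for the same patterns: a shell spawned by the IIS worker process, as a web shell does; reconnaissance commands; executables staged in unusual directories or masquerading as system binaries; and PowerShell that turns off Microsoft Defender's real-time monitoring. The pipe-separated log format, the file paths and every sample event are constructed for this example.

```python
"""Triage constructed process-creation events for web shells, reconnaissance,
staged executables and defense evasion. Added example; the event format
(timestamp|ParentImage|Image|CommandLine) is an assumption, not a real log."""
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Line 5 is benign.
SAMPLE_EVENTS = """\
2022-07-15T02:11:09Z|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2022-07-15T02:12:41Z|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net group "Domain Admins" /domain
2022-07-15T02:14:03Z|C:\\Windows\\System32\\cmd.exe|C:\\Users\\Public\\svchost.exe|C:\\Users\\Public\\svchost.exe -scan 10.0.0.0/24
2022-07-15T02:20:17Z|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
2022-07-15T08:00:00Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"WINWORD.EXE" report.docx
"""

WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}  # web server processes
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}                     # children a web shell spawns
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}  # names worth masquerading as
STAGING_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\perflogs\\")
SYSTEM32 = "c:\\windows\\system32\\"

# Host/domain discovery commands commonly run right after a foothold.
RECON_RE = re.compile(
    r"\b(whoami|systeminfo|ipconfig\s+/all|nltest|net\s+(group|user|view|localgroup)|quser|tasklist)\b",
    re.IGNORECASE,
)
# Commands that disable or blind Microsoft Defender.
EVASION_RE = re.compile(
    r"(Set-MpPreference\s+.*-Disable\w*Monitoring|Add-MpPreference\s+.*-Exclusion\w*|"
    r"\b(sc|net)\s+stop\s+(windefend|sense|mpssvc)\b|Uninstall-WindowsFeature\s+.*Windows-Defender)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number of the event in the input
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str):
    """Yield (line_no, parent_image, image, command_line); skip malformed lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split("|", 3)
        if len(parts) != 4:
            continue  # malformed telemetry must not abort the whole triage
        _ts, parent, image, cmd = parts
        yield n, parent, image, cmd


def triage(text: str) -> list[Finding]:
    findings = []
    for n, parent, image, cmd in parse_events(text):
        pname, iname, ipath = basename(parent), basename(image), image.lower()
        if pname in WEB_WORKERS and iname in SHELLS:
            findings.append(Finding(n, "web_shell_child_process", f"{pname} spawned {iname}"))
        if RECON_RE.search(cmd):
            findings.append(Finding(n, "reconnaissance_command", cmd))
        if ipath.startswith(STAGING_DIRS):
            findings.append(Finding(n, "unusual_executable_path", image))
        if iname in SYSTEM_NAMES and not ipath.startswith(SYSTEM32):
            findings.append(Finding(n, "masquerading_system_binary", image))
        if EVASION_RE.search(cmd):
            findings.append(Finding(n, "defense_evasion_disable_av", cmd))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"line {f.line}: {f.rule}: {f.detail}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

On the constructed events the first line fires both the web-shell rule and the reconnaissance rule, the `svchost.exe` under `C:\Users\Public` fires the staging-path and masquerading rules, and the benign Word launch on the last line produces nothing. In practice these rules would run over real Sysmon Event ID 1 or Windows Security 4688 data, and the parent/child check is the one that matters most for SharePoint or Exchange hosts, because a web shell's commands always run under the worker process.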
Timeline of the Attack
Initial access to the Albanian government networks dates back to May 2021, when a SharePoint remote code execution flaw (CVE-2019-0604) was exploited, followed by the exfiltration of email from the compromised networks between October 2021 and January 2022.
A second round of email exfiltration, using a tool called Jason, took place between November 2021 and May 2022, after which the ROADSWEEP ransomware and the ZeroCleare wiper were deployed.
People’s Mujahedin Organization of Iran
The MEK, also known as the People's Mujahedin Organization of Iran (PMOI), is an Iranian dissident group largely based in Albania that seeks to overthrow the government of the Islamic Republic of Iran and install its own.
Reaction From Foreign Ministry of Iran
Iran's Foreign Ministry, however, rejected the accusations that the country was behind the digital offensive on Albania, calling them "baseless" and asserting that Iran is "part of responsible international efforts to deal with the threat of cyberattacks."
It further condemned the sanctions, describing them as based on "false and unproven" accusations, and stated that it "will use all its capabilities within the framework of international law to uphold the Iranians' rights and defend itself against these sinister conspiracies." The Ministry also accused the U.S. of "giving full support to a terrorist sect," referring to the MEK.