Iran-backed cyber attackers targeting critical infrastructure of US, Australia: US, UK agencies

A “joint cybersecurity advisory” was issued by the FBI, CISA, UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC)

An Iranian government-sponsored advanced persistent threat (APT) group has been targeting the critical infrastructure of the United States of America by exploiting vulnerabilities in Microsoft Exchange and Fortinet products, the US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) claimed.

This claim, which came as part of a “joint cybersecurity advisory” issued by the FBI, CISA, UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC), said that the cyber attackers are targeting a broad range of sectors such as transportation, healthcare and public health in the US, as well as Australian organizations.

Russia, China and Iran have been in the cross-hairs of the US government for allegedly perpetrating state-sponsored cyberattacks targeting the country’s critical infrastructure. The Biden administration has been publicly calling out these nation-states over the alleged attacks. This was reiterated by Biden when he met his Russian counterpart Vladimir Putin in June this year.

Attacks on critical infrastructure lead to a decline in trust between governments online, and lend themselves to retaliatory measures. In some instances, they lead to pushes for closing up of the Internet, and for firewalls and data localisation, thus having an impact on the openness of the Internet.

Observed Iranian activity since March 2021: Advisory

The FBI and CISA have observed alleged Iranian government-sponsored activities on Microsoft Exchange and Fortinet vulnerabilities since March 2021. Here is a brief timeline of what they observed:

  • March 2021: “The FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591,” the advisory said. According to Cloudflare, a port is a virtual point where network connections start and end. It is managed by a computer’s operating system, and each port is associated with a specific process. Cloudflare also said that ports allow computers to easily differentiate between different kinds of traffic.
  • May 2021: The advisory said that the Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a US municipal government. “The actors likely created an account with the username “elie” to further enable malicious activities,” it claimed.
  • June 2021: APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children, the advisory said.
  • October 2021: The advisory added that the actors have leveraged a Microsoft Exchange ProxyShell vulnerability “CVE-2021-34473” to gain access to systems in advance of follow-on operations.

How did the Iranian actors gain access?

The advisory said that the APT actors may have created new user accounts on domain controllers, servers, workstations, and active directories. “Some of these accounts appear to have been created to look similar to other existing accounts on the network,” it said.

The FBI and CISA identified the following account usernames as associated with this activity:

  • Support
  • Help
  • elie
  • WADGUtilityAccount

The Iranian actors also may have abused the Windows Task Scheduler to perform task scheduling for recurring execution of malicious code, the advisory said. “These modifications may display as unrecognized scheduled tasks or actions,” it added.

These actors have also been exploiting known vulnerabilities for conducting “follow-on operations, such as data exfiltration or encryption, ransomware, and extortion”, the advisory said. The APT actors also allegedly forced victims to activate Bitlocker to encrypt data and sent ransom demands from emails such as —

  • sar_addr@protonmail[.]com
  • WeAreHere@secmail[.]pro
  • nosterrmann@mail[.]com
  • nosterrmann@protonmail[.]com

What tools have the Iranian attackers used?

The APT actors have used the following tools for a variety of tactics across the enterprise spectrum, the advisory said.

  • Mimikatz for credential theft
  • WinPEAS for privilege escalation
  • SharpWMI (Windows Management Instrumentation)
  • WinRAR for archiving collected data
  • FileZilla for transferring files

Organisations using Microsoft Exchange and Fortinet should investigate their networks: Advisory

The FBI, CISA, ACSC, and NCSC gave a slew of recommendations, including that organisations using Microsoft Exchange servers and Fortinet products investigate potential suspicious activity in their networks. Others are —

  • Search for indicators of compromise (IOC)
  • Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise
  • Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts
  • Review Task Scheduler for unrecognized scheduled tasks
  • Review antivirus logs for indications they were unexpectedly turned off
  • Look for WinRAR and FileZilla in unexpected locations
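A defender-side hunt for two of the indicators described above (new accounts that mimic existing ones or match the advisory’s usernames, and unrecognised scheduled tasks), written as an added example that is not part of the advisory or this article. It assumes Windows Security log events (Event ID 4720, account created; Event ID 4698, scheduled task created) have already been exported and parsed into dicts; the task-path allowlist and the sample events are constructed.

```python
"""Hunt over Windows Security events for the persistence indicators the
advisory describes: look-alike/new accounts (Event ID 4720) and
unrecognised scheduled tasks (Event ID 4698)."""
import re

# Usernames the advisory associates with this activity.
ADVISORY_USERNAMES = {"support", "help", "elie", "wadgutilityaccount"}

# Hypothetical allowlist of task-path prefixes an organisation expects.
KNOWN_TASK_PREFIXES = ("\\Microsoft\\Windows\\",)


def normalize(name):
    """Collapse case, separators and trailing digits so that
    'Svc-Backup1' and 'svc_backup' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower()).rstrip("0123456789")


def hunt(events, existing_accounts, task_prefixes=KNOWN_TASK_PREFIXES):
    """Return (event_id, subject, reason) findings for parsed Security
    events; existing_accounts is the pre-incident account inventory."""
    findings = []
    by_norm = {normalize(a): a for a in existing_accounts}
    existing_lower = {a.lower() for a in existing_accounts}
    for ev in events:
        if ev["EventID"] == 4720:
            name = ev["TargetUserName"]
            if name.lower() in ADVISORY_USERNAMES:
                findings.append((4720, name, "username listed in advisory"))
            elif name.lower() not in existing_lower and normalize(name) in by_norm:
                findings.append((4720, name,
                                 f"mimics existing account {by_norm[normalize(name)]}"))
        elif ev["EventID"] == 4698:
            task = ev["TaskName"]
            if not task.startswith(task_prefixes):
                findings.append((4698, task, "scheduled task outside allowlist"))
    return findings


# Constructed sample events and inventory, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "elie"},
    {"EventID": 4720, "TargetUserName": "Svc-Backup1"},
    {"EventID": 4720, "TargetUserName": "jdoe"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"EventID": 4698, "TaskName": "\\Updater"},
]
SAMPLE_ACCOUNTS = ["Administrator", "svc_backup", "HRAdmin"]

if __name__ == "__main__":
    for eid, subject, reason in hunt(SAMPLE_EVENTS, SAMPLE_ACCOUNTS):
        print(f"[{eid}] {subject}: {reason}")
```

The account inventory should come from a snapshot taken before the suspected intrusion window, otherwise a look-alike account already present in the inventory will not be flagged.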
