Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks
May 12, 2022
A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia. Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus). "Elements of Cobalt Mirage activity have been reported as Phosphorus and TunnelVision ," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News. The threat actor is said to have conducted two different sets of intrusions, one of which relates to opportunistic ransomware attacks involving the use of legitimate tools like BitLocker and DiskCryptor for financial gain. The second set of attacks are more targeted, carried out with the primary goal of securing access and gathering intelligence, while also depl