#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Iranian Hackers | Breaking Cybersecurity News | The Hacker News

U.S. Sanctions 6 Iranian Officials for Critical Infrastructure Cyber Attacks

U.S. Sanctions 6 Iranian Officials for Critical Infrastructure Cyber Attacks
Feb 03, 2024 Intelligence Agency / Cyber Security
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries. The  officials  include Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian, who are part of the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Reza Lashgarian is also the head of the IRGC-CEC and a commander in the IRGC-Qods Force. He is alleged to have been involved in various IRGC cyber and intelligence operations. The Treasury Department  said  it's holding these individuals responsible for carrying out "cyber operations in which they hacked and posted images on the screens of programmable logic controllers manufactured by Unitronics, an Israeli company." In late November 2023, the U.S. Cybersecurity and Infras

Iranian Hackers Masquerade as Journalists to Spy on Israel-Hamas War Experts

Iranian Hackers Masquerade as Journalists to Spy on Israel-Hamas War Experts
Jan 18, 2024 Cyber Espionage / Threat Intelligence
High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. have been targeted by an Iranian cyber espionage group called  Mint Sandstorm  since November 2023. The threat actor "used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files," the Microsoft Threat Intelligence team  said  in a Wednesday analysis, describing it as a "technically and operationally mature subgroup of Mint Sandstorm." The attacks, in select cases, involve the use of a previously undocumented backdoor dubbed MediaPl, indicating ongoing endeavors by Iranian threat actors to refine their post-intrusion tradecraft. Mint Sandstorm, also known as APT35, Charming Kitten, TA453, and Yellow Garuda, is  known  for its  adept social engineering campaigns , even resorting to legitimate but compromised accounts to send bespoke phishing emails to prospective

Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What to Know

Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What to Know
Feb 13, 2024SaaS Security / Data Breach
The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms about the vulnerabilities inherent in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches — safeguarding the integrity of SaaS apps and their sensitive data is critical but is not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations and vulnerabilities in third-party app integrations demonstrate the complex security challenges facing IT systems. In the case of Midnight Blizzard, password spraying against a test environment was the initial attack vector. For Cloudflare-Atlassian, threat actors initiated the attack via compromised  OAuth tokens  from a prior breach at Okta, a SaaS identity security provider.  What Exactly Happened? Microsoft Midnight Blizzard Breach Microsoft was targeted by the Russian "Midnight Blizzard" hackers (also known as Nobelium, APT29, or Cozy Bear) who are linked to the SVR, the Kremlin's forei

Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector

Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector
Dec 22, 2023 Threat Intelligence / Supply Chain Attack
Organizations in the Defense Industrial Base (DIB) sector are in the crosshairs of an Iranian threat actor as part of a campaign designed to deliver a never-before-seen backdoor called FalseFont. The findings come from Microsoft, which is tracking the activity under its weather-themed moniker  Peach Sandstorm  (formerly Holmium), which is also known as APT33, Elfin, and Refined Kitten. "FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its [command-and-control] servers," the Microsoft Threat Intelligence team  said  on X (previously Twitter). The first recorded use of the implant was in early November 2023. The tech giant further said that the latest development aligns with previous activity from Peach Sandstorm and demonstrates a continued evolution of the threat actor's tradecraft. In a report published in September 2023, Microsoft  linke

The Critical State of AI in the Cloud

cyber security
websiteWiz.ioArtificial Intelligence / Cloud Security
Wiz Research reveals the explosive growth of AI adoption and what 150,000+ cloud accounts revealed about the AI surge.

Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign

Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
Nov 02, 2023 Cyber Attack / Malware
The Iranian nation-state actor known as  MuddyWater  has been linked to a new spear-phishing campaign targeting two Israeli entities to ultimately deploy a legitimate remote administration tool from N-able called  Advanced Monitoring Agent . Cybersecurity firm Deep Instinct, which disclosed details of the attacks,  said  the campaign "exhibits updated TTPs to previously reported MuddyWater activity," which has, in the past, used similar attack chains to distribute other remote access tools like  ScreenConnect, RemoteUtilities, Syncro , and  SimpleHelp . While the latest development marks the first time MuddyWater has been observed using N-able's remote monitoring software, it also underscores the fact that the largely unchanged modus operandi continues to yield some level of success for the threat actor. The findings have also been separately confirmed by cybersecurity company Group-IB in a post shared on X (formerly Twitter). The state-sponsored group is a  cyber

Iranian Nation-State Actor OilRig Targets Israeli Organizations

Iranian Nation-State Actor OilRig Targets Israeli Organizations
Sep 22, 2023 Cyber Attack / Malware
Israeli organizations were targeted as part of two different campaigns orchestrated by the Iranian nation-state actor known as  OilRig  in 2021 and 2022. The campaigns, dubbed Outer Space and Juicy Mix, entailed the use of two previously undocumented first-stage backdoors called Solar and Mango, which were deployed to collect sensitive information from major browsers and the Windows Credential Manager. "Both backdoors were deployed by VBS droppers, presumably spread via spear-phishing emails," ESET security researcher Zuzana Hromcová  said  in a Thursday analysis. OilRig (aka APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten) is the name assigned to an  intrusion set  affiliated with Iran's Ministry of Intelligence and Security (MOIS). Active since 2014, the threat actor has used a wide range of tools at its disposal to carry out information theft. Earlier this February, Trend Micro  discovered  OilRig's use of a simple backdoor to steal users' credenti

Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users

Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
Jul 06, 2023 Endpoint Security / Malware
The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware. "TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint  said  in a new report. "When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed  multi-persona impersonation  in its unending espionage quest." TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary's use of an updated version of a Powershell implant called  CharmPower  (aka GhostEcho or POWERSTAR). In the attack sequence discove

Iranian Hackers Using POWERSTAR Backdoor in Targeted Espionage Attacks

Iranian Hackers Using POWERSTAR Backdoor in Targeted Espionage Attacks
Jun 30, 2023 Cyber Espionage/ Malware
Charming Kitten, the nation-state actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been attributed to a bespoke spear-phishing campaign that delivers an updated version of a fully-featured PowerShell backdoor called POWERSTAR . "There have been improved operational security measures placed in the malware to make it more difficult to analyze and collect intelligence," Volexity researchers Ankur Saini and Charlie Gardner said in a report published this week. The threat actor is something of an expert when it comes to employing social engineering to lure targets, often crafting tailored fake personas on social media platforms and engaging in sustained conversations to build rapport before sending a malicious link. It's also tracked under the names APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda. Recent intrusions orchestrated by Charming Kitten have made use of other implants such as PowerLess and BellaCiao

From MuddyC3 to PhonyC2: Iran's MuddyWater Evolves with a New Cyber Weapon

From MuddyC3 to PhonyC2: Iran's MuddyWater Evolves with a New Cyber Weapon
Jun 29, 2023
The Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework called  PhonyC2  that's been put to use by the actor since 2021. Evidence shows that the custom made, actively developed framework has been leveraged in the  February 2023 attack on Technion , an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News. What's more, additional links have been unearthed between the Python 3-based program and other attacks carried out by MuddyWater, including the  ongoing exploitation of PaperCut servers . "It is structurally and functionally similar to  MuddyC3 , a previous MuddyWater  custom C2 framework  that was written in Python 2," security researcher Simon Kenin said. "MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection." MuddyWater, also known as Mango Sandstorm (previously Mercury), is a cyber

Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware

Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware
May 25, 2023 Ransomware / Endpoint Security
The Iranian threat actor known as  Agrius  is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations. Agrius, also known as Pink Sandstorm (formerly Americium), has a  track record  of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections. Microsoft has attributed the threat actor to Iran's Ministry of Intelligence and Security (MOIS), which also operates  MuddyWater . It's known to be active since at least December 2020. In December 2022, the hacking crew was  attributed  to a set of attempted disruptive intrusions that were directed against diamond industries in South Africa, Israel, and Hong Kong. These attacks involved the use of a .NET-based wiper-turned-ransomware called  Apostle  and its successor known as Fantasy. Unlike Apostle, Moneybird is programmed in C++. "The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group's expanding capabil

Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability

Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability
May 09, 2023 Cyber Espionage / Vulnerability
Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft disclosed over the weekend. The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access. "This activity shows Mint Sandstorm's continued ability to  rapidly incorporate [proof-of-concept] exploits  into their operations," Microsoft  said  in a series of tweets. On the other hand, CVE-2023-27350 exploitation activity associated with Mango Sandstorm is said to be on the lower end of the spectrum, with the state-sponsored group "using tools from prior intrusions to connect to their C2 infrastructure." It's worth noting that  Mango Sandstorm  is linked to Iran's Ministry of Intelligence and Security (MOIS) and  Mint Sandstorm  is associated with the Islamic

Charming Kitten's New BellaCiao Malware Discovered in Multi-Country Attacks

Charming Kitten's New BellaCiao Malware Discovered in Multi-Country Attacks
Apr 26, 2023
The prolific Iranian nation-state group known as  Charming Kitten  is actively targeting multiple victims in the U.S., Europe, the Middle East and India with a novel malware dubbed  BellaCiao , adding to its ever-expanding list of custom tools. Discovered by Bitdefender Labs, BellaCiao is a "personalized dropper" that's capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server. "Each sample collected was tied up to a specific victim and included hard-coded information such as company name, specially crafted subdomains, or associated public IP address," the Romanian cybersecurity firm  said  in a report shared with The Hacker News. Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (née Phosphorus), TA453, and Yellow Garuda, is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps ( IRGC ). Over the years, the

Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor

Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor
Apr 25, 2023 Cyber Threat / PowerShell
An Iranian nation-state threat actor has been linked to a new wave of phishing attacks targeting Israel that's designed to deploy an updated version of a Windows backdoor called PowerLess . Cybersecurity firm Check Point is tracking the activity cluster under its mythical creature handle  Educated Manticore , which exhibits "strong overlaps" with a hacking crew known as APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda. "Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains," the Israeli company  said  in a technical report published today. Active since at least 2011, APT35 has cast a  wide net of targets  by leveraging  fake social media personas ,  spear-phishing techniques , and  N-day vulnerabilities in internet-exposed applications  to gain initial access and drop various payloads, includi

Iranian Government-Backed Hackers Targeting U.S. Energy and Transit Systems

Iranian Government-Backed Hackers Targeting U.S. Energy and Transit Systems
Apr 19, 2023 Cyber Threat / SCADA
An Iranian government-backed actor known as  Mint Sandstorm  has been linked to attacks aimed at critical infrastructure in the U.S. between late 2021 to mid-2022. "This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran's national priorities," the Microsoft Threat Intelligence team  said  in an analysis. Targeted entities consist of seaports, energy companies, transit systems, and a major U.S. utility and gas company. The activity is suspected to be retaliatory and in response to attacks targeting its maritime,  railway , and  gas station payment systems  that took place between May 2020 and late 2021. It's worth noting here that Iran subsequently  accused  Israel and the U.S. of masterminding the attacks on the gas stations in a bid to create unrest in the nation. Mint Sandsto

Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise

Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise
Apr 08, 2023 Cyber War / Cyber Threat
The Iranian nation-state group known as  MuddyWater  has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation. That's according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed  DEV-1084 . "While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation," the tech giant  revealed  Friday. MuddyWater  is the name assigned to an  Iran-based actor  that the U.S. government has publicly connected to the country's Ministry of Intelligence and Security (MOIS). It's been known to be active since at least 2017. It's also tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster,

Iranian Hackers Target Women Involved in Human Rights and Middle East Politics

Iranian Hackers Target Women Involved in Human Rights and Middle East Politics
Mar 09, 2023 Cyber Espionage
Iranian state-sponsored actors are continuing to engage in social engineering campaigns targeting researchers by impersonating a U.S. think tank. "Notably the targets in this instance were all women who are actively involved in political affairs and human rights in the Middle East region," Secureworks Counter Threat Unit (CTU)  said  in a report shared with The Hacker News. The cybersecurity company attributed the activity to a hacking group it tracks as  Cobalt Illusion , and which is also known by the names APT35, Charming Kitten, ITG18, Phosphorus, TA453, and Yellow Garuda. The targeting of academics, activists, diplomats, journalists, politicians, and researchers by the threat actor  has been   well-documented   over  the  years . The group is suspected to be operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC) and has exhibited a pattern of using fake personas to establish contact with individuals who are of strategic interest to the governmen

Microsoft: Iranian Nation-State Group Sanctioned by U.S. Behind Charlie Hebdo Hack

Microsoft: Iranian Nation-State Group Sanctioned by U.S. Behind Charlie Hebdo Hack
Feb 06, 2023 Hacktivist / Cyber Attack
An Iranian nation-state group sanctioned by the U.S. government has been attributed to the hack of the French satirical magazine Charlie Hebdo in early January 2023. Microsoft, which disclosed details of the incident, is tracking the activity cluster under its chemical element-themed moniker  NEPTUNIUM , which is an Iran-based company known as Emennet Pasargad. In January 2022, the U.S. Federal Bureau of Investigation (FBI)  tied  the state-backed cyber unit to a sophisticated influence campaign carried out to  interfere  with the 2020 presidential elections. Two Iranian nationals have been indicted for their role in the disinformation and threat campaign. Microsoft's disclosure comes after a "hacktivist" group named Holy Souls (now identified as NEPTUNIUM) claimed to be in possession of the personal information of more than 200,000 Charlie Hebdo customers, including their full names, telephone numbers, and home and email addresses. The breach, which allowed NEPTUNI

Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks

Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks
Jan 18, 2023 Cyber Espionage / Cyber Risk
The threat actor known as  BackdoorDiplomacy  has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its  constellation-themed  moniker  Playful Taurus , said it observed the government domains attempting to connect to malware infrastructure previously identified as associated with the adversary. Also known by the names APT15, KeChang, NICKEL, and Vixen Panda, the Chinese APT group has a history of cyber espionage campaigns aimed at government and diplomatic entities across North America, South America, Africa, and the Middle East at least since 2010. Slovak cybersecurity firm ESET, in June 2021,  unpacked  the intrusions mounted by the hacking crew against diplomatic entities and telecommunication companies in Africa and the Middle East using a custom implant known as Turian. Then in December 2021, Microsoft  announced  the seizure of 42 domains operated

Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver

Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver
Dec 09, 2022 Malware / Iranian Hackers
The subgroup of an Iranian nation-state group known as  Nemesis Kitten  has been attributed as behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands. "The use of GitHub as a virtual dead drop helps the malware blend in," Secureworks principal researcher Rafe Pilling  said . "All the traffic to GitHub is encrypted, meaning defensive technologies can't see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions." The Iranian government-sponsored actor's malicious activities came under the radar earlier in February 2022, when it was  observed  exploiting  Log4Shell flaws  in unpatched VMware Horizon servers to deploy ransomware. Nemesis Kitten is  tracked  by the larger cybersecurity community under various monikers such as TunnelVision, Cobalt Mirage, and UNC2448. It's also a sub-clus
Cybersecurity Resources