The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) released a joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. organizations.
This includes organizations across several sectors in the United States – including in the education, finance, healthcare, and defense sectors as well as local government entities.
The FBI said it assesses a significant percentage of these threat actors’ operations against U.S. organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware. The FBI further said these Iran-based cyber actors are associated with the government of Iran.
According to the CSA, these cyber actors are known in the private sector as Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm.
These operations aid malicious cyber actors in further collaborating with affiliate actors – including ALPHV Blackcat – to continue deploying ransomware.
“CISA and partners encourage critical infrastructure organizations to review and implement the mitigations provided in this joint advisory to reduce the likelihood and impact of ransomware incidents,” the CSA says.
Mitigations include reviewing logs for indications of traffic, applying patches, and checking systems for unique identifiers used by the actors.
In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating security programs against the threat behaviors mapped in the CSA.
