At CyberWarCon 2021, the Microsoft Threat Intelligence Center (MSTIC) presented its assessment of how several Iranian threat actors have evolved, and the picture is one of increasingly capable attackers. Since September 2020, Microsoft has been tracking six Iranian groups that deploy ransomware and exfiltrate data in order to disrupt and damage their victims.
These groups have matured into capable threat actors: they conduct cyber-espionage, use multi-platform malware, disrupt operations with wipers and ransomware, run phishing and password spraying campaigns, and have even mounted complex supply chain operations. All six groups deployed ransomware, released in waves that were on average six to eight weeks apart.
During the year the actors were observed scanning for several vulnerabilities, including the Fortinet FortiOS SSL VPN credential disclosure (CVE-2018-13379) and Microsoft Exchange servers vulnerable to ProxyShell. Scanning for unpatched Fortinet VPN appliances alone yielded roughly 900 valid credentials in plain text. The practical consequence is that patching such an appliance is not sufficient on its own: any credentials that were exposed while it was unpatched must be treated as compromised and rotated, and the accounts checked for subsequent sign-ins from unfamiliar sources.
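The harvested VPN credentials and the password spraying mentioned above both show up in authentication logs as a single source working through many accounts with few attempts per account. The following detector is an added example, not code from Microsoft or from the original article; it runs over a constructed, hypothetical sign-in log (the format and the IP addresses, user names and thresholds are assumptions for illustration) and flags sources whose failures are spread across many distinct users, while ignoring ordinary brute force against one account. It also reports which accounts the spray succeeded on, since those are the credentials that need resetting.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical format):
#   <ISO-8601 time> <source IP> <user> <FAIL|SUCCESS>
# 203.0.113.7 tries one password against 12 accounts and lands one hit;
# 198.51.100.9 hammers a single account (brute force, not a spray);
# 192.0.2.5 is a normal successful login.
SAMPLE_LOG = """\
2021-11-15T09:00:01Z 203.0.113.7 alice FAIL
2021-11-15T09:00:03Z 203.0.113.7 bob FAIL
2021-11-15T09:00:05Z 203.0.113.7 carol FAIL
2021-11-15T09:00:07Z 203.0.113.7 dan FAIL
2021-11-15T09:00:09Z 203.0.113.7 erin FAIL
2021-11-15T09:00:11Z 203.0.113.7 frank FAIL
2021-11-15T09:00:13Z 203.0.113.7 grace FAIL
2021-11-15T09:00:15Z 203.0.113.7 heidi FAIL
2021-11-15T09:00:17Z 203.0.113.7 ivan FAIL
2021-11-15T09:00:19Z 203.0.113.7 judy FAIL
2021-11-15T09:00:21Z 203.0.113.7 mallory FAIL
2021-11-15T09:00:23Z 203.0.113.7 oscar FAIL
2021-11-15T09:00:25Z 203.0.113.7 peggy SUCCESS
2021-11-15T09:10:00Z 198.51.100.9 dave FAIL
2021-11-15T09:10:02Z 198.51.100.9 dave FAIL
2021-11-15T09:10:04Z 198.51.100.9 dave FAIL
2021-11-15T09:10:06Z 198.51.100.9 dave FAIL
2021-11-15T09:10:08Z 198.51.100.9 dave FAIL
2021-11-15T09:12:00Z 192.0.2.5 trent SUCCESS
"""


def parse_events(text):
    """Parse the constructed log into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), outcome))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=10, max_fail_per_user=2):
    """Return {ip: summary} for sources whose failures in any `window`
    cover at least `min_users` distinct accounts with no more than
    `max_fail_per_user` failures each: the signature of a spray, as
    opposed to brute force, which piles failures onto one account."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            fails = defaultdict(int)
            successes = set()
            for _, _, user, outcome in evs[start:end + 1]:
                if outcome == "FAIL":
                    fails[user] += 1
                else:
                    successes.add(user)
            if len(fails) >= min_users and max(fails.values()) <= max_fail_per_user:
                alerts[ip] = {
                    "distinct_users": len(fails),
                    "failures": sum(fails.values()),
                    # Accounts the spray got into: reset these first.
                    "successes": sorted(successes),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(f"possible password spray from {ip}: {summary}")
```

The thresholds are deliberately conservative: a low failure count per account keeps lockout-avoiding sprays visible, while the distinct-user floor suppresses a single user retyping a forgotten password. In a real deployment the same logic would key on the tenant's actual sign-in schema and fold in source ASN or geolocation, but the per-source, many-users, few-attempts shape is what distinguishes a spray.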
Another trend in the past year's social engineering is a greater degree of patience and persistence, the mark of a skilled actor. Previously, actors such as Phosphorus (Charming Kitten) sent unsolicited emails carrying malicious links and attachments, a mass-mailing approach that was only partially successful.
Phosphorus has now adopted the slower route of "interview invitations", a lure pioneered by the North Korean group Lazarus. As part of the supposed interview process, Phosphorus operators telephone the target and walk them through clicking on a credential-harvesting page.
Curium, a more recently identified group, uses similarly patient techniques, according to Microsoft. It operates a large network of fake social media profiles, most of them posing as attractive women, which contact targets and build a relationship over time through regular conversation until they have earned the target's trust.
Eventually the persona sends a malicious document that looks just like the benign files sent earlier, so the malware arrives without raising suspicion. A Hamas-affiliated group used a comparable approach, building fake dating apps to lure Israel Defense Forces (IDF) personnel into installing malware-laced mobile applications. Whether the two campaigns are connected is not clear.
Microsoft has tracked Iranian actors for more than a decade and has taken down parts of their infrastructure. Despite these measures, Phosphorus has caused considerable damage, the compromise of high-ranking officials in October of last year being a prominent example. According to MSTIC's latest findings, Phosphorus is not only alive and thriving but continually changing its tooling and tactics, supported by an unusually diverse set of collaborators.