The US Treasury Department on Friday announced sanctions against Iran’s Ministry of Intelligence and Security (MOIS) and its intelligence minister, Esmaeil Khatib, for engaging in active cyber activities against the nation and its allies.
“Since at least 2007, MOIS and its cyber agents have conducted malicious cyber operations targeting a variety of government and private sector organizations around the world and in various critical infrastructure sectors,” Treasury said.
The agency also accused Iranian state-sponsored actors of orchestrating disruptive attacks targeting the Albanian government’s computer systems in mid-July 2022, an incident that forced the latter to temporarily suspend its online services.
The development comes nearly nine months after the US Cyber Command characterized the advanced persistent threat (APT) known as MuddyWater as a subordinate element within MOIS. It also comes almost two years after Treasury sanctions against another Iranian APT group called APT39 (aka Chafer or Radio Serpens).
Friday’s sanctions effectively prohibit US businesses and citizens from engaging in transactions with MOIS and Khatib, and non-US citizens who transact with the designated entities could be exposed to sanctions.
Coinciding with the economic blockade, the Albanian government said the cyber attack on digital infrastructure was “orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that carried out the aggression”.
Microsoft, which investigated the attacks, said the adversaries worked together to carry out separate phases of the attacks, with each group responsible for a different aspect of the operation –
- DEV-0842 installed malware and wipers
- DEV-0861 gained initial access and extracted data
- DEV-0166 (aka IntrudingDivisor) exfiltrated data and
- DEV-0133 (aka Lyceum or Siamese Kitten) investigated victim infrastructure
The tech giant’s threat intelligence teams also attributed the groups involved in gaining initial access and exfiltrating the data to the MOIS-linked Iranian hacker collective codenamed Europium, which is also known as APT34, Cobalt Gypsy, Helix Kitten or OilRig.
“The attackers responsible for the intrusion and data extraction used tools previously used by other known Iranian attackers,” he said in a technical dive. “The attackers responsible for the intrusion and exfiltration of data targeted other sectors and countries that are in line with Iranian interests.”
“The Iranian-sponsored destruction attempt had less than 10% total impact on the customer’s environment,” the company noted, adding that post-exploitation actions included the use of web shells for persistence, unknown executables for detection, credential harvesting and protection avoidance methods to disable security products.
Microsoft’s findings match earlier analysis by Google’s Mandiant, which called the politically motivated activity a “geographic expansion of Iran’s disruptive cyber operations.”
Initial access to an Albanian government victim’s network reportedly occurred as early as May 2021 through successful exploitation of a SharePoint remote code execution flaw (CVE-2019-0604), followed by email exfiltration from the network of compromised between October 2021. and January 2022.
A second, parallel wave of email harvesting was observed between November 2021 and May 2022, likely through a tool called Jason. Additionally, the intrusions included the deployment of a ransomware strain called ROADSWEEP and the distribution of a sweeper malware referred to as ZeroCleare.
Microsoft characterized the destructive campaign as a “direct and proportionate form of retaliation” for a string of cyberattacks on Iran, including one carried out by an Iranian hacktivist group linked to the Mujahedin-e-Khalq (MEK) in the first week of July 2022.
The MEK, also known as the People’s Mujahideen Organization of Iran (PMOI), is an Iranian dissident group based primarily in Albania that seeks to overthrow the government of the Islamic Republic of Iran and install its own government.
“Some of the Albanian organizations targeted in the devastating attack were equivalent organizations and government agencies in Iran that experienced previous cyber attacks with MEK-related messages,” the Windows maker said.
Iran’s Foreign Ministry, however, has rejected accusations that the country is behind the digital offensive against Albania, calling them “baseless” and that it is “part of responsible international efforts to deal with the threat of cyber attacks “.
He further condemned the sanctions and called the act based on “false and unproven” allegations, saying he “will use all his capabilities within the framework of international law to uphold the rights of Iranians and defend himself against these evil conspiracies”. The ministry also accused the US of “giving full support to a terrorist sect,” referring to the MEK.
