The US Treasury Department on Friday announced sanctions against Iran’s Ministry of Intelligence and Security (MOIS) and its Intelligence Minister Esmaeil Khatib for involvement in cyber-enabled activities against the nation and its allies.
“Since at least 2007, the MOIS and its proxies of cyber actors have conducted malicious cyber operations targeting a range of government and private sector organizations around the world and in various critical infrastructure sectors,” the Treasury Department said.
The agency also accused state-sponsored Iranian actors of conducting disruptive attacks on Albanian government computer systems in mid-July 2022, forcing them to shut down their online services.
The development comes nearly nine months after the US Cyber Command characterized the Advanced Persistent Threat (APT) known as MuddyWater as a subordinate element within MOIS. It also comes nearly two years after Treasury Department sanctions against another Iranian APT group called APT39 (aka Chafer or Radio Serpens).
Friday’s sanctions effectively ban US companies and citizens from conducting transactions with MOIS and Khatib, and non-US citizens conducting transactions with the designated entities may face sanctions themselves.
Coinciding with the economic blockade, the Albanian government said the cyberattack on digital infrastructure was “orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that carried out the aggression.”
Microsoft, which investigated the attacks, said the adversaries worked together to carry out different phases of the attacks, with each cluster responsible for a different aspect of the operation –
- DEV-0842 deployed the ransomware and wiper malware
- DEV-0861 gained initial access and exfiltrated data
- DEV-0166 (aka IntrudingDivisor) exfiltrated data
- DEV-0133 (aka Lyceum or Siamese Kitten) studied victim infrastructure
The tech giant’s threat intelligence teams also attributed the groups involved in gaining initial access and data exfiltration to the Iranian MOIS-affiliated hacking collective codenamed Europium, also known as APT34, Cobalt Gypsy, Helix Kitten or OilRig.
“The attackers responsible for the data penetration and exfiltration used tools previously used by other known Iranian attackers,” a technical deep dive said. “The attackers responsible for data penetration and exfiltration targeted other sectors and countries aligned with Iranian interests.”
“The Iran-sponsored destruction attempt had less than 10% overall impact on the customer environment,” the company noted, adding that post-exploitation actions included the use of web shells for persistence, unknown executables for reconnaissance, credential-gathering techniques, and defense-evasion methods to disable security products.
Microsoft’s findings align with previous analysis by Google’s Mandiant, which called the politically motivated activity a “geographical expansion of Iranian disruptive cyber operations.”
The first access to an Albanian government victim’s network is said to have occurred as early as May 2021 through the successful exploitation of a SharePoint remote code execution vulnerability (CVE-2019-0604), followed by the exfiltration of emails from the compromised network between October 2021 and January 2022.
A second, parallel wave of email harvesting was observed between November 2021 and May 2022, likely carried out with a tool called Jason. The intrusions also led to the deployment of ransomware called ROADSWEEP, which was followed by the distribution of a wiper malware called ZeroClare.
Microsoft characterized the destructive campaign as a “form of direct and proportionate retaliation” for a series of cyberattacks on Iran, including one orchestrated by an Iranian hacktivist group affiliated with Mujahedin-e-Khalq (MEK) in the first week of July 2022.
The MEK, also known as the People’s Mujahedin Organization of Iran (PMOI), is an Iranian dissident group mostly based in Albania that seeks to overthrow the government of the Islamic Republic of Iran and install a government of its own.
“Some of the Albanian organizations targeted by the destructive attack were the corresponding organizations and government agencies in Iran that experienced previous cyber attacks with MEK-related messages,” the Windows maker said.
However, Iran’s foreign ministry has denied allegations that the country was behind the digital offensive against Albania, calling it “unfounded” and “part of responsible international efforts to address the threat of cyberattacks”.